What is Shadow IT?
Shadow IT is the use of tools and applications that have not been approved by the organisation's IT or security function. In the Financial Services industry, where sensitive client data and regulatory compliance are critical, it has become a growing, silent threat.
Insights from our Cyber Resilience in 2025: Overconfidence could undo resilience gains in Financial Services report reveal why Financial Services in particular leads in unapproved software use and how this could negatively impact cyber resilience.
This blog explores the risks associated with shadow IT in Financial Services and highlights the findings from our report that can help combat the mounting issues associated with its use.
The Current Shadow IT Landscape in Financial Services
Based on e2e-assure's research, 42% of cyber risk owners in financial services organisations cite unapproved software as a top concern, the highest proportion across the sectors we surveyed.
Generative AI tools such as ChatGPT and Microsoft Copilot are increasingly being incorporated into business operations, with 41% of employees using these tools regularly, often without approval. This number is expected to keep rising in 2025.
Worryingly, while 80% of cyber risk owners are confident in their established AI policies, only 47% of the employees we surveyed knew what those policies were. This gap is a key theme throughout the research: it creates opportunities for data leakage and phishing attacks, against a backdrop of phishing messages increasing by 202% in the second half of 2024 (Infosecurity-Magazine.com).
Why Financial Services Tops the List
1. Mounting Pressure for Speed:
Speed of response is paramount in a sector that handles sensitive client data, but resilience must be built from the ground up, with the right support. Roles in the sector demand working under high pressure, which has led to the adoption of unauthorised tools in the name of productivity.
This urgency also often results in employees bypassing security protocols, increasing the risk of exploitation.
2. Complex Regulatory Environment:
Compliance is a key factor in cyber resilience in the Financial Services industry. Regulations such as DORA (the EU's Digital Operational Resilience Act) legally require organisations to invest in cyber security measures; however, shadow IT complicates adherence to those requirements.
Unauthorised tools may not meet the strict compliance requirements, leaving organisations unknowingly exposed to audit findings and financial penalties.
3. Legacy Systems and Processes:
Financial services firms often rely on outdated, legacy technology, prompting employees to seek modern, efficient tools outside IT's oversight. If processes do not allow for productive work, employees may decide to skip vital steps and compromise compliance.
The Shift to Resilience
1. Mean Time to Detect (MTTD) vs Mean Time to Respond (MTTR)
To encourage and ultimately achieve good cyber hygiene, organisations should move away from the mentality of 'how quickly can we detect a breach (MTTD)' and instead think about 'how quickly can we respond to a breach (MTTR)'. This switch towards a response-based focus encourages a stronger emphasis on cyber hygiene and on how security operations can create policies and processes that limit the impact on day-to-day operations if an attack occurs. This may include implementing best practices such as a zero-trust policy, strong backup procedures and attack disruption that removes compromised accounts and end-user devices (EUDs) from the network as soon as they show malicious activity. These actions and cultural changes are the difference between a resilient and a non-resilient organisation.
2. Training and Culture:
Tailored, scenario-based training can boost engagement in Financial Services. According to our research, a simple change with a big impact is to use scenario-based examples: 82% of employees say they are more likely to engage with training presented this way.
Focus on role-specific risks, such as social engineering for client-facing staff and secure data handling for analysts.
Promoting a security-first culture and fostering open dialogue will encourage teams to be more transparent about the tools they use, improving efficiency and reducing unauthorised technologies within the business.
3. Leveraging the Technology:
Although investing in Detection and Response tools gives businesses the ability to see the threats within their network, unauthorised software can go completely under the radar if the tooling has not been configured to recognise it: a detection rule or software inventory that does not know an application exists cannot flag it.
This is why, culturally, there has to be transparency from employees about the software they use; otherwise these investments will not be fully optimised, leaving gaps in an organisation's network defences.
Well-configured EDR tools and monitoring policies can have a large positive impact on Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Organisations like e2e-assure can outline and implement these changes to provide an SLA for MTTR on critical incidents of under 15 minutes, significantly reducing attackers' impact and lateral movement.
When security teams gain accurate visibility into all technologies used across the business and employees understand the risks of unapproved tech, they can detect and respond to threats more quickly.
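The blind spot described above is easy to see in code. The following is an added example, not code from the report or from e2e-assure: it runs an approved-software allow-list over a handful of constructed endpoint process-creation events. The event field names, the inventory contents and the three verdicts are assumptions for this example, not a real EDR schema. Anything the inventory has not been told about comes back as unapproved, and an approved executable name carrying the wrong (or no) code-signing publisher is flagged separately, since a renamed download is a different problem from an unknown productivity tool.

```python
"""Allow-list check over constructed endpoint process-creation events.

Assumptions (not from the page): each event is a dict with host, user,
image (full executable path) and publisher (code-signing subject, or None
if unsigned). The approved inventory maps a lower-cased executable file
name to the publisher expected to have signed it.
"""
import os
from collections import Counter

# Constructed sample inventory: the only executables the tooling has been
# told about. Anything outside this mapping is invisible to policy.
APPROVED_SOFTWARE = {
    "outlook.exe": "Microsoft Corporation",
    "excel.exe": "Microsoft Corporation",
    "teams.exe": "Microsoft Corporation",
    "chrome.exe": "Google LLC",
}

# Constructed sample telemetry shaped like process-creation events an EDR
# agent might forward. Hostnames, users and paths are invented.
SAMPLE_EVENTS = [
    {"host": "FS-WS-0142", "user": "a.patel",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "publisher": "Microsoft Corporation"},
    {"host": "FS-WS-0142", "user": "a.patel",
     "image": r"C:\Users\a.patel\AppData\Local\Programs\notesync\notesync.exe",
     "publisher": None},
    {"host": "FS-WS-0077", "user": "j.okafor",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "publisher": "Google LLC"},
    {"host": "FS-WS-0077", "user": "j.okafor",
     "image": r"C:\Users\j.okafor\Downloads\chrome.exe",
     "publisher": "Unknown Publisher Ltd"},
    {"host": "FS-WS-0210", "user": "m.rossi",
     "image": r"C:\Users\m.rossi\AppData\Local\Temp\ai-helper.exe",
     "publisher": None},
]


def classify(event, approved=APPROVED_SOFTWARE):
    """Return 'approved', 'impersonated' or 'unapproved' for one event.

    The file name is compared case-insensitively; Windows separators are
    normalised so the check also runs on a POSIX host.
    """
    name = os.path.basename(event["image"].replace("\\", "/")).lower()
    expected_publisher = approved.get(name)
    if expected_publisher is None:
        return "unapproved"          # not in the inventory at all
    if event["publisher"] != expected_publisher:
        return "impersonated"        # approved name, wrong or missing signer
    return "approved"


def find_unapproved(events, approved=APPROVED_SOFTWARE):
    """Return a finding for every event that is not cleanly approved."""
    findings = []
    for ev in events:
        verdict = classify(ev, approved)
        if verdict != "approved":
            findings.append({"host": ev["host"], "user": ev["user"],
                             "image": ev["image"], "verdict": verdict})
    return findings


def summarise(findings):
    """Count findings per verdict, e.g. Counter({'unapproved': 2, ...})."""
    return Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    results = find_unapproved(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['verdict']:<13} {f['host']:<11} {f['user']:<10} {f['image']}")
    print(summarise(results))
```

Two of the five constructed events are executables nobody told the inventory about, which is exactly the shadow IT case: the check can only name them because the allow-list is explicit. The point for practitioners is that the allow-list itself is the policy; if the only approved tools in it are the ones IT already knows about, the generative AI helper in a user's Temp folder is visible only because it is absent from the list, not because anyone wrote a rule for it.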
Conclusion: Strengthening Resilience Against Shadow IT
To summarise, financial services organisations must address the shadow IT problem to safeguard data and maintain compliance. By building a culture that is aware of policy and bought in to the reasons behind it, organisations can materially reduce the risk that shadow IT poses to their business.
For more insights and actionable strategies, download Cyber Resilience in 2025: Overconfidence Could Undo Resilience Gains in Financial Services and our Hero report, Cyber Resilience: Futureproofing AI Adoption.