KnowBe4 has released a new report showing half of the employees at shadow IT companies use unauthorised file services to complete their work.
The security awareness training and simulated phishing platform adds that this is a serious risk for companies in the sector.
KnowBe4 says the research report looks at the prevalence of two common insecure practices using survey responses from more than 435,000 participants across global regions and industries.
The first analysis covers the use of unauthorised cloud services to store information and communicate in the workplace. The second analysis reviews the prevalence of downloading content through unauthorised file-sharing networks using work computers.
The company says one significant issue to note is that the Asia and Oceania regions have concerningly high rates of both practices.
In contrast, Africa is consistently the best performing in these areas.
Additionally, finance and technology-based industries are comparatively better than many other industries, while construction, manufacturing, educational and government-based organisations are the poorest performing.
"The findings from this research are very concerning because employees are exhibiting insecure behaviours that are putting their organisations at significant risk," KnowBe4 chief research officer Kai Roer says.
"The concept of shadow IT has a direct impact on the level of security culture exhibited at an organisation.
"To combat shadow IT, organisations should focus on strengthening their security culture and increasing employees' level of security awareness.
"It is especially important for employees to understand and take responsibility for how their insecure behaviours can ultimately affect the organisation's reputation and bottom line."
Founded by IT and data security specialist Stu Sjouwerman, KnowBe4's services are used by over 47,000 organisations worldwide.
The company says it assists these organisations in addressing the human element of security by raising awareness about ransomware, CEO fraud, and other social engineering tactics.
This report comes after the company recently released research which found 59% of APAC office workers don't believe using their work email for personal activity is a security risk to their employer.
Furthermore, fewer than four in ten (39%) say they consistently report suspicious emails and SMSs to the IT team responsible for cyber security.
In addition, 51% say they engage with suspicious emails and SMSs.
Almost half of APAC office workers (46%) say they are not confident in identifying which emails are legitimate and which are scams, and 48% feel the same way about identifying SMSs.
However, when tested, that number fell even further, with only 3% able to correctly identify all the genuine and scam emails and SMSs.
"The obvious first issue with this is that if APAC office workers are unable to identify scam emails and SMS messages then they are at significant risk of getting phished or smished, risking both their security and that of their employer," KnowBe4 security awareness advocate for APAC Jacqueline Jayne says.
'Smishing' refers to malicious SMSs, 'phishing' refers to malicious emails, and 'vishing' describes malicious phone calls (live or recorded).