Anyone who has spent a bit of time trying to calculate the lost productivity caused just by the meetings needed to discuss breaches (internal, accidental) knows it's great ROI.
Everyone greatly overestimates ROI in their own area of expertise and greatly underestimates costs in the rest.
You might be right in some special instance, but generally you are not. One example: Sending files via Email is a security problem. So you prohibit this via settings, virus scanners, appliances, etc. Now you've solved the emailed worm problem. However, you've just created a "how do we move files/data/screenshots/..." problem for the whole company. Now everyone will need their own special solution for everything, support will need a screenshot upload tool because you cannot just email them screenshots anymore, marketing won't be able to do images in mails anymore, external people won't have access to internal file shares, etc.
Please tell this to my company's IT department. They've finally moved to Azure and OneDrive with it, but are still forbidding any files downloaded to devices or email attachments being sent to external addresses because otherwise it's insecure.
So everyone is still using WeTransfer/Dropbox/whatever like they were in the years before.
We keep a low profile. Separate network, very limited interaction with "corporate IT" (which is outsourced). We keep infosec onside by making our liaison feel we are across things. Allows us to sidestep a lot of problems, because ultimately in a large company people don't have to
Took me 15 years to realise that incompetence is at worst ignored, and often leads to promotions.
I've spent 3 years telling corporate IT they have a problem with a router config that limits throughput, we got 3mbit rather than 1Gbit. They spent 3 years insisting it wasn't them, and it was the upstream ISP. I even managed to get read only snmp access, and generated cacti graphs of their router showing 400M (iperf2 in udp mode, so 400kbit/ms) going in on port channel 1, but not emerging on the ISP interface.
My shadow-IT department spent 3 years paying for a completely separate network connection to bypass the corporate IT one and meet our requirements (easy to do when it's a remote branch office in another country); other departments just suffered it. It was the backup link so only used about 1 day in 10.
Eventually a senior member of (non-tech) staff resigned over the issue and it started being taken more seriously.
The way this system is designed (giving the front door to corporate IT) was done over my objections, and the objections of many others, but on paper it was good. Corporate IT provide shiny SLAs (which mean squat).
Last week, 12 months after the resignation and the beginning of taking it seriously, it had been escalated through 4 different layers of corporate IT, and eventually they came back and said "we've found an errant access list and removed it, and it's now fixed".
That's it. 3 years telling them what the problem was, 3 years of being ignored, and what happens? Certainly no blame for the idiots that made the decision to use this, no comeback on corporate IT provider, but if people find out about shadow IT they kick up a fuss (so the trick is to keep quiet and keep good personal relations with potential pain points).
Oh yes, we outsourced our corporate IT. Obviously there's no money coming back, I suspect we'll get a bill.
I appreciate you're giving an example, but this is pretty much solved at most big companies currently with OneDrive (or any other flavor of cloud storage). For external sharing, you just select if the link can be seen external to the org.
SharePoint is fairly good at sharing files: it allows upload by drag and drop, it supports versioning and approval of documents with a decent user interface, it offers a reasonable organization of users and permissions. Running SharePoint is anything but trivial, but with some discipline it can actually solve problems for end users.
For external people likely not, usually Sharepoint would be behind some VPN and Firewall. Some cloud service like Dropbox might work if allowed (which it often isn't). And then there will often be the resulting sprawl of various services: this for secret internal stuff, that for external people, yet another thing for marketing, etc.
This just tells us that we shouldn't discuss breaches so much? My one experience with a breach has been that the whole process around it was a colossal waste of everyone's time.