Please tell this to my company's IT department. They've finally moved to Azure and OneDrive with it, but are still forbidding any files downloaded to devices or email attachments being sent to external addresses because otherwise it's unsecure.
So everyone is still using WeTransfer/Dropbox/whatever like they were in the years before.
We keep a low profile. Separate network, very limited interaction with "corporate IT" (which is outsourced). We keep infosec onside by making our liaison feel we are across things. Allows us to sidestep a lot of problems, because ultimately in a large company people don't have to
Took me 15 years to realise that incompetence is at worst ignored, and often leads to promotions.
I've spent 3 years telling corporate IT they have a problem with a router config that limits throughput, we got 3mbit rather than 1Gbit. They spent 3 years insisting it wasn't them, and it was the upstream ISP. I even managed to get read-only SNMP access, and generated Cacti graphs of their router showing 400M (iperf2 in UDP mode, so 400kbit/ms) going in on port channel 1, but not emerging on the ISP interface.
My shadow-IT department spent 3 years paying for a completely separate network connection to bypass the corporate IT one and meet our requirements (easy to do when it's a remote branch office in another country), other departments just suffered it. It was the backup link so only used about 1 day in 10.
Eventually a senior member of (non-tech) staff resigned over the issue and it started being taken more seriously.
The way this system is designed (giving the front door to corporate IT) was done over my objections, and the objections of many others, but on paper it was good. Corporate IT provide shiny SLAs (which mean squat).
Last week, 12 months after the resignation and the beginning of taking it seriously, it had been escalated through 4 different layers of corporate IT, and eventually they came back and said "we've found an errant access list and removed it, and it's now fixed".
That's it. 3 years telling them what the problem was, 3 years of being ignored, and what happens? Certainly no blame for the idiots that made the decision to use this, no comeback on corporate IT provider, but if people find out about shadow IT they kick up a fuss (so the trick is to keep quiet and keep good personal relations with potential pain points).
Oh yes, we outsourced our corporate IT. Obviously there's no money coming back, I suspect we'll get a bill.