BYOD, shadow IT and mitigating risk

Hybrid working opens a potential Pandora’s Box for IT security

While debate will no doubt continue, it seems likely that working patterns have been changed irrevocably – latest figures suggest that around a fifth (22%) of the GB workforce worked at least one day a week at home, almost double the pre-pandemic level (12%). 

Hybrid working brings with it new challenges and concerns, particularly in terms of IT infrastructure and support, with the potential heightened use of ‘bring your own device’ [BYOD] and Shadow IT.

A quarter of those surveyed already have a formal BYOD company-wide policy (24%), whilst a similar proportion (26%) agree BYOD on a case-by-case basis, and 6 in 10 (59%) believe that Shadow IT occurs in at least some parts of their organisation. Half (51%) agree that ‘Shadow IT has increased with the rise of hybrid working’.

Those who use BYOD generally consider its introduction to have been successful, although just over 1 in 10 (12%) feel unable to comment – whilst this might be down to the individual respondent’s role not focusing on this specific area, it may also point to a lack of formal assessment as to the effectiveness of BYOD (particularly amongst those organisations only adopting it informally on a case-by-case basis).

BYOD is likely to place additional strain on internal IT teams

Nine in ten of those organisations using BYOD have security measures in place to cover the practice, although many of these are standard IT policies, such as password requirements and data transfer provision, which are likely to be adopted on any work device, be it employee or organisation owned. Data wipe upon contract termination, installation of company approved anti-virus software and device maintenance may raise additional BYOD challenges for any internal IT team, particularly if a variety of different devices are being used (an issue raised as a concern by over a third of those currently without a BYOD formal policy). 

Amongst those without a formal BYOD policy, the key concerns centre on compliance (61%) and data removal/retrieval (53%). 

BYOD further compounds the prevalence of Shadow IT, its associated risks and resourcing implications

Of those without a formal BYOD policy, a third (34%) are concerned that implementing BYOD will lead to an increase in Shadow IT within the organisation. This is a realistic expectation, given that employee-owned smartphones and computers are likely to be loaded with applications, software and tools that they use and are comfortable with, and so will want to continue accessing. 

An increased prevalence of Shadow IT is clearly of concern, when the vast majority of those organisations currently with Shadow IT report experiencing security issues (80%) and/or compliance regulatory issues (74%). It is perhaps unsurprising that over 8 in 10 (84%) feel that Shadow IT results in a lack of visibility for the IT department. 

Despite more efficient working and effective collaboration often being cited as a potential benefit of Shadow IT due to increased familiarity with the apps and tools being used, and improved accessibility for non-company users, 6 in 10 of those organisations with existing Shadow IT have experienced collaboration challenges as a result (59%). Almost as many have experienced Disaster Recovery issues (55%). Indeed, our mixed audience of IT and business professionals estimate that they spend on average 11% of their week addressing issues caused by Shadow IT.

Seven in ten agree that ‘Shadow IT poses a security risk to my organisation’, whilst over half (53%) disagree that ‘the advantages of Shadow IT outweigh the challenges’ (against just over a quarter agreeing – 27%).

Mitigating risk must be the focus

It is probably too late to put the genie back in the bottle: with 59% reporting some occurrence of Shadow IT in their organisation, and a quarter (26%) saying it extends across the majority or all departments, the focus must surely be on mitigating any risks posed – especially if hybrid working and BYOD are likely to continue unabated.  

Central to mitigating risk is identifying the extent of Shadow IT use within the organisation. Understanding the non-company applications, software, hardware and tools that employees are turning to, and why, may help to identify gaps in the company IT provision, which can then be filled by approved versions. Risk assessments and audits can help to identify Shadow IT use which poses a serious compliance or security issue, and so allow these to be addressed before any damage is done. 

Just over 7 in 10 (72%) are able to state ways in which their organisation is mitigating or planning to mitigate against the risks posed by Shadow IT, most commonly with employee education (48%) and provision of approved tools (45%).  

With almost one in three (28%) reporting that they are unsure or are not currently mitigating against the risks of Shadow IT, there is still room for improvement in the management and prevention of risks. 


‘The impact of remote and hybrid working on workers and organisations’, published 17 October, 2022

The survey findings are based on quantitative interviews conducted in December 2022 with 226 Vanson Bourne Community members. All respondents are UK based, representing a range of commercial sectors.

As a member of the Vanson Bourne Community you’ll gain exclusive access to a variety of insights reports just like this one, based on research with our members.

From supplier to partner

In our earlier report ‘Security is a team sport’, we explored whether organisations have the necessary expertise or headcount to deal with all IT and IT security needs in-house. Almost half (46%) of the Vanson Bourne Community members we surveyed were using the services of a Managed Services/Security Services Provider [MSP/MSSP] to support IT needs, and specifically to access their IT security expertise. 

Whether it is direct assistance from IT security vendors or from an MSP/MSSP, end-user organisations may well be open to help in terms of managing the risks posed by hybrid working, BYOD and Shadow IT. On the whole, IT budgets would appear to be holding up sufficiently to finance such additional support, with over a third (35%) stating that their 2023 IT budget will see an increase, with a further third (32%) believing it will remain stable.

Getting on the supplier radar

To be in with a chance of securing any additional IT support work generated through hybrid working and the challenges it brings, IT vendors and MSP/MSSPs must first be on the radar of the end-user organisations as a potential supplier. 

Almost all of our audience access additional information about their role and/or industry (96%), most commonly to understand new technologies (82%) and/or to further their skillset (71%). Half are looking to understand the latest threats (51%).

Given the focus on ‘understanding’, it is unsurprising that online articles and publications capture the largest share of voice, being accessed most (69%), and most frequently (87% of those reading do so at least monthly).

Newsletters and online forums also feature strongly, with almost 1 in 2 using them, most commonly on a weekly basis. Although not accessed as regularly, webinars and online courses prove popular, no doubt reflecting the ‘new normal’ of online working following the pandemic.

If wanting to engage customers directly, IT vendors need very visible online content providing in-depth insights into new technologies and threats, and if appropriate, to be offering relevant interactive sessions/training through forums, webinars and courses. 

In using vendor websites, our decision-maker audience are laser-focused on the information and functionality that will facilitate a quick and easy purchase: access to prices (68%), easy navigation (57%) and multiple contact points (50%). Clear messaging is also important for almost half (46%), with the potential for this to key into the essential supplier traits of availability, flexibility, and consistency – as well as demonstrating sector expertise (as outlined in the following section).

Making the leap from Supplier to Partner

Having established a presence, and so hopefully a foot in the door, the aim must surely be to move from one of many providers to a trusted and integral business partner. Our audience identify availability of support, flexibility and consistency as essential if a supplier is to stand out from the pack – to move out of the friend-zone to be truly ‘loved’.

‘Understanding the client’s target audience’ is also of importance, with over 1 in 10 (13%) selecting it as the supplier trait that they love the most. 

Excelling as an IT Vendor Support Team

Despite living with Zoom, MS Teams et al for over two years, customer preference for communicating with a vendor support team is a live telephone chat with an agent – over a quarter (27%) select this as their first-choice touchpoint, and over half (59%) select it within their top three. Reality is not too far removed from this, with over half (55%) currently interacting with vendor support teams via telephone chats, although email is the touchpoint used most commonly (74%).

There is an apparent mismatch with self-service portals: more experience this in reality than would select it as a preferred option (47% vs. 36%), whilst the inverse is true of a live online typed chat with an agent (32% vs. 41%). Reflecting the preferred characteristics of ‘loved’ suppliers already identified, availability of support is most likely driving this, with the immediacy of a live chat answering this need.

Indeed, when asked for the most important characteristics of an effective IT vendor support team ‘responsiveness’ is cited by 8 in 10. Proactive problem solving (70%) and knowledge & training (66%) are also key, whilst clients appear to be relatively less concerned about the operational nuts & bolts of the support team, such as offering automated solutions (15%) or having few unopened tickets (25%). 

Thriving in our hybrid world…

Hybrid working brings real challenges to end-user organisations in terms of their IT infrastructure and services, and there is a growing need for IT vendors and MSP/MSSPs to:

  • Provide guidance through online articles, insight and training to highlight the pros & cons, particularly the potential threats associated with hybrid working, BYOD and Shadow IT
  • Potentially offer services to help develop viable company-wide BYOD policies, which can be easily monitored and audited
  • Similarly, audits of existing Shadow IT use may be of value to end-user organisations, including risk assessments of the apps, software and hardware being used, and recommendations on approved tools to adopt in order to fill any existing gaps in employee needs.

In offering such services, to be a true partner and not just a provider, IT vendors must focus on availability of support, flexibility, and consistency of service – ideally delivered via a one-to-one ‘real-time’ support channel. 



Blog: Security is a team sport

External threats are rife, and appear to be on the rise, while internal resources are stretched, all reflected in regular media headlines that cyber criminals are on the front foot, moving closer to achieving their corrupt objectives. Even the Electoral Commission has been subject to a data breach.

However, we’re not here to preach about the rights and wrongs of what organisations are doing to protect themselves. Instead, we will examine one possible option for organisations as, alongside their vendor partners, they look to stem the tide and elevate their IT security posture. This ray of light comes from the utilisation of managed services providers (MSPs)/ managed security services providers (MSSPs).


Embracing external support to alleviate internal issues

It’s true that sometimes too many cooks spoil the broth. In business that proverb can rear its head in various ways – whether too many people being involved in a process causes a decision-making bottleneck, or teams end up at cross purposes on a project, there are a number of ways where a smaller, more streamlined team can be of benefit. This may also be true when it comes to IT security. However, in an ever-evolving space, where knowledge and expertise translate into power, surely the more brains there are working towards a common goal, the greater the chances of success when it comes to defending against cyber criminals. 

The one thing to bear in mind here though, is that not all organisations have the expertise or the headcount in-house to throw towards IT and IT security needs.

The way in which respondents’ organisations’ IT departments are structured begins to highlight potential expertise and/or headcount shortfalls. Larger companies (1,000+ employees) are notably more likely than their smaller counterparts to have one overarching IT department, but with this large team also including a group that focuses specifically on IT security – i.e., a team of dedicated experts exclusively working on keeping the business secure.

It is therefore probably fair to assume that the IT teams within the smaller surveyed organisations – particularly those with only 1-49 employees – are in a tricky position when it comes to both headcount and security expertise as they aim to maintain a secure environment for the rest of their colleagues. And this provides a good basis for explaining why these are the organisations most likely (31%) to be utilising an MSP/MSSP in tandem with an internal individual/small team to manage their IT security needs.

Sharing expertise and responsibility

But this doesn’t tell the whole story – overall, almost half (46%) of surveyed organisations are leaning on an MSP/MSSP to some extent for their IT security needs, with this even applying to the largest surveyed organisations (5,000 or more employees) where 45% report that this is the case. Our two cents – this can only be a positive thing – the more brains at the table working towards securing organisations the better, while it also highlights the value that these service providers can offer. This line of thinking is supported by the fact that 59% of respondents from organisations using an MSP/MSSP for their IT security requirements, report that the IT security expertise offered by these third parties is among the reasons for their use in the first place – making it by far the most commonly reported reason.

Aside from the expertise that MSPs/MSSPs can offer, there is also the added bonus of easing the burden of responsibility on internal teams that are often already stretched and struggling from a skills perspective. This is clear from the 40% and 31% of our Community members respectively reporting that they don’t have the headcount or skills in-house to manage their organisation’s IT security needs.

It would, of course, be a stretch to say that without an MSP/MSSP organisations will inevitably fall victim to a security breach, but it stands to reason that the added support wouldn’t go amiss. Further to that, it seems fairly evident that once a partnership is in place, end user organisations, IT security vendors, and MSPs/MSSPs must seamlessly work together if they hope to stave off the continuous barrage of threats that they’re up against.

This is perhaps best demonstrated by the ways in which respondents’ organisations keep up to date with the latest threat intelligence. Approaching half (48%) do so through their product vendors sending alerts on specific threats to their products, while only slightly fewer (43%) utilise specific threat intelligence tools from their vendors. And MSPs/MSSPs can also play their part by keeping end user organisations up to date with the latest intelligence, as is the case for 28% of those surveyed.

End user organisations clearly require assistance, so it’s up to IT security vendors and service providers to help ease that burden and help to mitigate the risks at play. 

Stronger together – maximising IT security

All in all, the situation seems pretty clear – whether the partnership is just between the end user organisation and their IT security vendors, or whether there is also an MSP/MSSP in the mix as well, it is critical that all parties are singing from the same hymn sheet when it comes to maximising IT security efforts. 

Security is, after all, a team sport, and until everyone involved recognises and buys into it, there will always be an avoidable opening in white hat security defences, with the damages of a breach having the potential to impact all of those who could have prevented it, to varying degrees.


These survey findings are based on qualitative and quantitative interviews from September 2022 with 216 members of the Vanson Bourne Community, our network of IT and business professionals at the forefront of their industries. 

