The Shadow IT-DLP Gap: New Survey Data on How Company Data Actually Leaves the Building
See Venn first in Google Search
Add as a preferred source on GoogleMost data loss prevention programs are built to guard the front door: the corporate network, the managed laptop, the sanctioned app. But a growing share of company data isn’t leaving through the front door at all. It’s slipping out the side doors — personal inboxes, home Wi-Fi, a laptop that was never enrolled in anything — long before a DLP alert would ever have a reason to fire.
To understand how often this actually happens, we commissioned a survey through Dynata asking employees how they really handle work data day to day. The results put hard numbers behind something most IT and security leaders have suspected for years: a meaningful share of business data is moving completely outside the systems built to protect it. This isn’t a story about malicious insiders. It’s a story about ordinary, well-intentioned employees working around infrastructure that wasn’t built for how they actually work — and what that means for any organization relying on traditional DLP to catch it.
Enforce DLP on Unmanaged Laptops
Learn how to keep sensitive data secure when contractors and remote workers use personal laptops.

In this article:
What the Data Shows: Three Ways Work Data Leaves Company Control
30% Send Work Files To or From Personal Email
According to a recent survey by Venn, nearly a third of employees admit to routing work files through personal email at some point – attaching a document to a Gmail message to keep working from home, or forwarding a file to a personal account because the company inbox wasn’t accessible from a personal phone. Once a file lands in a personal email account, it’s outside company-controlled retention, encryption, and access policies indefinitely. There’s no revocation mechanism if that employee leaves, and no audit trail if that account is ever compromised.
20% Work From Unsecured or Public Networks
One in five employees say they’ve done work on unsecured or public networks – coffee shop Wi-Fi, an airport lounge, a home network with no meaningful segmentation. This is where BYOD environments create a particular kind of exposure: the device connecting to sensitive systems is the same device a household uses for everything else, and it’s doing so over a network the organization has no way to inspect or secure.
20% Store Work Files on Personal Devices
The same share of employees report storing work files directly on personal devices — a spreadsheet saved to a personal laptop, a client file downloaded to a home desktop for offline access. Once that data is resident on a device the company doesn’t manage, it stays there. There’s no remote wipe, no encryption enforcement, and no visibility into who else might have access to that machine.
Individually, each of these behaviors looks like a minor convenience. Together, they describe a substantial and largely invisible channel through which company data routinely leaves the environment DLP tools are built to monitor.
Why Traditional DLP Can’t See Any of This
The uncomfortable truth is that none of these behaviors are unusual or hard to explain — they’re just invisible to the tools most organizations rely on to catch them.
Network DLP Assumes a Corporate Perimeter That No Longer Exists
Network-based Data Loss Prevention was built for a world where sensitive data traveled through a corporate gateway that security teams controlled. That assumption breaks down the moment an employee works from a home network or public Wi-Fi that never routes through anything the company can inspect. A file uploaded to a personal cloud account from a coffee shop simply never generates traffic a network sensor can see.
Endpoint DLP Assumes a Managed Device That Was Never Enrolled
Endpoint DLP fills part of that gap, but only on devices that carry the agent. The moment work happens on a personal laptop, that visibility disappears entirely. Network DLP and endpoint DLP have complementary blind spots: one misses data that never touches a managed device, the other misses everything that happens once a user steps outside the monitored path. For organizations built around BYOD, contractors, and hybrid teams, that combination leaves a wide and largely permanent gap.
The Real Cost of the Shadow IT-DLP Gap
This gap isn’t just a theoretical visibility problem; it shows up directly in breach statistics and audit outcomes.
Compliance Exposure
For organizations operating under HIPAA, PCI DSS, SOC 2, or similar frameworks, every one of these behaviors is a potential audit finding. A file that moved through personal email or sat unencrypted on a personal device is, by definition, outside the controls those frameworks require — regardless of whether anything went wrong.
Breach Investigation and Containment Delays
Unmanaged devices don’t just increase the odds of an incident; they make incidents harder to resolve. Recent industry analysis found that roughly half of organizations experienced a data breach tied to an unmanaged device within the past year, and shadow data of any kind tends to extend both detection and containment timelines. When an investigation can’t establish where data went or what device it touched, every subsequent step — legal review, notification, remediation — takes longer and costs more.
Why Employees Do This Anyway
It’s tempting to treat this as a training problem, but the data doesn’t support that read. The 2026 Verizon Data Breach Investigations Report found that the large majority of malicious-insider incidents trace back to convenience rather than intent — the canonical example being an employee emailing a file to a personal account just to keep working. The same logic applies here.
Convenience Beats Policy Every Time
Employees aren’t weighing DLP policy against personal risk tolerance. They’re weighing “finish this task now” against “wait for IT to provide an approved way to do it.” When those two things conflict, the task usually wins, policy or no policy.
Blocking Tools Doesn’t Remove the Behavior, Just the Visibility
Restricting personal email or blocking cloud storage domains rarely eliminates the underlying need — it just pushes the same behavior somewhere even less visible. An employee blocked from one channel typically finds another, and each substitution moves further from anything security teams can monitor.
Closing the Gap Without Overreaching
The instinct to respond to this data with more device control is understandable, but it usually creates a different problem: employees and contractors have a reasonable expectation of privacy on their own hardware, and solutions that require full device enrollment or broad monitoring tend to produce friction, pushback, and the exact workaround behavior they were meant to prevent.
Isolating Work Activity vs. Monitoring the Whole Device
A more durable approach treats the work itself, not the entire device, as the security boundary. Rather than trying to detect data movement after the fact across every possible personal channel, this model isolates business applications and data in a company-controlled environment on the device — so DLP policy applies consistently to work activity no matter where that device happens to be, while personal activity on the same machine stays outside company visibility entirely.
What This Looks Like in Practice
One global immigration law firm ran into exactly this problem: lawyers and contractors were working from personal laptops with no reliable way to enforce security or protect sensitive client data, in a practice where a single compromised device could put firm-wide information at risk. Rather than issuing laptops or forcing contractors into a VDI environment, the firm adopted Venn’s Blue Border™ to create a company-controlled enclave on each contractor’s own device. Every work application ran inside that enclave under consistent DLP and compliance controls, while personal activity on the same laptop remained completely untouched and invisible to the firm.
A similar pattern played out at a global aircraft manufacturer securing more than 7,000 remote employees, contractors, and suppliers. Rather than shipping laptops or routing everyone through VDI, the organization used Blue Border to keep work data inside a secure, isolated environment with nothing stored locally outside it — closing off exactly the kind of personal-device exposure the survey data highlights, without taking over devices the company didn’t own.
Frequently Asked Questions
Can DLP Tools Detect Shadow IT on Personal Devices?
Generally, no — not reliably. Traditional DLP tools depend on either network traffic passing through a monitored gateway or an agent installed on a managed endpoint. A personal device that never enrolls in company management and never routes traffic through a corporate network produces neither signal, which means the behaviors described above — personal email, unsecured networks, local file storage — typically happen completely outside what DLP tools can see or log.
Does Blocking Personal Email and Cloud Storage Actually Stop Data Loss?
Blocking specific channels can reduce use of that one channel, but it rarely reduces the underlying behavior. Employees who are blocked from a familiar tool tend to find another way to accomplish the same task, often through a channel with even less visibility than the one that was blocked. Addressing the root cause — giving employees a secure, convenient way to do the work in the first place — tends to be more effective than restricting individual apps one at a time.
What’s the Difference Between Endpoint DLP and Device-Level Isolation?
Traditional endpoint DLP monitors an entire managed device for policy violations, which requires enrolling that device and often extends visibility into personal use as well. Device-level isolation takes a narrower approach: it creates a separate, company-controlled environment on the device where work applications and data live, and applies DLP policy only inside that environment. Personal activity on the rest of the device stays outside company visibility. For BYOD and contractor populations in particular, this narrower boundary tends to see far higher adoption and far less resistance than full device enrollment.
Key Takeaways
The gap between shadow IT and DLP isn’t a failure of policy or training — it’s a structural mismatch between how DLP tools were designed to work and how work actually happens today. Nearly a third of employees are moving files through personal email, and a fifth are working from unsecured networks or storing files on personal devices, largely because the approved alternative wasn’t convenient enough to compete. Closing that gap doesn’t require more control over the device. It requires shifting the security boundary to the work itself.
If your organization is trying to understand how much of this is happening inside your own environment — and what a lighter-touch, more effective control model could look like — Venn’s approach to endpoint DLP is worth a closer look.