Compliance rarely goes wrong because organizations don't have policies. It goes wrong because policies become too complicated in practice. Once employees have to deal with cumbersome processes, extra steps, disconnected portals and unclear exceptions, they look for a faster route. And that is exactly where the problem begins. What looks secure and compliant on paper quickly turns into shadow IT, workarounds and invisible risks in daily operations.
The UK NCSC explicitly calls shadow IT a risk: unknown assets fall outside asset management and policy, so they are not patched, monitored or backed up, and can become a route for data exfiltration or malware. The Dutch NCSC describes the same mechanism: employees use hardware or software without the organization's knowledge or permission.
Compliance breaks down on complexity
Shadow IT arises where policy clashes with practice
Shadow IT is rarely a rebellion against IT or compliance. It is usually a symptom of friction. People want to get their work done, help customers, share documents or meet deadlines. If the official route is too slow, too technical or too inconvenient, they opt for whatever feels easiest at the time. That may be personal cloud storage, an unmanaged sharing link, a consumer messaging app or another tool outside policy. Precisely because those tools operate out of sight, the organization loses control over access, logging, retention and governance.
The human factor remains the biggest weakness
That the human factor weighs heavily is not an assumption but a recurring pattern in breach research. In the 2025 Verizon Data Breach Investigations Report, the share of breaches involving a human element was around 60 percent. That does not mean people are the problem, but it does mean that processes which depend on people acting perfectly every time remain vulnerable. The more complexity you add, the more likely someone skips a step, picks the wrong tool or works outside the process.
Every workaround is a potential data breach
Small mistakes become big when processes are fragile
The examples are painfully concrete. The Police Service of Northern Ireland was fined £750,000 by the ICO after a spreadsheet released in response to a Freedom of Information request turned out to contain a hidden tab with the personal data of 9,483 officers and staff. The ICO was remarkably clear about it: "simple-to-implement procedures" could have prevented this serious incident. That is exactly the point of this article. Data breaches are not caused only by bad intentions; they are caused by fragile, unnecessarily complex processes.
What these examples really show
The lesson is that compliance depends not only on rules, but on process design. If an employee has to share a file under time pressure, the safe route must also be the easiest route. Otherwise the workaround almost always wins. The ICO also emphasizes that the first 72 hours after a data breach is discovered are crucial: start a log immediately, gather the facts, contain the incident and, where the breach is reportable, notify the ICO within 72 hours. Organizations that only start working out exactly what was shared after an incident are already behind.
Less friction, more control
Secure file sharing should be easier than the workaround
This is where Msafe comes in. Msafe Secure File Transfer is built for exchanging sensitive files, with verifiable logging and policies for permissions, expiry and two-factor authentication (2FA).
That simplicity is not an afterthought; it is a compliance control in itself. The Msafe Outlook add-in works plug-and-play: it requires no additional infrastructure or complex integrations, and implementation takes only minutes. The user-friendly interface reduces the need for training and speeds up adoption. This matters most in organizations where compliance breaks down because the official route is cumbersome. When secure file sharing is simple to implement and easy to use, the need to resort to shadow IT shrinks.
Monitor and intervene before it escalates
Simplicity alone is not enough. You also need to see when policy is violated. Comprehensive audit trails and exportable reports let you check quickly whether the policies you have set are actually being followed. That means organizations can not only share more securely, but also spot sooner when a file has been shared incorrectly, when access needs to be revoked or when further investigation is needed.
The real promise behind “Complexity Kills Compliance”
Compliance becomes stronger when you remove complexity from the behaviors that recur every day. Secure file sharing is a perfect example. Employees will share documents with customers, suppliers, auditors and partners regardless. So the question is not whether that happens, but whether it happens through a channel that is simple enough to be used and strong enough to provide evidence, control and the ability to intervene. Make it easy, and employees make fewer wrong decisions.