Chances are high that your business is home to shadow IT. The practice of using unsanctioned software on company devices isn’t done out of malice. It’s quite the opposite — users are turning to unapproved applications like chat apps, task managers, or collaboration tools in an effort to be more productive. While the intentions of this practice may not be malicious, shadow IT exposes companies and their customers to malware and hackers via vulnerabilities in the software. In fact, it has been reported that a third of successful attacks against enterprises will involve shadow IT resources by 2020.

Making sure that employees understand the risks posed by shadow IT starts at the top. Employees often believe data security is IT’s problem, and that if IT does its “job” and filters out the threats, they have nothing to worry about. Leaders therefore need to make sure their employees understand exactly how an unknown or unapproved app can quickly lead to a massive data breach that extends far beyond their devices. But, as it turns out, leadership may be great at talking about the dangers of shadow IT — and ignoring their own advice. According to a recent industry study, 75 percent of CEOs and more than half of business decisionmakers acknowledge that they use applications and programs that aren’t approved by their IT department. This is despite 91 percent of CEOs acknowledging that their behaviors could be considered a security risk to their organization.

It is not enough for employees to reject shadow IT if members of the C-Suite aren’t heeding their own advice. To lower the risks presented by shadow IT, companies should develop a related policy that applies to everyone, from top to bottom. The basic principles of such a plan are simple:

Provide employees with effective easy-to-use tools and capabilities — Employees use shadow IT because unsanctioned apps help them achieve a goal. Provide your employees with quality tools and they won’t need to look elsewhere. At many organizations, different teams used different chat tools, including Chatter, HipChat and Google Chat. By switching your entire company to one channel, you can unify all teams onto a single chat tool, improving inter-departmental communication and collaboration — and remove the need for any team to go rogue and install unapproved chat apps.

Deliver a straightforward, meaningful message on mutual expectations and accountability — Your communication to employees, including the leadership team, has to a) deliver a crisp, meaningful message; b) demonstrate that security is a core responsibility bestowed by executives; c) close the loop between what you say and what employees understand; and d) hold employees accountable.

Demonstrate that security is a core responsibility for everyone — Preventing cyberthreats from taking hold in your company is like a war. End users are on the front lines of the battle — their endpoints are the primary attack vector, and they need to embrace the strategies to protect them that are set by the “generals,” the IT and InfoSec teams. The C-level executives are in the war room, setting priorities and approving the strategies proposed by IT and InfoSec. From the top on down, everyone involved needs to understand that all the fancy security tools in the world are worthless if they don’t follow the rules. They need to understand that even a small error could lead to immense costs, lost productivity, brand damage, and more. Most importantly, no employee — even trusted administrators and executives — should be exempt from the consequences when rules are broken.

Structure the organization for success — To prevent shadow IT, security must have a view of the entire company — no exceptions for C-level or other privileged users. Creating any security program, whether it is focused on shadow IT or another pain point, requires accurate situational awareness. Organizations must first have a holistic view of data usage behaviors and security risks before they can decide where to add doors and locks.

Align CapEx and OpEx where there are synergies and predictable results — Providing employees new tools so they don’t turn to shadow IT requires careful CapEx and OpEx planning. This doesn’t happen overnight, and shadow IT apps don’t show up overnight, either. Plan your technology purchases wisely and efficiently, and you’ll prevent shadow IT from showing up in the first place.