Business Reporter

The hidden threat of ‘shadow AV’

Don Gibson at Kinly explains why personal devices are the new security perimeter

 

As the hybrid workplace matures, organisations are beginning to confront a complex reality: the very technologies that empowered rapid remote working have also created one of the most significant and invisible security threats facing enterprises today. The unchecked use of personal devices – what we at Kinly call ‘shadow AV’ – is introducing gaping vulnerabilities into corporate ecosystems. These devices, ranging from webcams and tablets to headsets and smart displays, are slipping past security teams and becoming digital blind spots.

 

This growing concern is now prompting decisive action. Research from our Trusted Connections 2025 report reveals that more than half of enterprises (52%) are now considering banning personal devices in the workplace altogether. This is not a knee-jerk reaction; it’s a reflection of just how pervasive and risky the problem has become. Nearly half of the organisations we surveyed are already grappling with the consequences of shadow AV. In many cases, these personal devices are being used without approval, oversight, or even the basic security protections that would be considered standard for company-issued tech.

 

 

Hybrid work has complicated the security perimeter

The acceleration of hybrid work has only compounded this challenge. When offices were the centre of work, IT teams could manage devices within a well-defined perimeter. Now, those borders have dissolved. Devices travel between homes, public spaces, and offices, crossing networks and physical boundaries without ever being checked. According to our report, 57% of enterprises say it’s harder than ever to secure devices used outside the office, and 46% believe personal tech is actively undermining their remote work strategies. This breakdown in oversight isn’t just a technical problem; it’s already exposing businesses to major risks.

 

 

Personal devices: the security gap you can’t ignore

One of the more troubling findings from our research is the security disparity between corporate and personal environments. While 77% of enterprises say their in-office AV equipment is protected by strong encryption, that figure drops to just 66% for remote or personal setups. That difference is a flashing red warning light for any business relying on hybrid models. It means that a significant section of your collaboration infrastructure – video conferencing, digital whiteboards, voice systems – could be running with inadequate protection simply because the devices weren’t issued or configured by the business.

 

The consequences go well beyond inconvenience. More than a quarter (27%) of businesses admit that employee-owned devices are holding them back from achieving broader goals. Whether it’s slowing down secure collaboration, limiting deployment of new tools, or exposing the organisation to serious cyber threats, personal tech is no longer just a user preference issue – it’s a business risk. In fact, many of these risks are now intersecting with growing compliance demands. From ransomware and phishing attacks to violations of GDPR and NIS2 regulations, unmanaged devices are opening the door to consequences that can impact revenue, reputation, and operational continuity.

 

Despite these mounting risks, many organisations continue to overlook AV as a core part of their security posture. This is a mistake. AV tools are now the connective tissue of hybrid work. They enable daily communication, support knowledge sharing, and often act as a frontline interface with clients, partners, and prospects. If these systems aren’t secure, then your enterprise isn’t secure. And yet, only 46% of professionals believe their business recognises this fact, even though 79% acknowledge that AV plays a vital role in protecting the digital workplace.

 

 

The case for greater control, not just bans

This brings us to the inevitable question: should businesses ban personal devices altogether? For some, especially in heavily regulated industries, that may well be the most sensible path. But for most, the answer lies in striking a more balanced, risk-based approach. It’s not enough to allow personal devices and simply hope employees act responsibly. Nor is it fair to clamp down with rigid restrictions that stifle productivity. The real solution lies in control, visibility, and user accountability.

 

We need to move away from legacy assumptions about BYOD. What began as a movement for flexibility and employee empowerment is now a source of exposure unless it is handled properly. Businesses must start by recognising that every device – corporate or personal – connected to the network becomes part of the security perimeter. If a personal webcam is used on a confidential client call, it should be subject to the same encryption, access management, and monitoring protocols as any in-office hardware.

 

Security teams need to work closely with IT and HR to implement policies that define what is acceptable and what isn’t when it comes to personal device use. This includes ensuring all endpoints are visible to network administrators, mandating secure collaboration tools, and embedding security responsibilities into the onboarding process for both employees and devices. Education plays a crucial role, too. Employees must understand the risks and their role in mitigating them – whether that means recognising phishing attempts, avoiding unvetted software, or knowing how to report an issue swiftly.

 

 

A new mindset for a new security landscape

Ultimately, the goal is not to control employees, but to protect the business. In today’s landscape, unsecured personal devices are the digital equivalent of leaving your front door wide open and hoping no one walks in. They’re unmanaged, unmonitored, and wide open to exploitation by increasingly sophisticated threat actors. And as data regulations tighten across Europe and beyond, the financial and reputational risks of these blind spots will only grow.

 

We are now at a turning point. If 2024 was the year of hybrid enablement, then 2025 must be the year of security reinforcement. Organisations that take decisive action – whether that means banning devices, controlling them, or securing them – will be better equipped to protect their people, their data, and their reputation. The perimeter has shifted. The threats have evolved. Now it’s time our strategies caught up.

 

Because in this new hybrid world, if you’re not securing every device, you’ve already lost control.

 


 

Don Gibson is Chief Information Security Officer at Kinly

 

Main image courtesy of iStockPhoto.com and Jacob Wackerhausen


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543