I’m afraid that this topic might become more and more of a concern with the increase of malware and ransomware. It’s one of the things that keeps me up at night, to be quite honest with you.
We have some instances of shadow technology at my church and these things are hard to head off at the pass. Our children’s ministry needed a way to allow volunteers to create, edit, and share the files for the curriculum. They chose, with no input from the IT department, to use Box for the file sharing and collaboration. They can manage the product and allocate rights as you would expect from an enterprise solution, but they don’t have any rules that govern what volunteers can and cannot do with the service. They also don’t groom the user pool, so there are volunteers that have access to the files that no longer volunteer, or for that matter even attend. My solution there is to come up with a policy to regulate the use of the service, but the account is out of my control. I am not sure how I monitor or enforce my policy against a product I can’t monitor.
You share my concerns about the ramifications of having synch tools on personal computers. If a home asset, most likely not protected by a virus solution, gets the plague, that plague could propagate to your internal network. Hopefully the virus solution on your work assets would catch the infection before it could stick to that device, but you never know.
Something we have been trying to noodle over is the impact of iCloud synchronization. Apple’s new OS will take files on your computer and push them to the cloud based on some algorithm of utilization. I’m sure that you can turn that feature off, but it seems like a big security hole. I want my users to be able to use iCloud for things like iMessage and such, but I don’t want Apple making decisions about whether or not to move my benevolence request forms to the cloud.
The short of this long answer is this. I don’t have an answer, but there needs to be one. I think that you should balance the need of the users with the implications of security and keep it locked down as tightly as possible without being draconian. (Easy, right!)
Another important thing to do is to educate your staff on security. A lot of folks have no idea how their actions can compromise your network. Giving them some broad view pointers can go a long way to helping them help you keep safe.