Until recently, computer security was viewed as though it were a medieval battle scene, like the one in Monty Python and the Holy Grail: the employees barricaded inside, under siege by an unruly army of hackers (or a Trojan Rabbit) trying to spread viruses to infect and weaken the people inside.
But this analogy couldn’t be further from reality. Perimeter security fails because none of our workflows exist in a barricaded castle anymore. The internet changed that a long time ago. Our castles are completely permeable, connected to and interdependent with the rest of the world. We forget that a large portion of our workflows exist on the World Wide Web, so walls don’t make a big difference. The drawbridge is always down and the guards are all asleep.
When we don’t carefully consider security in all of the actions employees take on the internet, we are hacking ourselves. Hackers and competitors don’t need to code malware; they just keep their eyes open for something interesting. If a former employee downloads your confidential documents onto their phone and shares them with your competitor, you weren’t attacked; you were careless.
Instead of picturing a dark room with a grinning face lit by the glow of a computer monitor as your biggest digital security threat, you should just go to the bathroom and look in the mirror. The hardest part of reducing the risks of Shadow IT isn’t educating everyone else to follow the rules; it’s accepting that you should too.