Re: Subhead - "Do we block unsanctioned ones?"
A very large part of the problem is that the NHS is run by people who are scared of Doctors/Consultants and with good reason since they have all the power. If you try and do something as sensible as restricting access to Dropbox, some "innovator" will give a reason to "need" it and shout until they get it no matter what the actual cost.
IT and other operational/admin areas of the NHS end up taking the brunt of cuts and so NHS organisations end up wasting vast amounts of money getting middle/senior management grades doing admin work whilst "innovation teams" come up with bizarre and expensive "new ways of working" that cannot be implemented because someone cut the budgets in the operational areas.
Everything that the NHS (and virtually all other organisations) does it underpinned and made more efficient by IT (even after all the cockups!) and yet it still isn't generally recognised as a front-line, necessary service, only as a financial drag. Drugs and nurses are "required" but no mention of using information management to target staffing, reduce patient no-shows, etc. etc.
The vendor mentioned here is Netskope and they have an excellent product - one that a certain very large NHS organisation's IT department would love to implement to help manage all sorts of Cyber and governance risks and to also optimise network use and save money in other areas. But it cannot be done because there is no money and no people to do it - and no willingness by senior leaders to recognise the problems within their organisation beyond the political headlines.