IT departments aren't aware of the extent to which public cloud services are being used within their organisation, potentially putting businesses at risk of data breaches and data protection issues.
That's according to Skyhigh Networks CEO Rajiv Gupta, who was speaking as the cloud security firm launched its Cloud Adoption and Risk Report Q1 2014, which examined use of cloud services in the enterprise based on data from over one million users.
It found that on average, a European organisation has 588 cloud services in use - with the figure rising to 626 in the US - as employees use publicly available services such as Dropbox and Google Drive in an effort to be more efficient. However, in many cases it seems the IT department isn't aware of the extent to which these services are being adopted by staff.
"There's a lack of knowledge within the IT organisation as to how much cloud exposure they're undertaking, even today," Gupta told Computing, going on to explain how one client in the banking sector thought they had 46 cloud services running in the organisation, before Skyhigh Networks demonstrated the true figure was 960.
That put the bank in the upper echelons of public cloud services use - with the highest number being deployed standing at 1,223 - something Gupta argued might be being done for the right reasons, but is potentially risky.
"Those are legitimate cloud services in that they're helping the employee be productive, but they're also of concern to a bank, for example, if an employee accidentally puts out some confidential data into a cloud service which can expose the bank to fines and being on the front of the Financial Times," he said.
He said the extent of so-called "shadow IT" should worry IT departments, because if they do not know what tools are in use, how can they protect the organisation against the risks they might pose? Even more concerning, Gupta argued, was that employees largely aren't aware which tools are suitable for enterprise use.
"Employees are using cloud services without checking with IT as to which are approved, low risk services. So there isn't as good an understanding about which services are low risk and which are high risk," he said, explaining that staff will just use what they've heard of or what appears to get the job done.
"If an objective assessment of these services isn't available, employees will do the convenient thing as opposed to the right thing."
The solution, Gupta explained, would be for the IT department to gain an understanding of which "shadow IT" cloud services are being used by employees, then properly explain which tools are the best for productivity while keeping the organisation safe.
"If the IT department does the work and says 'this is the service we recommend you use', employees tend to follow that. Whereas if you don't tell them what to do, employees will try whatever they want because they want to be productive," he said.
"We need to be aware that cloud is a bigger and bigger part of IT infrastructure and we need to take this out of shadow IT and make it real IT," Gupta continued.
"You need to understand and educate that all services are not made equal, so find the low risk ones, recommend those to employees to make sure they do the right thing, that's the path forward," he said.
The Skyhigh Networks Cloud Adoption and Risk Report assessed data from 1.05 million users in organisations with between 502 and 90,000 employees. It found a total of 2,105 public cloud services were in use across all of the organisations examined.