Only 8 percent of companies know the scope of shadow IT at their organizations, according to a new survey by the Cloud Security Alliance.
"The low awareness of shadow IT was not a surprise," said Jim Reavis, CEO of the Cloud Security Alliance. "Anecdotally, that's what we've heard."
In addition, when the CSA does egress monitoring, it usually finds the companies underestimate their use of cloud services by a factor of eight.
The reason for the gap? A lack of knowledge about cloud in organizations on the part of both IT staff and more senior executives.
"We've all been spending years getting ready for cloud, but there still needs to be some education that needs to happen," he said.
One problem is that of basic language. The word "cloud" means different things to different people in a company.
"If I had a dollar for every IT person who said 'we don't use cloud but we love Salesforce'," Reavis said.
For IT departments, the word "cloud" often refers to a specific type of server virtualization technology, or the use of infrastructure-as-a-service platforms such as Amazon AWS.
For everyone else, software-as-a-service is also "cloud," including such commonly used tools as Dropbox, Google Docs, and LinkedIn.
Another reason for the gap is the procurement issue. Company employees can easily go out and sign up for cloud services without any input from IT at all.
"The only way you can get a handle on that is monitoring outbound connections -- which don't tend to be monitored as closely as what's happening in-bound," said Reavis. "And if someone is using their own client device, like their own phone, you can't see it that way either. You have to go talk to people, and monitor expense reports."
But bypassing the IT department, while saving time, can also have negative consequences.
"We expect IT to have a governance role, and to make sure that users are using technology appropriately to solve business problems," said Reavis. "And also that they're complying with all the regulations and that customer information is controlled and protected."
When IT doesn't understand their role, that is when problems arise.
"You have individuals in the organizations being their own IT administrator, their own CIO," he said. "And that can be very problematic."
But companies are coming to understand the importance of security and governance when it comes to cloud, and 72 percent of the IT professionals surveyed said they want to know how widely cloud apps are used by their employees.
The survey also showed an increase of concern about senior executives and C-level managers for data security.
According to the survey, executives are now involved in decisions concerning the security of data in the cloud in 61 percent of companies.
"That's probably the result of things like the Target situation, Reavis said. "We're very glad that this is something executives around the world are paying attention to -- we think it will help close the gap on some of the problems we were talking about."
Large companies are further ahead.
Companies with more than 5,000 employees are more likely to have a cloud governance committee, at 35 percent versus 12 percent, have a policy on acceptable cloud usage, at 61 versus 45 percent, and have a security awareness training program, at 26 versus 20 percent, compared to companies with fewer than 5,000 employees.
The Cloud Adoption, Practices and Priorities Survey Report includes responses from more than 200 IT and security professionals around the world, and was sponsored by Skyhigh Networks.