You hear a lot about Shadow IT these days. And we'll probably continue to hear more, according to Cameron Coles, senior product marketing manager for Skyhigh Networks, a cloud security company.

Shadow IT happens when departments or individual employees use technologies that aren’t sanctioned by IT — something that has been increasingly easy to do since cloud-based services arrived.

As CMSWire writer Steven Pogrebivsky noted last year, employees who use a lot of consumer-based apps tend to expect the same ease of use in the workplace. "Personal and work have collided in such a big way that employees often expect that one service will support both needs. In a perfect world that would be fine. But this isn’t a perfect world: information gets leaked, gets lost, gets stolen," he noted.  

While senior management may be aware of the risks of cloud-based services, employees are often less cautious and unwittingly create a hefty problem for many organizations, Coles said.

Way Worse Than Suspected

A new Cloud Security Alliance (CSA) survey, sponsored by Skyhigh Networks, concludes the Shadow IT problem is some 10 times worse than most IT departments suspect. As the Cloud Adoption, Practices and Priorities Survey Report points out, about 72 percent of those surveyed said they don’t know how big a problem Shadow IT is in their organization. But the good news is that they at least want to find out.

A recent Netskope Cloud Report sheds further light on the problem. It found that 90 percent of the cloud apps in use at businesses aren’t enterprise grade. This research further found that the average organization has more than 600 cloud apps in use—which IT may or may not know about.

The CSA survey polled more than 200 IT and security professionals not only to find out their views on Shadow IT, but also to discover how they view the cloud, what barriers they are running into when trying to adopt it and what they see as their top security concerns.

It also looked at how companies are balancing business user access to Software-as-a-Service (SaaS) apps while enforcing security policies and how well cloud service access policies within companies match up to actual block rates.

What’s clear from the results is that despite some trepidation, organizations are moving toward the cloud. Some 74 percent of respondents said they are in the process of adopting cloud services. However, 34 percent said they put the brakes on when it came to cloud adoption, primarily because they don’t have the experience they need to do so.

“One of the most surprising findings is that companies that are best positioned to adopt the cloud securely – because they have more mature governance programs – somewhat paradoxically are slower to adopt the cloud,” said Coles. “Companies with more than 5,000 employees are more likely to have a cloud governance committee (34.8 percent versus 12.0 percent), have a policy on acceptable cloud usage (60.9 percent versus 44.8 percent), and have a security awareness training program (26.1 percent versus 20.3 percent) compared to companies with fewer than 5,000 employees.” But when it comes to dollars and cents they’re spending a much smaller portion of their IT budget on cloud services.

Cloud Access, Security Can Co-Exist

Despite the lingering fears over cloud security, however, it’s safe to say that the cloud is here to stay, said Coles. “The cost savings of cloud services and the fact that most innovative new software products are delivered via the cloud make it strategically important for every company to overcome obstacles to adopting cloud apps,” he said.

Even if your organization isn't quite ready to give the green light to cloud-based services, users looking for the tools they need to solve everyday problems might not agree.

“Shadow IT is the result of enterprise IT not being able to deliver business users with the services and apps they need in order to achieve a maximum degree of productivity,” said Torsten Volk, VP of product management – cloud at ASG Software Solutions. “If they cannot get what they need from the corporate IT department, business users simply swipe their own credit cards and obtain the needed IT resources elsewhere.”

That’s a big problem for you, because all signs point to cyber attacks increasing in volume and severity in 2015, said Coles. “We expect security to become an even higher profile concern for companies, including at the executive-level and board-level,” he said. “In the wake of Target and Sony, expect to see more boards create cyber security committees with more oversight of the company’s security activities.”

And the risks are real. “Fragmented data living outside the company network not only hinders business management, but is subject to staggering compliance and security risks,” said Orlando Scott-Cowley, director of technology marketing at Mimecast. “For example, running searches for files that are needed for e-discovery can become a challenge, especially if end users won’t cooperate.”

Marrying Efficiency, Security

To mitigate these risks, IT has to be able to give users resources that are as easy to use as, for example, Dropbox, but ones that can protect security. “To do this, organizations must be proactive in their approach and need to address the underlying reasons employees turn to third-party cloud services,” said Scott-Cowley. “For example, users often resort to a consumer cloud service for large file-sharing because their corporate email system limits attachment sizes, making it difficult to send data to their colleagues.” You can avoid this problem by giving them the functionality they need. “One way to do this is by offering employees a simple, secure way to send, store and share files within the company network, without leaving their email platform,” said Scott-Cowley.

Volk agrees. “Today, IT must assume the role of a service broker, providing business staff with the required services in a secure, compliant and cost effective manner. IT needs to embrace this new concept of policy driven provisioning of services, independently of whether they are hosted on a mainframe, private or public cloud environment,” said Volk. “The better IT gets at turning from an “owner” into a “service broker”, the faster shadow IT can be eradicated.”

But the first step in solving a potential Shadow IT problem is to open your eyes and see if you have one. “Companies need to address the security and regulatory concerns with cloud services by discovering what cloud apps their employees are using, what corporate data is uploaded to them, and what the risk of each of the applications is,” said Coles.

Creativity may lead to solutions that offer the best of both worlds, usability and security. “Dynamic hybrid workspaces are an interesting solution because they will allow users to build their own unique, custom work experience by provisioning their own apps, services, and content from an enterprise service store,” said Volk. “This will provide a framework with which IT can monitor and approve enterprise app usage, ensure security, and even manage software licenses for business savings.”