
Financial firms gravely underestimate cloud usage, report says


It was on a visit with a chief information security officer at a large bank that Rajiv Gupta, co-founder and CEO of Skyhigh Networks, a 4-year-old cloud security company based in Campbell, California, witnessed a moment of incredible irony.

Gupta was in the midst of explaining the various risks and benefits associated with certain cloud services when the info-sec chief stopped him. “Wait,” Gupta recalls the security lead saying, “I’m taking notes on Evernote—which is not an approved service within my own organization!”

The chief, in other words, had not yet green-lit an application that he trusted and had come to rely on.

Gupta’s anecdote serves to highlight a growing problem. Even in financial services, where strict regulations and heightened security-consciousness pervade the industry culture, there still seems to be a lack of appreciation for the explosive adoption of—and employee dependence upon—cloud applications. That also happens to be the conclusion of a Skyhigh report published on Thursday.

Skyhigh releases regular risk reports on the state of cloud usage across the company’s 450 customers, which include Cisco (CSCO), Aetna (AET), and HP (HPQ). Recently, the firm pulled some finance-focused data for Fortune centered on its 70 financial services customers. The most interesting result? It found that while IT departments across three major industries—finance, government, healthcare—believe their organizations contend with about 60 cloud services on average, in fact they’re dealing with many, many more.

In financial services, the true number reaches more than 1,000 on average. During the same quarter a year ago, the average number of cloud applications in use was 760, so the field is growing quickly.

“It boggles the mind for someone who hasn’t thought about it,” Gupta says. “This number is 15 or so times more than what the IT departments, of what the average person expects there to be, which is a surprise because you would expect an IT department within an organization to be aware of what is going on—especially in financial services industry.”

“It’s not that these teams are failing in their duties to keep their organizations secure,” says Gupta. “It’s that there is simply a lack of ‘cloud awareness.’” That is, of course, where Skyhigh comes in: its cloud visibility product allows information security teams to track employees’ cloud usage.

David Levin, director of information security at Western Union (WU), tells Fortune he was not surprised by the findings in Skyhigh’s latest report. (His team has been a customer for more than two years.)

Other corporate security leads Fortune spoke to said much the same. What could account for such a big discrepancy—60 versus 1,000—then?

“I think people don’t understand the definition of cloud services,” Levin says. “To me anything that is a service or offering your comp does not provide already is basically considered a cloud service.”

That means anything ranging from file transfer sites to collaboration tools and productivity suites to social media and more. Cloud services can include Microsoft Office 365, Box, Slack, Facebook, Pastebin, and everything in between.

IT teams complete an initial Skyhigh survey before using the company’s product. It’s possible these teams misjudged how broad the field is, or perhaps each had different categorizations for what counts as “cloud.” Nevertheless, the conclusion is the same.

You have to look at things from a risk and a productivity perspective, Levin says. The ultimate goal for any company is to become a technology booster, not a hindrance. Disallowing certain services could impede workflow. Yet giving every possible application a clearance could drastically increase a company’s exposure to possible attack.

Referring back to that chief information security officer Gupta met, Gupta says: “The point is that as a human being, he found the service made him more productive, but as a CISO he had not approved it.”

“If they’re not cognizant of this dichotomy, then they may be blocking services that their employees need,” he says. “You need to figure out what your employees are doing, not to become big brother, but to become an enabler to them.”

Otherwise, the cloud could have a storm a-brewing.
