Identifying and educating employees
Around 28.1% of employees, that’s more than a quarter, have uploaded a file containing sensitive data to the cloud. This is not about small numbers of rogue employees but about employees who either don’t care or, more realistically, just don’t think about where the data is going.
Skyhigh Networks identified one user who had uploaded 284 unencrypted documents containing credit card numbers to a file sharing service. Another uploaded 46 documents labelled private and 60 labelled restricted under the company's document classification system. A third employee uploaded 88 documents containing social security numbers. All of these were in breach of corporate policies, so why were the files allowed to be uploaded?
It is a good question and one that is hard to get an answer to from anyone. The data content was detected by Skyhigh Networks, so it is not a huge jump to say IT should have been able to detect it given the right tools. There is certainly a case that the companies may not have had the right tools, but the cost of a lawsuit far outweighs the cost of tools.
One solution is for the CISO and IT Director to deliver a report to the board outlining what they need and the risks of not having it. This way, there would be a record that the risk has been identified and the board would have to decide to act or not to act. Of course, many people would see such a report as potentially career ending. However, the impact of a breach and data loss is just as devastating to a career and ultimately more damaging in the long term.
As we now know in the Target breach, the board knew there were issues but decided to spend money elsewhere. It has already cost board members their jobs and there is still the potential for a court case over the failure to act. It is not just a risk of being sued by regulators that should worry the board. Shareholders could bring legal actions citing negligence because the action of an employee or inaction of the board caused the share price to be damaged.
The risk of sharing and collaboration
Sharing and collaboration have been buzzwords for a while now. The first serious push came about as a way to reduce travel, cut costs and improve productivity. In general, employees are happy with it as they waste less time getting to and from meetings and locations.
The downside is the amount of data. Looking at the top 20 enterprise and consumer cloud services in this report, it is clear that most of the file sharing sites are in the consumer, not the enterprise, cloud service group. Just one of the top 20 consumer cloud services meets the CloudTrust requirements, which calls into question the security of those services.
Skyhigh Networks report that the average company uploads 5.6TB of data to file sharing servers every month. This is spread across up to 849 external domains via the different services. A large percentage of cloud services charge for data being uploaded. Not only is data being uploaded unnecessarily but it is also costing money. If the idea was to move from CAPEX to OPEX with cloud, those savings are being eroded by poor usage and excess data movement.
Interestingly, 62.8% of the data is never shared. It might be personal backups or it might be data copied in order to work outside of the office. The 37.2% that is shared, however, is a rise of 6.2% from this time last year. That’s a significant rise however you look at it.
The majority of the shared data is with users inside the same organisation. This does not mean that there is no risk. Those users may have no access to the data under normal conditions for good reason and using cloud services to bypass company security is always a risk. Of the remainder, some of this 5.4% is shared via a link. This has become popular with marketing and sales teams as it saves them emailing large amounts of data to customers and partners.
The piece that is most worrying is that 2.7% is publicly accessible and indexed by Google. While this figure is small, it should have companies very nervous. Given the amount of sensitive documents being uploaded, including those with PII and financial data, the risk of any of that being indexed by Google is a lawsuit waiting to happen.
Developers sharing code and code snippets is another challenge but here the picture is much murkier than it looks. The increase in companies using open source software means that they are supposed to share the code they create back to the project for the benefit of the rest of the community. The numbers in this report do not separate out how much of the code shared falls into this category.
In 2013 an auditor at supermarket chain Morrisons posted the personal data of 100,000 employees to a number of file sharing sites. The data became public, causing problems for staff. Should that data have been detected by the company through the use of DLP? The employees think so and are suing the company for not protecting their data better.
The challenge here is that the auditor had legal access to the data, so this wasn't hacked data, just a simple mistake. DLP might have detected the data if it had been set up correctly. With all the focus on customers of late, it is just as easy for employees to share other employees' details online without thinking about it. Will Morrisons lose the case? We will have to wait and see.
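The report and the Morrisons case both turn on the same point: the sensitive content (card numbers, social security numbers, classification labels) was detectable before the upload, if anything had been looking. The following is an added example of what that content check looks like in practice; it is not code from Skyhigh Networks or from the report. The sample documents, the "Classification:" label format and the allow/block decision are all assumptions constructed for the example. Card candidates are validated with the Luhn checksum so that an arbitrary run of digits such as an order number does not trip the scanner, which is the false-positive that makes poorly tuned DLP get switched off.

```python
import re

# Constructed sample uploads (assumption: not taken from the report).
SAMPLE_DOCS = {
    "expenses.txt": "Card on file: 4111 1111 1111 1111, approved.",
    "hr_notes.txt": "Classification: RESTRICTED\nEmployee SSN 123-45-6789 for payroll.",
    "readme.txt": "Order number 1234-5678-9012-3456 is a tracking id.",  # fails Luhn
    "memo.txt": "Lunch at noon. Classification: PUBLIC",
}

# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed in-document classification marking; labels that must not leave the org.
LABEL_RE = re.compile(r"Classification:\s*(PRIVATE|RESTRICTED|CONFIDENTIAL)", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like cards AND pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> list:
    """List the sensitive-data categories present in a document."""
    findings = []
    if find_card_numbers(text):
        findings.append("credit_card")
    if SSN_RE.search(text):
        findings.append("ssn")
    label = LABEL_RE.search(text)
    if label:
        findings.append("label:" + label.group(1).upper())
    return findings


def scan_upload(filename: str, text: str) -> dict:
    """Policy decision for one file: block if any finding, otherwise allow."""
    findings = classify(text)
    return {
        "file": filename,
        "findings": findings,
        "action": "block" if findings else "allow",
    }


def scan_all(docs: dict) -> dict:
    """Scan every document; returns {filename: decision}."""
    return {name: scan_upload(name, body) for name, body in docs.items()}


if __name__ == "__main__":
    for decision in scan_all(SAMPLE_DOCS).values():
        print(decision["action"].upper(), decision["file"], decision["findings"])
```

The two "allow" results are the interesting ones: the 16-digit order number in readme.txt matches the card pattern but fails Luhn, and memo.txt carries a label that policy does not restrict. A production DLP engine adds context (proximity of words like "card" or "SSN", document fingerprints, the user's role), but the detection core is no more exotic than this, which is why "we could not have detected it" is a hard argument to make.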
Unless we do more to deal with how files are saved and where they are saved, we are going to continue to make it easy to steal data. Users must take responsibility for their part of the problem, such as the obvious names they give files. It cannot all be down to IT and someone else to sort it out.
At the same time, better tooling would help reduce the problem and at least make hackers work a little in order to find the data they are hoping to find.