Security vendor Blue Coat Systems, who have announced that they are to be acquired by Symantec, have conducted a survey with YouGov looking at the risk to corporate data from cloud usage. The focus of the research was on how employees were using cloud storage, collaboration, social media and email apps. What the survey revealed was that many employees are seriously unaware of the risks they are exposing the business to through the leaking and misuse of sensitive data.
According to Dr. Hugh Thompson, chief technology officer and SVP, Blue Coat Systems, Inc: “This research highlights the behavioural traits of employees using cloud applications at work and the risks they expose their employers to through their behaviour. Most significantly, the job areas that manage the most critical data, such as IT, financial and HR, use cloud applications the most.
“This sensitive data is often the jewels that hackers are after and want to exploit most. Shadow data, outside of corporate IT controls, clearly remains a major challenge for organisations and data shared on unsanctioned applications requires a proactive approach to ensure employee access is within the parameters of safe usage.”
Blue Coat see cloud on the rise within Europe
Europe is adopting cloud on a big scale. Uptake is high in France (53%), UK (49%) and Germany (47%), which might seem like good news. The problem is that many of the apps are not sanctioned by IT, which means that they have not been security checked. As shown repeatedly by Skyhigh Networks' quarterly reports, only a very small percentage of cloud-based apps can be termed enterprise secure.
This means that there is a lot of data being moved outside of companies to locations that are insecure. This raises the risk of a data breach and should cause serious concern for IT departments. The most used type of app is collaboration, with 23% of respondents using it. Data is often uploaded into the apps in order to share it with others involved in the project, yet few users actually check to see if everyone is cleared to access the data.
Respondents also admitted that they often used cloud apps for unsanctioned purposes. Shockingly, they then admitted that this was to steal data before leaving an employer or to store data to protect themselves. Whistleblowers also like the cloud as it allows them to move data outside the organisation and then make it available to third parties such as regulatory bodies and even the press.
IT and HR lead the use of cloud apps
Unsurprisingly, IT (76%) makes the most use of cloud apps, both for work and personal use. Given their access to sensitive data, this makes them a serious security risk. However, ask IT staff at conferences about who is the biggest risk and they will often point at sales teams.
The second and third biggest users of cloud apps are HR (69%) and Finance (59%). This is surprising. While ERP vendors are busy adding in HR and Finance modules, take-up is still not ubiquitous. What it suggests is that in Europe, users are seeing the benefits offered by companies such as Workday, NetSuite, FinancialForce and others.
Leaking customer data risks GDPR fines
The survey highlighted customer and marketing data as being among the most at risk. Both of these data types are likely to contain personal data, which should make them among the most highly protected. What is unclear from the survey, as we were unable to gain access to the raw data, is whether the cloud apps into which this data is shared are the big CRM and ERP suites or if the data is simply being pushed to storage apps and sent out through unprotected emails.
A need to change the culture of security inside organisations
Interestingly, the YouGov and Blue Coat survey was released a week before Fasoo and the Ponemon Institute published their report on employee risk. In that report the view was that employees were not the only ones that needed to wake up. Much of the problem seems to be systemic throughout organisations, with a lack of tooling, education and audits.
This week also sees the Security Culture conference taking place in Oslo, Norway. The focus of the conference is on how to establish a culture of security inside organisations. One of the challenges it will be addressing is how to get HR involved in the soft skills around user perception and behaviour.
Users are often fooled into believing that they are safe because the main focus of IT security is around tooling, not behaviour. What the YouGov and Blue Coat Systems survey shows is that we need to educate users now before the problem gets worse. This is not about imposing draconian penalties for mistakes but using those mistakes to improve the way users handle data.
This was echoed by Carolyn Lees, Global IT Director at Permira, when she commented, “Over and above those basics it is staff awareness and looking internally at the things that can help you keep the employees educated to the threats that are more likely to happen through social engineering attacks than any other way,” during a recent CIO interview with Enterprise Times.
With the General Data Protection Regulation (GDPR) countdown well underway, there is a small window for companies to get this right. If they don’t, then they risk fines which could threaten the very survival of their businesses. It will also be interesting to see if, when that happens, insurance companies are willing to step in and pay out or whether they will leave customers to go under.