The cyber attack against Sony Pictures revealed a treasure trove of titillating sensitive corporate data: emails that revealed the true feelings of certain producers for certain movie stars, sensitive compensation data for employees up and down the company's food chain, and scripts of future movies.
The attack has been declared the work of a mysterious group that calls itself the Guardians of Peace — a group US intelligence officials have concluded is involved with the North Korean government.
But imagine how foolish – and how liable – the IT security shop at Sony Pictures would look if this information leaked to the public through its own sloppy policies and willingness to look the other way as employees took shortcuts to make their work processes easier. That is, imagine the headlines if this data had been snatched from an unprotected or minimally protected collaboration app that resided in the cloud.
For that's a major vulnerability at many companies, concludes SailPoint's Annual Market Pulse Survey.
The Unintentional Inside Job
Specifically, it found that one in five employees has uploaded proprietary corporate data to a cloud application, such as Dropbox or Google Docs, with the specific intent of sharing it outside of the company. Sometimes it's done with the intent to commit fraud, Kevin Cunningham, president and founder of SailPoint, tells CMSWire.com. But often it's done just to make a workday go easier.
"It is a different kind of insider threat – the unintentional inside job," he said. "Employees do it to increase collaboration among work teams or with partners or clients. These groups are not necessarily interested in causing harm to the company by releasing the corporate data. The threat comes from the fact that this sensitive corporate data is totally unprotected when it passes through these third-party apps."
The fact that 20 percent of employees admitted to this behavior was an eye-opener, he continued, as the true figure is likely higher. "These were just the employees who admitted to it, who probably didn’t realize the risk they put their companies in." Other employees might realize the potential dangers but assume "it won't happen to them."
One reason employees might be unaware of the dangers is that corporate IT is not vetting the use of these third-party apps, Cunningham said. "A lot of times they are implemented at the departmental level."
Another sign that companies are not monitoring employees' use of the cloud: the survey found 60 percent of employees who leave a firm still have access privileges to the apps because no one thought to end them.
The solution is clear, Cunningham said: companies must ensure that their security policies cover all computing modes, including, and especially, such third-party services.
As far as he knows there hasn’t been a major leak of corporate data in this manner – that has been made public at least – but with 20 percent of employees admitting to the behavior, it is likely only a matter of time.
Separately, Netwrix predicts cloud security will play a larger role among companies and the information technology community next year as more and more data is moved to the cloud. Specifically, it predicts that cloud security technologies in 2015 will focus on improved data encryption and the ability to view audit trails for configuration management, among other developments. It also foresees the development of security brokers for cloud access, which act as a security enforcement point between a user and a cloud service provider and allow for user access control.
Bigger Cloud Security Budgets
Another telling stat comes from IBM's recently released third annual Chief Information Security Officer survey, which reports that close to 90 percent of respondents have adopted cloud or are currently planning cloud initiatives. Of this group, 75 percent expect their cloud security budget to increase or increase dramatically over the next three to five years.
In general, nearly half, or 50 percent, of the respondents agree that deploying new security technology is the top focus area for their organization. The three top areas identified in the survey in need of "dramatic transformation"? Data leakage prevention, mobile device security – and cloud security.