It only takes one employee to create a monumental security nightmare. And that person may already be wreaking havoc at your organization.
A quarterly analysis by Skyhigh Networks, a cloud visibility and enablement company, found one user who uploaded gigabytes of data to high-risk cloud services — opening the company up to malware or a massive leak of confidential information.
This wasn’t the only security problem uncovered in the Cloud Adoption and Risk Report. Created by Skyhigh and Cloud Security Alliance, it looked at usage and risk metrics for 13 million enterprise employees from 350 organizations.
Here's the disconnect: Only 17 percent of IT professionals think their company has faced an insider threat, but data shows 85 percent of companies have anomalous use patterns that indicate the probability of such a threat.
“The frequency of insider threat incidents is five times greater than IT managers believe,” Skyhigh noted in the report. “This should be a wake up call that organizations need greater visibility into the movement of data to and from the cloud and employ “trust and verify” strategies to comprehensively protect corporate data.”
The report uncovered a worrisome lack of enforcement when it comes to IT policies, said Rajiv Gupta, Skyhigh CEO. “Averaged across several services, the intended block rate was six times the effective block rate. For example, 50 percent of companies believe they are blocking Apple iCloud, but usage data reveals the service is only blocked by 9 percent of companies.”
Not as surprising was the fact that companies were using a large number of different cloud services: 831, on average, he said. “This number continues its upward spiral and employees embrace Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) to get their jobs done, with or without IT’s involvement,” said Gupta. “The consumerization of IT, cloud and mobility are all real and lasting trends.”
However, while companies may use many cloud services, the bulk of information — some 80 percent -- goes to just 1 percent of them — 11 big name cloud services, such as Box, YouTube and Facebook, according to Skyhigh.
“From a security and compliance standpoint, however, enterprises still need to focus on the long tail because services housing the remaining 20 percent of data account for 81.3 percent of anomalous activity indicative of malware, compromised account, and insider threat,” Skyhigh reported.
What the Future Holds
While much of the information in the report focused on potential problems, there was good news, too.
“While many cloud services lack crucial security controls such as strong password policies and customer-managed encryption keys, we see a silver lining,” said Gupta. “The number of available cloud services rated Enterprise-Ready by Skyhigh’s CloudTrust Program increased from 343 last quarter to 429 this quarter. We expect the number of enterprise-ready services to increase as more and more cloud services are targeting enterprises (versus consumers) and investing in security capabilities in order to generate revenue.”
In the future, he said he expects companies to begin moving from a “guard” model to a “guide” model when it comes to cloud security. Rather than focusing on blocking cloud services, IT will shift to guiding employees on how to avoid high-risk cloud services and use low-risk services instead, “creating a win-win for all parties,” said Gupta.