It only takes one employee to create a monumental security nightmare. And that person may already be wreaking havoc at your organization.
A quarterly analysis by Skyhigh Networks, a cloud visibility and enablement company, found one user who uploaded gigabytes of data to high-risk cloud services — opening the company up to malware or a massive leak of confidential information.
This wasn’t the only security problem uncovered in the Cloud Adoption and Risk Report. Created by Skyhigh and Cloud Security Alliance, it looked at usage and risk metrics for 13 million enterprise employees from 350 organizations.
Here's the disconnect: Only 17 percent of IT professionals think their company has faced an insider threat, but data shows 85 percent of companies have anomalous use patterns that indicate the probability of such a threat.
“The frequency of insider threat incidents is five times greater than IT managers believe,” Skyhigh noted in the report. “This should be a wake up call that organizations need greater visibility into the movement of data to and from the cloud and employ ‘trust and verify’ strategies to comprehensively protect corporate data.”
The report uncovered a worrisome lack of enforcement when it comes to IT policies, said Rajiv Gupta, Skyhigh CEO. “Averaged across several services, the intended block rate was six times the effective block rate. For example, 50 percent of companies believe they are blocking Apple iCloud, but usage data reveals the service is only blocked by 9 percent of companies.”
Not as surprising was the fact that companies were using a large number of different cloud services: 831, on average, he said. “This number continues its upward spiral and employees embrace Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) to get their jobs done, with or without IT’s involvement,” said Gupta. “The consumerization of IT, cloud and mobility are all real and lasting trends.”
However, while companies may use many cloud services, the bulk of information — some 80 percent — goes to just 1 percent of them — 11 big-name cloud services, such as Box, YouTube and Facebook, according to Skyhigh.
“From a security and compliance standpoint, however, enterprises still need to focus on the long tail because services housing the remaining 20 percent of data account for 81.3 percent of anomalous activity indicative of malware, compromised account, and insider threat,” Skyhigh reported.
What the Future Holds
While much of the information in the report focused on potential problems, there was good news, too.
“While many cloud services lack crucial security controls such as strong password policies and customer-managed encryption keys, we see a silver lining,” said Gupta. “The number of available cloud services rated Enterprise-Ready by Skyhigh’s CloudTrust Program increased from 343 last quarter to 429 this quarter. We expect the number of enterprise-ready services to increase as more and more cloud services are targeting enterprises (versus consumers) and investing in security capabilities in order to generate revenue.”
In the future, he said he expects companies to begin moving from a “guard” model to a “guide” model when it comes to cloud security. Rather than focusing on blocking cloud services, IT will shift to guiding employees on how to avoid high-risk cloud services and use low-risk services instead, “creating a win-win for all parties,” said Gupta.