Cloud services are now an integral part of corporate life. Companies use, on average, 1,154 cloud services ranging from enterprise-ready services procured by the IT department such as Office 365 to far lesser known and riskier services such as FreakShare. It’s not uncommon for sensitive corporate data to make its way to the cloud, with 15.8% of documents in file sharing services containing some form of sensitive content.
Our latest Cloud Adoption & Risk Report (download a copy here) examines the cloud usage of over 23 million users at companies spanning all major industries worldwide who use the Skyhigh CASB platform. Across more than 16,000 cloud services, they generate in excess of 2 billion events each day, including logins, uploads, edits, shares, deletes, etc. We’ve analyzed this activity and distilled some important facts about how companies are using the cloud today. Here are 11 of the most interesting findings from the report.
15.8% of files in the cloud contain sensitive data
The most common type of sensitive content found in the cloud is confidential data (e.g. financial records, business plans, source code, trading algorithms, etc.) with 7.6% of documents in file sharing services containing this data. Next, 4.3% of documents contain personally identifiable information, 2.3% contain payment data such as credit card numbers, and 1.6% contain protected health information. Sensitive data uploaded to the cloud, in and of itself, is not necessarily a bad thing, but we’ve found that data can be placed at risk if it’s misused internally or shared externally outside of policy.
1,156 files contain the word “password” in the filename
A common theme in recent data breaches is that cyber criminals use compromised passwords to execute attacks. In the Anthem breach, it’s been reported that passwords belonging to five IT employees were used to access sensitive patient data. While it’s recommended users store passwords in a safe place, such as a secure password vault, unencrypted Excel and Word documents uploaded to file sharing services are a poor place to store passwords.
1,753 Excel documents contain the word “salary” in the filename
Recent headline-making data breaches have also involved documents containing employee salaries, Social Security numbers, home addresses, and bank account numbers. Many of these files include the word “salary” or “salaries” in the filename, making it even easier for a cyber criminal to identify them. The average company has 6,097 files containing these keywords in the filename stored in cloud-based file sharing services, and 1,753 are Excel spreadsheets.
File sharing hit an all-time high this quarter
The percentage of files in cloud-based file sharing services that are shared hit an all-time high of 37.2% in Q3. Files can be shared with multiple users inside and outside the company. The most common type of collaboration is with internal users, with 71.6% of shared files shared with individual users within the company. Of shared files, 28.2% are shared with business partners, and 5.4% are visible to anyone with the link. Of the 37.2% of files shared, we’ve broken down who they are shared with here:
9.2% of files shared externally contain sensitive data
Of files in cloud-based file sharing services that are shared externally (with business partners, personal emails, or publicly on the web), 9.2% contain sensitive data, defined as confidential, personal, payment, or health data. This number is lower than the overall average of all files that contain sensitive data (15.8%), which indicates that users are more selective with what they share externally, but these sharing events can still expose organizations to risk if data falls into the wrong hands.
File sharing services are a shadow code repo
Data is under siege by internal and external threats
Insider threats, which include both accidental and malicious high-risk user behaviors, occur at least once a month at 89.6% of companies, with the average company experiencing 9.3 incidents per month. On average, companies experience 2.8 privileged user threats per month, which include administrators accessing data they shouldn’t. And, organizations experience 5.1 incidents each month in which an unauthorized third party exploits stolen account credentials to gain access to corporate data stored in a cloud service. A breakdown of companies experiencing at least one insider threat, compromised account, and privileged user threat per month is shown here:
Cloud usage in Q3 grew 38.9% over the same period last year
Cloud usage continues to grow exponentially. The average company in Q3 2015 used 1,154 cloud services, including 174 distinct collaboration services, 61 file sharing services, 57 development services, and 45 content sharing services. The average user actively uses 30 cloud services. On average, organizations upload 14.7 TB of data to the cloud each month, but only 8.1% of cloud services offer enterprise-ready security controls, which is lower than the 9.5% this time last year.
iOS has more apps in use per device, Android users upload more data
The average iOS device accesses 11.05 cloud services, compared with 9.96 for Android and 6.82 for Windows Phone. Cloud usage on iOS is soaring; it’s now 88.1% higher than in the same period last year. Across mobile platforms, cloud usage grew 62.9% in the last 12 months. However, users of Android devices upload over three times more data compared with the average iOS user.
Cloud usage is surging on Windows and stagnant on the Mac
On average, Windows desktop users use a greater variety of cloud services than users of any other platform. The average Windows device accesses 18.3 cloud services, an increase of 47.6% in the last 12 months. Today, Windows devices on average access 77.7% more cloud services than Mac devices.
Enterprise cloud services account for 72.9% of cloud usage
A common misconception among corporate IT departments is that the bulk of their cloud usage is made up of employees accessing consumer apps. However, we found the opposite is true. On average, 72.9% of the cloud services in use by a company are defined as enterprise cloud services and 71.8% of data uploaded to the cloud went to these services. Not all of these apps are approved, and companies can reduce their risk by migrating to enterprise-ready services. From a security standpoint, the top 20 enterprise cloud services are significantly more likely to have robust security controls than the average enterprise cloud service (85% vs 9.9%).