The worldwide cloud computing market is expected to grow to $191 billion by 2020, according to analyst firm Forrester, up from $91 billion in 2015. There are numerous advantages of cloud computing driving a secular move to the cloud; among them lower cost, faster time to market, and increased employee productivity. However, the security of data in the cloud is a key concern holding back cloud adoption for IT departments, and driving CASB adoption. Employees are not waiting for IT; they’re bringing cloud services to work as part of a larger “bring your own cloud” or BYOC movement. The Ponemon Institute surveyed 400 IT and IT security leaders to uncover how companies are managing user-led cloud adoption.
The Ponemon study identified 9 cloud risks. Following high-profile breaches of cloud platforms Evernote, Adobe Creative Cloud, Slack, and LastPass, it’s no wonder IT departments are concerned. The LastPass breach is particularly troubling, since the service stores all of a user’s website and cloud service passwords. Armed with these passwords, especially those belonging to administrators with extensive permissions for a company’s critical infrastructure, a cyber criminal could launch a devastating attack. The scale of the breach is extensive and 91% of companies have at least one LastPass user. The IT departments at these companies may not even be aware they have employees using LastPass.
In the last few years, there has been an explosion of new apps that help people be more productive. Employees are bringing these apps to work with them to do their jobs more efficiently. While forward-thinking companies recognize the benefits of the bring your own cloud (BYOC) movement for their organizations, you may have heard of it referred to by the more ominous title of “shadow IT”. In most cases, shadow IT starts with good intentions. Employees use apps that help them be better at their jobs, unaware of the risks that storing corporate data in unsecured apps can have. Skyhigh analyzed cloud usage of 18 million employees and found the average company uses 923 cloud services.
Surveying 409 IT and security leaders, the Ponemon Institute report The Insider Threat of Bring Your Own Cloud (BYOC) investigated the risk of cloud services. The survey revealed that many respondents have no idea how pervasive the problem of BYOC is within their own organization. They don’t know what applications and cloud services workers are using, and, worse, they don’t know what information is exposed, where it is going, and with whom it is being shared. Here are the top risks of BYOC, as identified by respondents in the survey. Some of these risks stem from weak security on the part of the services themselves, such as storing data without controls like encryption, or not offering multi-factor authentication for access to the service.
1. Loss or theft of intellectual property
Companies increasingly store sensitive data in the cloud. An analysis by Skyhigh found that 21% of files uploaded to cloud-based file sharing services contain sensitive data including intellectual property. When a cloud service is breached, cyber criminals can gain access to this sensitive data. Absent a breach, certain services can even pose a risk if their terms and conditions claim ownership of the data uploaded to them.
2. Compliance violations and regulatory actions
These days, most companies operate under some sort of regulatory control of their information, whether it’s HIPAA for private health information, FERPA for confidential student records, or one of many other government and industry regulations. Under these mandates, companies must know where their data is, who is able to access it, and how it is being protected. BYOC often violates every one of these tenets, putting the organization in a state of non-compliance, which can have serious repercussions.
3. Loss of control over end user actions
When companies are in the dark about workers using cloud services, those employees can be doing just about anything and no one would know—until it’s too late. For instance, a salesperson who is about to resign from the company could download a report of all customer contacts, upload the data to a personal cloud storage service, and then access that information once she is employed by a competitor. The preceding example is actually one of the more common insider threats today.
4. Malware infections that unleash a targeted attack
Cloud services can be used as a vector of data exfiltration. Skyhigh uncovered a novel data exfiltration technique whereby attackers encoded sensitive data into video files and uploaded them to YouTube. We’ve also detected malware that exfiltrates sensitive data via a private Twitter account 140 characters at a time. In the case of the Dyre malware variant, cyber criminals used file sharing services to deliver the malware to targets using phishing attacks.
5. Contractual breaches with customers or business partners
Contracts among business parties often restrict how data is used and who is authorized to access it. When employees move restricted data into the cloud without authorization, the business contracts may be violated and legal action could ensue. Consider the example of a cloud service that maintains the right to share all data uploaded to the service with third parties in its terms and conditions, thereby breaching a confidentiality agreement the company made with a business partner.
6. Diminished customer trust
Data breaches inevitably result in diminished trust by customers. In one of the largest breaches of payment card data ever, cyber criminals stole over 40 million customer credit and debit card numbers from Target. The breach led customers to stay away from Target stores, and led to a loss of business for the company, which ultimately impacted the company’s revenue. See number 9 below.
7. Data breach requiring disclosure and notification to victims
If sensitive or regulated data is put in the cloud and a breach occurs, the company may be required to disclose the breach and send notifications to potential victims. Certain regulations such as HIPAA and HITECH in the healthcare industry and the EU Data Protection Directive require these disclosures. Following legally-mandated breach disclosures, regulators can levy fines against a company and it’s not uncommon for consumers whose data was compromised to file lawsuits.
8. Increased customer churn
If customers even suspect that their data is not fully protected by enterprise-grade security controls, they may take their business elsewhere to a company they can trust. A growing chorus of critics is instructing consumers to avoid cloud companies that do not protect customer privacy.
9. Revenue losses
News of the Target data breach made headlines and many consumers stayed away from Target stores over the busy holiday season, leading to a 46% drop in the company’s quarterly profit. The company estimated the breach ultimately cost $148 million. As a result, the CIO and CEO resigned and many are now calling for increased oversight by the board of directors over cyber security programs.
According to the Ponemon BYOC study, a majority (64 percent) of respondents say their companies can’t confirm if their employees are using their own cloud in the workplace. Trust us—they are. In order to reduce the risks of unmanaged cloud usage, companies first need visibility into the cloud services in use by their employees. They need to understand what data is being uploaded to which cloud services and by whom. With this information, IT teams can begin to enforce corporate data security, compliance, and governance policies to protect corporate data in the cloud. The cloud is here to stay, and companies must balance the risks of cloud services with the clear benefits they bring.
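As an added example of the visibility step described above (which cloud services are in use, by whom, and how much data goes to them), and of spotting the drip-feed exfiltration pattern mentioned under risk 4, the following Python script summarises outbound proxy log lines per user and destination host. This is not Skyhigh's, Ponemon's, or any vendor's code; the log format, the sample lines, the sanctioned-host list and the alert thresholds are all constructed assumptions, and a real deployment would feed it the organisation's own proxy or firewall logs.

```python
"""Shadow-cloud discovery from outbound proxy logs (added example, not vendor code).

Assumed, simplified log line format: "<timestamp> <user> <method> <host> <bytes_sent>".
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical sanctioned-service list; a real one comes from the organisation's policy.
SANCTIONED_HOSTS: Set[str] = {"docs.example-sanctioned.com"}

# Constructed sample proxy lines (not real traffic).
SAMPLE_LOG_LINES: List[str] = [
    "2015-06-15T09:01:12Z alice POST docs.example-sanctioned.com 20480",
    "2015-06-15T09:02:40Z alice GET docs.example-sanctioned.com 0",
    "2015-06-15T09:05:03Z bob POST personal-drive.example 52428800",
    "2015-06-15T09:05:09Z bob POST personal-drive.example 52428800",
    "2015-06-15T09:07:00Z dave GET news.example 0",
    "malformed line that the parser must skip",
] + [
    # Thirty 140-byte posts in a row to one unsanctioned host: the drip-feed pattern.
    f"2015-06-15T09:{10 + i // 60:02d}:{i % 60:02d}Z carol POST api.microblog.example 140"
    for i in range(30)
]

Record = Tuple[str, str, str, str, int]          # (timestamp, user, method, host, bytes_sent)
Stats = Dict[Tuple[str, str], Tuple[int, int]]   # (user, host) -> (upload_count, total_bytes)


def parse_line(line: str) -> Optional[Record]:
    """Parse one assumed-format log line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, user, method, host, size = parts
    return ts, user, method.upper(), host.lower(), int(size)


def summarize_uploads(lines: List[str]) -> Stats:
    """Per (user, host): number of upload requests (POST/PUT) and total bytes sent."""
    counts: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines rather than crash
        _, user, method, host, size = rec
        if method not in ("POST", "PUT"):
            continue                      # downloads and reads are not uploads
        counts[(user, host)][0] += 1
        counts[(user, host)][1] += size
    return {key: (n, b) for key, (n, b) in counts.items()}


def unsanctioned_services(stats: Stats, sanctioned: Set[str]) -> Dict[str, List[str]]:
    """Hosts receiving uploads that are not on the sanctioned list, with the users involved."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for (user, host) in stats:
        if host not in sanctioned:
            found[host].add(user)
    return {host: sorted(users) for host, users in found.items()}


def bulk_uploads(stats: Stats, sanctioned: Set[str],
                 threshold_bytes: int = 50 * 1024 * 1024) -> List[Tuple[str, str, int]]:
    """(user, host, bytes) for unsanctioned hosts that received at least threshold_bytes."""
    return sorted((user, host, b) for (user, host), (_, b) in stats.items()
                  if host not in sanctioned and b >= threshold_bytes)


def drip_uploads(stats: Stats, sanctioned: Set[str], min_requests: int = 20,
                 max_avg_bytes: int = 512) -> List[Tuple[str, str, int]]:
    """(user, host, request_count) where many tiny uploads went to one unsanctioned host."""
    return sorted((user, host, n) for (user, host), (n, b) in stats.items()
                  if host not in sanctioned and n >= min_requests and b / n <= max_avg_bytes)


if __name__ == "__main__":
    s = summarize_uploads(SAMPLE_LOG_LINES)
    print("Unsanctioned services in use:", unsanctioned_services(s, SANCTIONED_HOSTS))
    print("Bulk uploads to unsanctioned hosts:", bulk_uploads(s, SANCTIONED_HOSTS))
    print("Drip-feed uploads to unsanctioned hosts:", drip_uploads(s, SANCTIONED_HOSTS))
```

The thresholds are deliberately simple; in practice the useful signal is the delta between the services IT sanctioned and the hosts that actually receive uploads, and the per-user upload volume to anything outside that list, which is the inventory the passage above says companies need before they can enforce policy.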