Last week, Skyhigh published its latest Cloud Adoption and Risk Report (download a free copy here). The report is based on the anonymized cloud usage of more than 30 million employees who work at companies worldwide, making it one of the most authoritative sources on how people use cloud services in the workplace. Unlike the cloud vendors themselves, what makes our report unique is that we have visibility into usage across all cloud services, revealing the overall trends and hidden risks to corporate data in the cloud era. Here are the nine most unexpected findings we uncovered when delving deep into our vast datasets.
1. 18.1% of files in the cloud contain sensitive data
We analyzed all files that are stored in cloud-based file sharing and collaboration services, where they are a few clicks from being shared externally. We found that one-in-five files contain data companies generally want to keep private. That includes confidential data (e.g. financial records, business plans, source code, trading algorithms, etc.), personal data (e.g. Social Security numbers, tax ID numbers, phone numbers, date of birth, etc.), password protected files (e.g. password protected ZIP files, Excel spreadsheets, etc.), emails (e.g. PST exports from Microsoft Outlook, individual EML messages, individual MSG messages, etc.), payment data (e.g. credit card numbers, debit card numbers, bank account numbers, etc.), and health data (e.g. patient diagnoses, medical treatments, medical record IDs, etc.)
2. 9.3% of files shared externally contain sensitive data
Cloud-based file sharing and collaboration services are built around sharing content – both internally with other employees and externally with vendors, business partners, contractors, and others. Across all files stored in these services, 43.1% are shared with another user than the one who created or uploaded the file. Of files that are shared, 28.3% are shared externally with known business partners, 6.2% are shared with personal email domains that cannot be traced (e.g. Gmail, Yahoo! Mail), and 2.7% are exposed publicly on the internet. Across these files that are shared externally, 9.3% contain sensitive data. That’s lower than the overall average of 18.1% across all documents, but it shows that organizations need to educate employees about the risks of sharing certain types of data and enforce policies to protect against data leakage.
3. The average company experiences 23.2 cloud-based threats each month
As more corporate data is stored in the cloud, security incidents are no longer isolated to PCs and applications on the network. The average organization experiences 23.2 cloud-related security incidents each month. Detecting these threats is a challenge. Employees at the average enterprise collectively take over 2.7 billion unique actions in cloud services each month, and any of them could signal a threat. Broken down by category, these threats include insider threats (both accidental and malicious), privileged user threats, compromised accounts, and attacks that leverage the cloud as a vector for data exfiltration.
4. Cloud usage last quarter grew 23.7% over this time last year
The average organization now uses 1,427 cloud services, an increase of 23.7% over the same quarter last year. The year-over-year growth in the number of services used by the average enterprise increased slightly from 21.1% in the prior quarter, but it is below the historical average growth rate of 35.3%. Enterprise cloud services account for 71.3% of the services in use by the average organization, while consumer services represent 28.7% of the services in use. While cloud usage is pervasive across industries, there are clear trends in usage by industry in the number of cloud services used at the organizational level as well as user level.
5. Lawyers are more prolific cloud app users than high tech workers
The average high tech company uses 2,083 distinct cloud services, more than any other industry. However, when it comes to individual employees, lawyers use more cloud services. While the average law firm uses the fewest number of cloud services, just 951, their employees are more prolific cloud adopters. The average law firm employee uses 45 cloud services compared with 41 cloud services for the average high tech employee. The industries where employees use the most cloud services on a per user basis includes energy (49 services) and media and entertainment (46 services).
6. Companies sanctioned or permit 68.7% of cloud services
Enterprises broadly categorize services into three groups: approved, permitted, and not allowed. Approved services account for 5.4% of cloud services and are sanctioned by the corporate IT department and often purchased and deployed by the company. Permitted services make up 63.3% of services. They are introduced by employees and business units; however, they have business value and, with appropriate security controls, can be used without introducing an unacceptable level of risk. Those controls can include data loss prevention, activity monitoring, and access control that allows certain actions (view) while disabling other actions (upload). Together, they amount to 68.7% of cloud services in use.
7. There is a wide gap between intended and actual block rates
Comparing the services that are not allowed based on an enterprise cloud governance policy and actual block rates, we found there can be a wide gap between what IT thinks it’s blocking and actual blocking rates. There are three primary causes for this gap: cloud services regularly introduce new URLs and IP addresses that are not blocked by firewalls and web proxies, access policies are not standardized across global egress infrastructure, and organizations fall victim to exception sprawl. For example, IT security professionals believe the blocking rate for the anonymous content sharing service Pastebin is 66.7%, but in reality, the blocking rate is only 7.1%.
8. Microsoft Azure is catching up with Amazon AWS in market share
Measured by the percentage of home-grown applications enterprises deploy on each platform, Amazon is still the leading vendor with 35.8% of deployed applications. Microsoft Azure is closing in with 29.5% of deployed applications, followed by Google Cloud Platform with 14.1% of deployed applications. IBM SoftLayer (3.4%) and Rackspace (2.9%) round out the top five positions. However, there is a significant long tail of IaaS providers that, while they individually account for a small slice of the market, collectively total 14.3% of deployed applications.
9. Microsoft OneDrive is now the #1 most popular file sharing service
We rank file sharing services based on active user count. Driven perhaps in part by Microsoft’s major push to increase Office 365 consumption, OneDrive emerged as the leading file sharing service this quarter for the first time. OneDrive displaced Google Drive in enterprise user count after several quarters of steadily moving up in the rankings. It’s followed by Google Drive, Dropbox, and Box. This quarter, WeTransfer surpassed ShareFile to take the 5th spot on the list and MediaFire joined the top 10 list for the first time. Note that both the enterprise and consumer versions of services are combined here, where applicable.
CASB Magic Quadrant 2019 is here – McAfee a Leader for third consecutive year
CASB RFP Template: 200+ Common Questions Enterprises Are Asking
9 Cloud Computing Security Risks Every Company Faces
Office 365 Security Concerns: Download Definitive Guide to Office 365 eBook
51 AWS Security Best Practices