In Skyhigh’s latest Cloud Adoption & Risk Report (download a free copy here) we analyzed the cloud usage of over 30 million employees at more than 600 enterprises worldwide. We found that across industries, organizations store an increasing volume of sensitive data in the cloud. All told, 18.1% of all documents uploaded to cloud-based file sharing and collaboration services contain sensitive information. With the significant investments enterprise-grade cloud providers have made in the security of their platforms, the question is increasingly not whether it is safe to store data in the cloud, but rather what security controls should be in place to protect that data in light of negligent or malicious use on the customer side. In fact, Gartner reports that, “Through 2020, 95% of cloud security failures will be the customer’s fault.”
Types of Sensitive Data
Overall, 18.1% of files uploaded to cloud-based file sharing and collaboration services contain sensitive data, which can be broken down into six categories:
- 4.4% of data is confidential (e.g. financial records, business plans, source code, trading algorithms, etc.)
- 3.9% of data contains personally identifiable information (e.g. Social Security numbers, tax ID numbers, phone numbers, date of birth, etc.)
- 3.2% of data is password protected, and most security solutions do not inspect it (e.g. password protected ZIP files, Excel spreadsheets, etc.)
- 2.7% of data is email (e.g. PST exports from Microsoft Outlook, individual EML messages, individual MSG messages, etc.)
- 2.3% of data contains payment information (e.g. credit card numbers, debit card numbers, bank account numbers, etc.)
- 1.6% of data contains protected health information (e.g. patient diagnoses, medical treatments, medical record IDs, etc.)
Many enterprises today have policies that are designed to prevent the unintended external disclosure of confidential data, personal data, payment data, and health data. Why is it risky to store password-protected files in cloud services? After all, they are password protected in the event they fall into the wrong hands. It turns out that the built-in password protection for ZIP files and Microsoft Office documents is not secure. Enterprise security solutions cannot scan their contents to enforce security and compliance policies, yet it is not challenging even for an unsophisticated attacker to break them open. Many commercially available password cracking tools on the internet do this today. Password protecting these files may, paradoxically, make them less secure.
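As an added example (not code from Skyhigh's report or product), a small Python check a DLP pipeline could run on uploaded files to flag the archives and Office documents it cannot inspect: an encrypted ZIP entry carries bit 0 of its general-purpose flag, and a password-protected .docx/.xlsx/.pptx is stored as an OLE2 container rather than the plain ZIP a normal OOXML file uses. The sample files are constructed inline in make_samples().

```python
"""Flag uploads a content scanner cannot inspect: encrypted ZIP entries and
password-protected Office documents. Sample inputs are constructed below."""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
# OLE2 compound-file magic; password-protected OOXML files are wrapped in an
# OLE2 container (EncryptionInfo + EncryptedPackage streams), not a plain ZIP.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXT = (".docx", ".xlsx", ".pptx")


def encrypted_zip_entries(data: bytes) -> list:
    """Names of ZIP entries whose general-purpose flag bit 0 (encrypted) is
    set. Walks local file headers directly, so a truncated upload still
    yields whatever headers can be read."""
    names, pos = [], 0
    while True:
        pos = data.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return names
        # local header: sig(4) ver(2) flags(2) ... name_len(2)@26 extra_len(2)@28
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        if flags & 0x0001:
            names.append(name)
        pos += 30 + name_len + extra_len


def classify_upload(filename: str, data: bytes) -> str:
    """Return 'encrypted-office', 'encrypted-zip', 'inspectable' or 'unknown'."""
    if filename.lower().endswith(OOXML_EXT) and data.startswith(OLE2_MAGIC):
        return "encrypted-office"          # OOXML name but OLE2 container
    if data.startswith(ZIP_LOCAL_SIG):
        return "encrypted-zip" if encrypted_zip_entries(data) else "inspectable"
    return "unknown"


def make_samples() -> dict:
    """Constructed inputs: a plain ZIP, the same ZIP with the encrypted flag
    bit set on its entry, and an OLE2 stub standing in for an encrypted .xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers")
    plain = buf.getvalue()
    flagged = bytearray(plain)
    flagged[6] |= 0x01                     # first local header starts at offset 0
    return {"plain.zip": plain, "secret.zip": bytes(flagged),
            "budget.xlsx": OLE2_MAGIC + b"\x00" * 504}


def scan(files: dict) -> dict:
    return {name: classify_upload(name, data) for name, data in files.items()}
```

A real pipeline would quarantine or block the "encrypted-*" verdicts and route "inspectable" files to the normal sensitive-data classifier.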
During the 2016 U.S. presidential election, numerous high-profile email hacks dominated the headlines. With employees exporting their mailboxes to local email archives and uploading them to cloud-based file sharing services, the threat surface for email expands. Another driver behind reining in rogue email archives has to do with electronic discovery. During a lawsuit, organizations are legally required to produce relevant documents to the court. The most requested type of material is email. With the proliferation of personal email archives across cloud services, the task of collecting this material becomes more time consuming and expensive. And data in the cloud is a few clicks from being shared with the wrong person.
Some data employees store in the cloud may not belong there at all, regardless of how secure the cloud service is. For example, it’s not uncommon for employees to keep their passwords in a document named something like “my passwords.docx” and upload it to a file sharing service. The average enterprise stores 1,739 files containing user passwords in file sharing and collaboration services. While using strong, unique passwords is a step in the right direction, most security experts would discourage storing a list of all your passwords in an unencrypted Word or Excel document, whether it’s on your computer or in a cloud service.
When Sharing is Erring
Cloud-based file sharing and collaboration services such as Box, Dropbox, Google Drive, OneDrive, and SharePoint Online are popular. While they initially offered users the ability to synchronize their files across devices, many of these services are now full-fledged collaboration platforms that enable users to share files and edit the same file with other people around the world in real time. In the most recent quarter, the percentage of files in these services that are shared hit an all-time high of 43.1 percent.
The most common way to share a file is by inviting another user at the same organization to access it. Of the 43.1% of files that are shared, 71.5% are shared with individual users in this manner. Another 28.3% are shared with an individual at a business partner – identified by the email domain of their account. It can be challenging to determine the recipients of 6.2% of sharing requests because they use personal email accounts (e.g. gmail.com, yahoo.com). The recipient could be a legitimate user or someone who mistakenly received an invite due to an autocorrect mistake. The average organization shares documents with 864 external domains.
For files that are shared externally (with business partners, personal emails, or publicly accessible online), 9.3% contain sensitive data. That’s lower than the overall average of 18.1% across all documents, but it shows that organizations need to educate employees about the risks of sharing certain types of data and enforce policies defining how and with whom it is appropriate to share sensitive content.