Over the past several years, there have been numerous high-profile data breaches of cloud providers that have impacted millions of users, including LastPass (7 million users), LinkedIn (117 million users), VK (100 million users), and Yahoo! (500 million users). Due in part to these breaches, concern about security remains the number one barrier to enterprises adopting cloud services. However, while hackers who gain access to the backend systems of cloud providers may generate headlines, most corporate data loss in the cloud can be traced to malicious or careless insiders. Here are the top five user actions that lead to data loss in cloud services.
Through 2020, 95 percent of cloud security failures will be the customer’s fault
1. Malicious or careless insiders download data from a secure corporate-sanctioned cloud service and then upload the data to a high-risk shadow cloud service
This is the most common source of data loss via cloud services. Enterprise-grade cloud providers such as Box, Microsoft, and Salesforce have made significant investments in the security of their platforms. They also offer favorable legal terms demanded by enterprises. Namely, they do not claim ownership of data that customers upload to the service, they delete data on account termination, and they do not share customer data with third parties. However, just 8.1% of cloud providers offer enterprise-grade security and compliance. Employees who use high-risk services for convenience often don’t realize the risk they pose to corporate data.
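An added example, not part of the original article: one way to surface the pattern described above is to correlate activity logs so that a file downloaded from a sanctioned service and then uploaded to an unsanctioned one by the same user is flagged. The service names, the 24-hour window and the event records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumptions for illustration: the sanctioned list, the window and all events are constructed.
SANCTIONED = {"box", "office365", "salesforce"}
WINDOW = timedelta(hours=24)

EVENTS = [
    # (timestamp, user, action, service, content hash of the file)
    ("2017-03-01T09:00:00", "alice", "download", "box", "aa11"),
    ("2017-03-01T09:20:00", "alice", "upload", "freefileshare.example", "aa11"),
    ("2017-03-01T10:00:00", "bob", "download", "salesforce", "bb22"),
    ("2017-03-01T10:05:00", "bob", "upload", "office365", "bb22"),    # sanctioned to sanctioned
    ("2017-03-01T11:00:00", "carol", "download", "box", "cc33"),
    ("2017-03-03T12:00:00", "carol", "upload", "freefileshare.example", "cc33"),  # outside window
    ("2017-03-01T13:00:00", "dave", "upload", "freefileshare.example", "dd44"),   # no prior download
]

def find_shadow_uploads(events, sanctioned=SANCTIONED, window=WINDOW):
    """Return (user, file_hash, source, destination) for each file downloaded from a
    sanctioned service and uploaded to an unsanctioned one by the same user within `window`."""
    downloads = {}   # (user, hash) -> (time, service) of the latest sanctioned download
    findings = []
    for ts, user, action, service, digest in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        key = (user, digest)
        if action == "download" and service in sanctioned:
            downloads[key] = (when, service)
        elif action == "upload" and service not in sanctioned and key in downloads:
            got_at, source = downloads[key]
            if when - got_at <= window:
                findings.append((user, digest, source, service))
    return findings

if __name__ == "__main__":
    for finding in find_shadow_uploads(EVENTS):
        print(finding)
```

Matching on a content hash misses files that are edited or re-compressed before upload, so a match is a lower bound on this behavior.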
2. An employee downloads corporate data from an enterprise cloud service to an unmanaged personal device that lacks appropriate endpoint security controls
Skyhigh’s usage data finds that 15.8% of files in corporate cloud services contain sensitive data. The question is increasingly not whether this information can be stored in enterprise-grade cloud services, but rather how to prevent that data from leaving IT control. Corporate BYOD programs have unleashed user productivity by allowing employees to log in to corporate cloud services remotely via personal computers and mobile devices. However, when corporate data is downloaded to unmanaged devices without appropriate endpoint security (e.g. remote wipe, strong device PIN) in place, that data is now at risk. If the user looks away for a moment at a coffee shop, the device could be stolen and corporate data along with it.
3. Privileged users of a cloud service change security configurations in ways that inadvertently weaken security or access corporate data outside their role
While less common than threats from regular users, privileged user threats can be especially damaging due to the high level of permissions these individuals have within corporate cloud services. Slightly more than half (55.6%) of enterprises experience at least one privileged user threat each month. These threats can include administrators changing security settings that inadvertently weaken security, but they can also include malicious activity. Edward Snowden is perhaps the most infamous example of a privileged user accessing data outside the scope of his role in IT. More common examples include the IT administrator snooping on executives’ data in order to make stock trades on insider information.
4. An employee shares data with a third party such as a vendor or partner via a personal email account or shared link that can be forwarded to others and not tracked
Cloud-based collaboration services have replaced email as the top method for sharing files with co-workers and business partners, especially large files that can’t be emailed. While the majority of collaboration occurs by inviting specific individuals within the enterprise or at business partners, some sharing cannot be traced to internal or authorized users. That includes 6.0% of files shared in the cloud that are shared with personal email accounts (e.g. Gmail, Yahoo), which makes it difficult to determine if the recipient is a legitimate user. Another 5.4% of files shared in the cloud are shared via links that can be forwarded to anyone. These links make it difficult to determine who is accessing sensitive data.
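An added example, not part of the original article: a sharing audit that sorts each share into the categories named above (internal, business partner, personal email account, forwardable link) and lists the sensitive files whose recipients cannot be traced. The domain lists, field names and records are constructed assumptions, not any provider's export format.

```python
from collections import Counter

# Assumptions for illustration: every domain, field name and record below is constructed.
CORPORATE_DOMAINS = {"corp.example"}
PARTNER_DOMAINS = {"partner.example"}
PERSONAL_EMAIL_DOMAINS = {"gmail.com", "yahoo.com"}
UNTRACEABLE = {"personal_email", "open_link"}

SHARES = [
    {"file": "roadmap.pptx", "sensitive": False, "recipient": "ann@corp.example", "link": "invite"},
    {"file": "contract.pdf", "sensitive": True, "recipient": "lee@partner.example", "link": "invite"},
    {"file": "payroll.xlsx", "sensitive": True, "recipient": "j.doe@gmail.com", "link": "invite"},
    {"file": "pricing.docx", "sensitive": True, "recipient": None, "link": "anyone"},
    {"file": "menu.pdf", "sensitive": False, "recipient": None, "link": "anyone"},
    {"file": "specs.zip", "sensitive": False, "recipient": "x@Unknown.example", "link": "invite"},
]

def classify_share(share):
    """Bucket one sharing record by how well its recipient can be traced."""
    if share["link"] == "anyone":      # forwardable link with no named recipient
        return "open_link"
    domain = (share["recipient"] or "").rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "internal"
    if domain in PARTNER_DOMAINS:
        return "partner"
    if domain in PERSONAL_EMAIL_DOMAINS:
        return "personal_email"
    return "unknown_external"          # named recipient at a domain nobody has vetted

def sharing_exposure(shares):
    """Return (count per bucket, sensitive files shared in an untraceable way)."""
    counts = Counter(classify_share(s) for s in shares)
    at_risk = [s["file"] for s in shares
               if s["sensitive"] and classify_share(s) in UNTRACEABLE]
    return counts, at_risk

if __name__ == "__main__":
    print(sharing_exposure(SHARES))
```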
5. Data in a sanctioned cloud service is lost via an API connection to an insecure and unmanaged cloud service
Cloud platforms such as Salesforce and Google G Suite incorporate many enterprise-grade security features. They also have thriving marketplaces of third-party apps that can be connected to them to enhance the value of their services. Not all of these third-party apps are secure. A common mistake made by users is granting an app permission to connect to sensitive corporate data in a secure cloud environment, making the third-party app the weakest link in their cloud cyber security. Sometimes applications that use your existing cloud accounts for sign-on require excessive levels of access to data. When Pokemon Go initially launched, users who signed in with their Google accounts provided full account access to the Pokemon app.