Broad use of cloud services leaves enterprise data vulnerable to theft, report says

Workers excessively sharing documents in the cloud is a security problem. IT needs to get more on top of it, a new report says.

Computer and email usage policy

Data theft is a very real and growing threat for companies that increasingly use cloud services, says a security firm.

Workers who widely share documents stored in the cloud with clients, independent contractors, or even others within the company are creating a Swiss-cheese of security holes, a study by Blue Coat Systems has found.

In some cases, cloud documents were publicly discoverable through Google searches, the researchers say of their analysis.

'Broadly shared'

The study found that 26% of documents stored in cloud apps are shared so widely that they pose a security risk. Compounding the issue is that many organizations aren't even aware of it.

"Equally alarming," says Blue Coat in a press release, is that it reckons its research shows that 10% of documents "shared broadly are sensitive and or are subject to compliance regulations."

That data includes source code (48%), Personally Identifiable Information (33%), health information (14%), and Payment Card Industry data (5%).

Financial risk

The study estimated that the "potential financial impact on the average organization from the leakage of its sensitive cloud data was $1.9 million."

The study was conducted by Elastica, a cloud app security company that Blue Coat acquired in 2015. To carry out the study, Elastica used its own cloud security program to get "insights" into "63 million enterprise documents within leading cloud applications, including Microsoft Office 365, Google Drive, Salesforce, Box and others," Blue Coat says.

Elastica specializes in "shadow" data security, otherwise referred to as "shadow IT." That's the data that employees store in the cloud through services which an enterprise IT department do not necessarily control, support, or even know about.

The detail

However, not only the organizations with shadow IT are vulnerable to the risks.

Theft of data (also called data exfiltration), data destruction, and account takeover were the three principal threats facing enterprises that use both unsanctioned and also agreed-upon cloud apps, the report said. Elastica found that data exfiltration was the most prevalent threat.

How it's done

Anomalous frequent sharing, downloading, and previewing of the documents are allowing the theft to take place. Previewing might make data vulnerable to being captured through screen shots while it's on the screen, for example.

Frequent sharing is the worst, they found.

The company includes both hackers and users as culprits, and emphasizes that it's the indiscriminate sharing internally and externally that's the main problem.

Who's doing it?

Not all users are responsible for the leaks.

"Two percent of cloud users were responsible for all data exfiltration, data destruction, and cloud account takeover attempts detected," the study found.

"The more broadly documents are shared, the higher the likelihood that someone they don't know or trust will delete or leak data," the report says.

What to do?

And IT needs to get more on top of the broad use of cloud services.

"IT should increase their own knowledge and insight into what documents their employees are sharing and how broadly they are being shared," the report continues.

Indeed, the consensus from the report isn't to simply lock down documents on in-house servers, but to use the cloud with appropriate cloud monitoring security. It also just so happens that Blue Coat's Elastica can conveniently supply these services, it explains in its press release.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2016 IDG Communications, Inc.