The complexities and subtleties of cyber-security continue to grow—and, unfortunately, enterprise business and IT leaders aren’t keeping up. According to Gartner, 95 percent of cloud breaches are the fault of the enterprise rather than the service provider.
However, a new report from cloud enablement and security vendor Skyhigh Networks, Cloud Adoption and Risk Report, delivers a deeper dive into the topic. Overall, 58 percent of sensitive data stored in the cloud is in the form of Microsoft Office documents and another 19 percent is PDF files. These files are commonly stored on a mix of commercial and consumer services such as Box, Dropbox, Evernote, Google Drive, OneDrive, and SharePoint Online.
One of the key problems is data oversharing: slightly under 16 percent of all documents that employees upload to cloud-based file sharing services contain sensitive information. These files can be exposed externally with only a click or two.
The problem doesn’t stop there. The study, based on analysis of 23 million users and 2 billion unique transactions worldwide, found that a whopping 28 percent of employees have uploaded a file containing sensitive data to the cloud and 13 percent of shared documents are accessible to all employees within an organization. Another 5.4 percent are accessible to anyone with a link.
Alas, security lapses and poor data protection practices are common, Skyhigh found. The average organization had 1,156 docs with “password” in the file name, 7,886 with “budget”, 6,097 with “salary”, 156 docs with “press release.” In one case, an employee uploaded 284 unencrypted documents containing credit card numbers to a file-sharing service.
Still another user uploaded 46 documents labeled “private” and 60 documents labeled “restricted” based on the company’s file classification system. A third uploaded 88 documents containing social security numbers.
Finally, the study discovered that cloud services are quickly becoming the tool of choice for exfiltrating corporate data. The average company experiences 9.3 cloud-based insider threat incidents each month; 5.1 incidents each month in which an unauthorized third party exploits stolen account credentials to gain access to corporate data stored in a cloud service; and
2.4 cloud-enabled data exfiltration events each month—with the average incident involving 410MB of data.
The upshot? CIOs and others that oversee security must tune into the subtleties of data and clouds and how employees put an enterprise at risk. Without proper protections, conditions can become stormy very quickly.