What do you think is the greatest risk to the security of your cloud-based applications and data?
If you answered hackers and cyberattacks from outside your organization, you would be wrong. While threats from criminals who want to steal your data are always a concern, and you should do everything you can to ensure cloud computing security and protect the information your network contains, the biggest threat to your cloud security comes from the inside. Your employees and the way they access, transfer and store data pose a greater danger to security than the shadowy, nameless criminals that we’re all worried about.
“But we train employees in security!” you might be thinking. “Everything is password protected. We have policies. Employees understand the importance of keeping everything protected.” That may be true. However, the average employee does not have a thorough understanding of IT security and may be doing things to put your networks and data at risk without even realizing it.
Common Security Risks
Today’s employees are under more pressure to complete more work, and complete it faster, than ever before. As a result, they expect to be able to work whenever and wherever they happen to be. Cloud computing functions have made this possible, but not all employees consider security when using the cloud. For example:
- Employees use non-approved applications or cloud storage services to store and transfer data. Many people use free email or storage services, such as Gmail or Dropbox, at home and don’t think twice about using them for work as well. They might email themselves some files to work on over the weekend, for example, not realizing that the security protocols for consumer-grade cloud services don’t adequately protect corporate data. The recent Heartbleed security flaw is a prime example of this: Many of the services affected by the security vulnerability were inappropriately used for corporate data, meaning thousands of people potentially exposed sensitive data as a result.
- Consumer services do not have adequate password controls. Employees using their personal accounts for work may not have the same password protection in place that an enterprise-level cloud service would have. Enterprise systems are more likely to employ two-factor authentication, for example, or strict password requirements. When using consumer systems, employees may use the same password that they use for other accounts, store their passwords or even leave the application open when it’s not in use, all of which endangers corporate data.
- Uncontrolled cloud applications could be noncompliant. Some industries, including finance and health care, have strict compliance regulations regarding data protection. When an employee uses a consumer cloud application for work data, he or she could be unintentionally putting the company out of compliance. Some cloud services store data outside of the U.S., for example, or do not have the required security protocols in place. If a breach occurs, an innocent file transfer in the name of productivity could lead to big fines and other problems.
- Consumer cloud applications do not always have adequate encryption. Again, compliance standards may dictate that data be encrypted during storage and transit. If the information is on an unauthorized consumer application, it may not be encrypted properly, creating a substantial risk for unauthorized access.
Addressing the Problem
So what is the concerned IT security team to do? Employees expect to be able to access their work on the go, and most will continue to use unapproved applications despite the warnings if there aren’t any viable alternatives.
Experts say the solution lies largely in education. Employees need to be educated on the risks of using inappropriate cloud services. There also need to be strict policies in place regarding acceptable use, with clear consequences for violating the policy. Many organizations are reluctant to “crack down” on rogue cloud applications, out of fear of creating employee dissatisfaction or more serious problems, as employees look for ways to circumvent the rules.
Instead, businesses are employing cloud security protocols or developing their own internal cloud solutions to control access to applications. According to one survey, nearly 40 percent of companies have taken this approach, developing solutions that allow employees to access the data they need while still adhering to important security standards.
In almost every case, employees are not using unapproved cloud services maliciously but are simply trying to get work done and stay productive outside of the office. Intentions aside, the problem remains, and corporate security teams need to address the issue of inappropriate cloud usage before they experience a costly breach.