According to a recent Cloud Security Alliance survey, "33% of companies have a 'full steam ahead' attitude toward the cloud and another 41% of companies are moving with caution." The survey, which canvassed over 350 companies across all major verticals, was conducted by the cloud visibility company Skyhigh Networks and published in Skyhigh's third quarter "Cloud Adoption and Risk Report."
The study suggests IT is actively working to address the dangers and the inevitability of exposure to new and increasingly popular cloud applications like CloudMagic, Todoist, and LastPass (showing, respectively, 224%, 135%, and 121% growth rates in active users in the last quarter).
For those firms still hemming and hawing about cloud adoption -- well, their employees aren't waiting for permission. Skyhigh finds employees are bringing cloud services to the workplace at an alarming rate, creating a shadow IT not under the supervision of IT, in some cases unknown to the department. A staggering 72% of IT professionals said that they "did not know the scope of shadow IT at their companies but wanted to know."
Unsecured services, including file-sharing programs and video-streaming applications, put an organization’s sensitive data at risk of malware, compromised accounts, and insider threats. Many cloud services have questionable terms and conditions that do little to protect an end-user's data and can be in direct violation of corporate data security policies. In some cases, the terms and conditions statement, which is as absentmindedly agreed to by users as an iTunes agreement, gives the provider rights to sell user information and turn a profit.
Companies are also concerned about insider threats. Employees preparing to leave a company may download sensitive data, such as a client list or source code, and send it to outside apps before leaving. Those with more malicious purposes may be supplying information to the media or hackers. Others may just be careless about where they upload and share their data. These security risks are harder for IT to detect when they occur outside the company's firewall.
According to Skyhigh's study, only 24% of financial service companies reported insider threat incidents in the last year. But anomaly detection data shows that figure falls short of reality: 86% of companies actually experienced an insider threat in the last quarter alone.
The fight for financial services
The average number of cloud services in use by a company across verticals rose from an already daunting 738 services in the second quarter to 831 services in the third quarter. Within the financial services vertical the average is even higher, coming in at 844.
Skyhigh found roughly 80% of the financial service data is uploaded to 14 cloud services. Cisco WebEx took the clear lead, with 22% of all data in the cloud.
On one hand, this can be considered helpful for IT, which can concentrate security efforts on those names. On the other, the long tail of cloud services presents a headache to track and manage.
[Skyhigh Networks found financial service employees ranked second-riskiest users of cloud services.]
Like a game of whack-a-mole, if a company chooses to block access to a service with a firewall or proxy, it incentivizes users to seek alternatives. As the more popular names are blocked, employees begin choosing from lesser known and even less secure services, aggravating the security situation.
IT is left in a difficult position of compromise: Secure corporate data while pragmatically addressing the reality of employee behavior. It explains why, across verticals, "49% of IT professionals say they’ve been pressured into approving an app that didn’t meet their company’s security requirements."
Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...