One in ten files shared within cloud applications is exposing sensitive or regulated data to potential compromise, according to an analysis of cloud file-sharing that placed the average potential losses from unmanaged 'shadow IT' at some $1.9m per organisation.
That figure was as high as $5.9m for education providers and $12m for healthcare providers, security provider Blue Coat Systems’ Elastica subsidiary calculated based on its analysis of some 63 million documents stored within cloud applications such as Microsoft Office 365, Google Drive, Salesforce.com, Box, and others.
The analysed documents included information such as source code (in 48 percent of cases), personally identifiable information (PII) (33 percent), protected health information (PHI) (14 percent), and payment card industry (PCI) data (5 percent).
Education and healthcare institutions were particularly exposed, the 2H 2015 Shadow Data Report found, due to “the large number of documents stored by educational organisations and the preponderance of PHI data in the healthcare industry.... Leakage of PHI documents is potentially more devastating than the leakage of PII or PCI data as it often includes a richer source of data that can be exploited for phishing and other social engineering attacks.”
Large healthcare organisations have suffered numerous breaches in recent years: healthcare provider Premera, for example, lost personal data on 11 million customers in an attack last year that was said to have been perpetrated by the same group that previously stole 78.8m records from healthcare giant Anthem and 21.5m records from the US Office of Personnel Management.
While those attacks were perpetrated by experienced hackers who had targeted their victim organisations, the figures – from Blue Coat's recently acquired Elastica Cloud Threat Labs team – highlight the additional risk from unmanaged employee use of cloud-based applications, which has increased from an average of 774 apps per organisation last year to 812 apps now.
As well as exposing organisations to direct security threats due to loss of control over their documents, cloud platforms tended to foster broad sharing of documents in ways for which they may not have been authorised.
Some 26 percent of documents stored in cloud apps are “broadly shared”, the analysis warned, noting that this sharing may variously make sensitive documents accessible to large numbers of employees as well as outside contractors, partners, and the Web at large. Some 23 percent of the documents analysed were shared publicly, allowing anybody with a link to access them.
Analysis of cloud-app usage suggested that many users are taking screenshots of sensitive data and sharing them far and wide – a conclusion reached by noting the “anomalous frequent previews” of documents in 3 percent of observed cases.
File sharing was fingered in 41 percent of cases where shadow-IT tools were threatening security, while email sending was noted in 18 percent and “frequent downloads” in 15 percent of cases.
The Blue Coat analysis also found that just 2 percent of cloud users were responsible for “all data exfiltration, data destruction, and cloud account takeover attempts detected” – showing the importance for organisations to be able to identify those users and remediate their security exposure.
Better staff training was identified as one of three key security tips for companies concerned about their shadow-IT exposure; the other two were in identifying risky apps – which allows CSOs to “make smart choices regarding which apps to sanction” – and in visualising data by drilling down into discovered documents to analyse them and the business risk that their sharing presents.
Tools for monitoring shadow IT usage often elude businesses – particularly smaller ones with limited resources. Aiming to resolve this, Elastica recently began offering its auditing tools to Telstra, which is rebundling the services for provision to its managed security services customers.
Participate in CSO and Gigamon's survey on Security Priorities today!
Go into the draw for a chance to win an Apple iWatch Sports or the equivalent of $500 Visa Cashcard.For full terms and conditions click here.