A study released today by cloud security startup Netskope reinforces what CIOs already know: Your business users are using a ton of cloud apps, many of which are unknown to your IT department and three quarters of which are not — repeat, are not — enterprise-ready. Another turn of the screw? All this rogue IT will potentially cost you — big time. The study estimates that the use of cloud services by the business increases the likelihood of a data breach three-fold.
“It is not time to run for the hills, it is not time to build a bunker and move all your data underground, it is just time to embrace reality: that shadow IT is alive and well,” Jamie Barnett, vice president of market data at Netskope, said.
Conducted by the Ponemon Institute, the independent study surveyed 613 U.S. IT and IT practitioners who identified themselves as familiar with their company’s use of cloud services. From the study:
- Respondents believe 45% of all software applications used by organizations are in the cloud, but exactly half (22.5%) of these applications are not visible to IT.
- Respondents estimate that 36% of business critical apps are based in the cloud, yet IT lacks visibility into nearly half of them.
While about half of respondents (51%) said that their company’s in-house IT services were “equally or less secure” than cloud-based services, 66% also said their organization’s use of cloud resources does diminish its ability to protect confidential or sensitive information.
Nearly two-thirds (62%) of respondents believe the cloud services used by their organization are not thoroughly vetted before deployment. More than two-thirds (69%) of respondents believe their organizations are not proactive in assessing information that is too sensitive to be stored in the cloud.
Impact of rogue cloud services on likelihood of breach
This laissez-faire governance exacts a high price, according to the study. A May 2014 study by Ponemon established a cost of $201.18 per lost or stolen customer record. When survey respondents were asked how the current use of cloud services at their companies might affect the probability of a breach, their answer was that it triples it. From the study:
- Respondents estimated that every 1% increase in the use of cloud services will result in a 3% higher probability of a data breach. This means that an organization using 100 cloud services would only need to add 25 more to increase the likelihood of a data breach by 75%.
And when a data breach happens, don’t expect much help from your cloud provider.
- Almost three-quarters (72%) of respondents believe their cloud service provider would not notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information, and 71% believe they would not receive immediate notification following a breach involving the loss or theft of customer data.
Here’s what will hike up the cost of a data breach
Not all data breaches are created equal when it comes to monetary damage. Certain activities can drive up the cost of a breach. The cost of lost or stolen customer information rises when:
- An organization increases the backup and storage of sensitive and/or confidential customer information in the cloud (which can cause the most costly of breaches),
- An organization expands its primary cloud services too quickly and experiences financial difficulties,
- An organization increases its use of cloud infrastructure services (IaaS).
The cost of lost or stolen confidential business information and high-value IP rises when:
- An organization uses Bring Your Own Cloud (BYOC) — which results in the most costly of breaches involving high-value IP,
- An organization increases backup and storage of sensitive or confidential information in the cloud,
- An organization’s primary cloud provider fails an audit that concerns its inability to securely manage identity and authentication processes.
So what can CIOs do to stop a costly data breach from happening? There is no guaranteed solution yet.
But despite this risky behavior by some of your employees, Sanjay Beri, CEO of Netskope, advises that CIOs not “shut your end users down even when they perform these risky activities…. In 99% of the cases, they’re not malicious people. They’re just doing things because they don’t know better.”
Instead, Beri encourages CIOs to investigate what is really going on with cloud app usage in their company, put policies and rules into place, and coach employees on safe usage of cloud apps.
Let us know what you think about the story; email Kristen Lee, features writer, or find her on Twitter @Kristen_Lee_34