Sensitive enterprise data may be leaving the safety of our corporate networks at a much faster clip than we believed - with web based file sharing services a major contributor to data flight.
That’s the conclusion of a survey by the firm Elastica, which analyzed 100 million files shared on leading public cloud applications. According to the research, employees each stored an average of 2,037 files in the cloud. More concerning: fully 20 percent of the files that were “broadly shared” via file sharing services contained regulated data of one sort or another. The company put together a nice little infographic that highlights some of the larger findings.
Elastica found that files stored and shared outside the network frequently contained personally identifiable information (PII) governed by state data protection laws and industry standards like the Payment Card Industry Data Security Standard (PCI DSS). Records containing personal health information (PHI) governed by HIPAA was also common.
The Elastica survey is just the latest to highlight the threat to enterprise data that comes with increased employee mobility and the adoption of consumer-oriented products and services like DropBox and iCloud.
These services constitute a kind of “shadow IT” infrastructure that has become a leading source of heartburn for beleaguered IT departments and CISOs. Needless to say: the job of monitoring and staying on top of new collaboration platforms and hosted applications is daunting. Hosted applications may be adopted ad-hoc by departments, groups of users or even individual users without buy-in from the IT group (if you don’t want to hear the answer, don’t ask the question). In other cases, malicious actors within or outside of a company may quietly leverage such platforms to get access to protected data - pushing malware to corporate assets via cloud based shares.
According to Elastica’s survey, risky behavior isn’t widespread. A tiny fraction of all users - just 5% - accounted for 85% of “risk exposures” like sharing regulated data. Beyond that, fully 80% of incidents observed by Elastica were “accidental” sharing by the employee. Just 12% of incidents were attributable to an account takeover by a malicious actor, while 7% of incidents were the work of a disgruntled or rogue insider. Still, the damage caused by even a single malicious or compromised employee can be considerable.
What’s the solution? As Mike Pittenger noted in this blog last month, companies need to establish better control and management of sensitive information. Understanding what regulated and sensitive data exists on your network and where it lives is a first step. But data isn’t static, so companies need to establish a way to monitor that sensitive data over time, noting how it is used, who is using it, an under what circumstances.
About Paul Roberts
Paul Roberts is the founder and editor in chief of The Security Ledger. Paul has spent the last decade covering hacking, cyber threats and information technology security, including senior positions as a writer, editor and industry analyst. Most recently, he served as editor of Threatpost.com and a Security Evangelist for Threatpost’s corporate parent, Kaspersky Lab. Prior to that, Paul spent three years covering the enterprise IT security space as a Senior Analyst in The 451 Group’s Enterprise Security Practice, where he covered trends and technology developments in the security market, with a concentration in endpoint security.
More from the Digital Guardian Data Security Knowledge Base:
