Cloud services are weak link in enterprise security
Sun 27 Apr 2014
More than 9 out of 10 of the 588 different cloud services used by the average European enterprise pose medium to high security risks, according to a report from security and governance firm Skyhigh Networks.
In its new survey the firm reported that European enterprises used an average of 588 cloud services with just 9% providing enterprise-grade security capabilities and the remaining 91% posing a risk.
From a data privacy and data residency perspective, only 1% of the cloud services used offer enterprise-grade security capabilities and store data in Europe’s jurisdictional boundaries. The remaining 99% either store data in countries where data privacy laws are less stringent or don’t have enterprise-grade security capabilities, or both.
It warned that shadow IT is “widespread and uncontrolled” and is 10 times more prevalent than companies assumed.
Key findings from the report include:
- On average, a European organisation has 588 cloud services in use, compared to 626 in the U.S.
- Of the 2,105 cloud services used, only 9% provide enterprise-grade security capabilities, and 72% store data in the US.
- Only 12% encrypt data at rest, 21% support multi-factor authentication, and 5% are ISO 27001 certified.
- Among the Top 10 services in each category, only 5 of the 30 cloud services are headquartered in Europe. 25 of the top 30 providers are based in countries (US, Russia, China) where the privacy laws are non-existent compared to Europe.
- Less than 1% of the 2,105 cloud services offer enterprise-grade security capabilities and store data within Europe’s jurisdictional boundaries.
- Except for 1, all of the Top 10 business services store data outside of Europe’s jurisdictional boundaries.
- 49 different services in use are tracking the browsing behaviour of employees on the Internet. This exposes organisations to the increasingly prevalent watering hole attack.
“Cloud services certainly enable agile, flexible, and efficient businesses, and employees should be encouraged to use services that best suit their working style and enhance their productivity,” said Rajiv Gupta, CEO of Skyhigh Networks.
“However, it is evident from this study that too many employees are still unaware of the risks associated with some cloud services, and could even be jeopardising the overall security position of their organisation. Of the services that we analysed, 72% stored data in the US – which could have legal and compliance implications for certain organisations in Europe.
“The bottom line is that businesses need to get smarter about the cloud. IT needs to develop a greater understanding of the cloud services in use and the risk they present, and play a leadership role in educating users and guiding the organisation to securely embrace the cloud.”
Charlie Howe, EMEA director of Skyhigh Networks, is leading the company’s expansion into Europe. “Europe is facing something of a crossroads with regard to cloud adoption and security,” said Howe. “The discrepancy between the perceived and actual number and risks of services in use at each organisation is worrying to say the least.
“CIOs need to get a better grip on this if they are to avoid the huge reputational and financial repercussions of poor data security. While blanket bans on cloud services were once the only option, CIOs now have the tools and services that will enable them to empower employees to use the cloud services that grow the business while ensuring compliance with internal and external data privacy, security, and governance policies.”