Does it feel like you’re herding cats when it comes to managing app use within your organization? Well, you’re definitely not alone.
Our research revealed that, worryingly, 29 percent of respondents said they were aware employees use ‘some’ or ‘many’ unauthorized cloud apps within the business. Adding to that, 6 percent said they didn’t know what cloud apps were being used and 8 percent didn’t know how to answer the question. Combining these figures, that’s nearly half of respondents who either know for sure that employees are using unauthorized cloud apps, or have no idea whether they are… pretty depressing stuff.
With a ‘to do’ list that changes by the minute and is subject to the whims of employees and board members, it’s unsurprising that a quarter of respondents admitted they just don’t have time to police the use of cloud apps. This is despite 45 percent saying that when it comes to cloud app use, they are most concerned about security.
Only 21 percent of IT professionals in medium and large businesses felt sure they would comply with upcoming regulations, including the GDPR. That’s nearly 80 percent who are not confident of complying with the regulation in time, and 18 percent of our survey respondents said the topic of compliance ‘struck fear into their hearts,’ showing the scale of the regulatory challenge ahead for businesses.
The GDPR requires organizations actively to take measures to protect the data they hold. Companies won’t comply with the GDPR only through legal arrangements like policies, protocols and contracts. Rather, companies must take deliberate organizational and technical measures to ensure data protection and compliance in all areas. This is known as data protection by design, and goes beyond traditional security measures aimed at confidentiality, integrity and availability of the data.
The fact of the matter is that enterprise cloud apps just aren’t ready for the GDPR. The February 2016 Netskope Cloud Report found that 12.7 percent of cloud apps don’t support data portability requirements, and according to the regulation, this infringes on the rights of data subjects.
Additionally, our Cloud Report found that 43.2 percent of cloud apps keep data for longer than one week upon termination of service, going against the GDPR requirement that personal data must be deleted as soon as the purpose of use is no longer present. These two statistics alone point to the significant volume of work that lies ahead for enterprises, as well as the cloud app vendors that serve them.
Still with us? Good! Because the point of all this is that it’s one thing spouting data points highlighting the scale of the problem, and proving you’re in the same boat as others. But that’s not going to make the problem go away, or make you feel any better about it, is it?
Feeling depressed and helpless about this situation stems from a catch-22: you find yourself trapped between concerns about ensuring compliance, and at the same time you’re facing pressure from users who continue to rely on cloud apps. You’re stuck between a rock and a hard place.
Controlling and securing data in cloud apps will be absolutely central to GDPR compliance, so managing the organization’s interactions with the cloud is a good place to start. This can be achieved by:
- Discovering and monitoring all cloud applications in use by employees;
- Knowing which personal data are processed in the cloud by employees – for example, customer information such as name, address, bank details, or other forms of personally identifiable information (PII);
- Securing data by setting up policies that ensure that unmanaged cloud services are not being used to store and process PII. The policy should be granular enough to stop the unwanted behavior while allowing compliant use of the cloud to continue;
- Coaching users to adopt the services you provision or sanction, and
- Using a cloud access security broker (CASB) to assess the enterprise-readiness of all cloud apps and cloud services to ensure that all data are protected when in transit or at rest.
So, more broadly speaking, how can you get to a better place when it comes to managing cloud apps effectively within your organization?
Step 1: Just let it go – you’re doing the best you can, with the resources you’ve been given, so let’s put things into context. You’re aware of the issue, which is more than many, and getting started is a big part of the battle – a journey of a thousand miles begins with a single step, as they say.
Step 2: Talk to the board – close any disconnect that exists between you and the board’s understanding of cloud app use within the enterprise. Make sure you pitch it at the right level. Too little detail, and the board could feel you’re pulling the wool over their eyes. Too much, and you could be met with blank expressions. What’s important is for them to understand that employees are seeking out and using lots of “useful tools” on a daily basis, leading to “app sprawl”. The Board’s knee-jerk reaction may be to tell you to block all cloud apps, but what’s important is to educate them on the business benefits these apps can deliver. Blocking them would result in disgruntled employees and a potential loss of talent from the organization. In addition, cloud apps can in fact drive collaboration, enable better business decisions and optimize business process and workflow.
Step 3: Talk to your employees. You want security, they want to use apps, so find out what apps they want to utilize, coach them on how to use them safely and fully explain why policies are being put in place. Only by involving them in this process will you ensure buy-in, engagement and understanding.