We’ve been talking lately about the multiplier effect of cloud in relation to data breaches. The cloud introduces new dynamics in enterprise IT, including massive cloud app growth, much of it outside of the purview of IT; mobile and BYOD access to cloud apps; and cloud-specific capabilities like sharing, which make it easy for content to get out of an enterprise’s control. Each of these dynamics could be considered a multiplier, or something that increases the probability of a data breach. To take the pulse of the market and quantify this idea, we asked the Ponemon Institute, a foremost expert in data breach research, to conduct a study on the topic. Today we released the results of that study, a first-of-its-kind report called “Data Breach: The Cloud Multiplier Effect.”
The study, which is based on a survey of 613 IT and security professionals, finds that increasing use of cloud services can increase the probability of a $20 million data breach by as much as 3x. It also revealed other key findings, including:
- 36 percent of business-critical applications are housed in the cloud, yet IT isn’t aware of nearly half of them;
- 30 percent of business information is stored in the cloud, yet 35 percent of it isn’t visible to IT; and
- For every 1% increase in the use of cloud services, there is a 3% increase in the probability of a data breach.
Is the end nigh? No. There’s a way to re-write this story. As we get smarter in our use of the cloud, we are also getting smarter about what the risks are and how to deal with them. Here are a few ideas:
First, figure out what cloud apps are in your environment and how enterprise-ready they are. This is a big step toward mitigating risk of a data breach because you know what you’re dealing with and can triage the most important apps first. These important apps may include: 1. Systems of record or at least business-critical apps. This could be your salesforce automation, renewal and billing, or salary and performance tracking app, to name a few; or 2. Apps that contain sensitive data, such as a big data app that you use to crunch medical clinical trial results, a business intelligence app that has your company’s non-public financial information, or a software development app that contains your source code, roadmap, and bug queue. Did you know that, in addition to being apps that contain sensitive data, each of these is an example of an app that enables sharing?
Second, beyond discovering apps and understanding their risk, it’s critical to know how those apps are being used and what data are in them. Answering questions such as “Who’s uploading ePHI to any cloud app?,” “Is anybody downloading PII to a mobile device?,” and “Who’s sharing sensitive content outside of the company?” will give you a huge leg up on the problem. Once you know, you can address the issues, whether by having a conversation with users or the line-of-business owner, blocking an activity like sharing outside of the company via policy, or encrypting certain data when it is uploaded to the cloud.
Finally, get support. We have a tremendous resource in the Cloud Security Alliance. If you are a big cloud user, join this organization. Check out their Cloud Controls Matrix as one way to evaluate apps. And reach out to your vendors. We have a treasure trove of best practices from customers who have experienced similar challenges.
Are data breaches serious business? Absolutely. Can cloud have a multiplying effect on the probability of a data breach? According to the respondents in this survey, yes. Is the sky falling end nigh? Definitely not. Between understanding your cloud app environment, reaching out for a little help from your friends, and charting your course, you can offset the cloud risk multiplier. You got this.