The Cloud Multiplier Effect on Data Breaches
June 4, 2014 | Leave a Comment
by Krishna Narayanaswamy, Chief Scientist at Netskope
All of the things we love about cloud and SaaS apps can also put us at risk of a data breach. First, we love that we can get our favorite apps quickly and easy without having to answer to anyone. This leads to massive app growth, usually of inherently low quality and un-secured apps, and often outside of the purview of IT and security teams. Second, we can get access to our favorite apps from any device. And each of us often does from three or more devices. This increases the surface area of a potential breach. And finally, today we can share content to and from those apps with greater speed than ever before, which means it’s easy for content to get out of our control. Each of these examples can be thought of as multipliers, or factors that can increase the probability of a data breach.
To take the pulse of the market and quantify this idea, we asked the Ponemon Institute, a foremost expert in data breach research, to conduct a study on the topic. Today we released the results of that study in a first-of-its-kind report called “Data Breach: The Cloud Multiplier Effect.”
The study, which is based on a survey of 613 IT and security professionals, finds that increasing use of cloud services can increase the probability of a $20 million data breach by as much as 3x. It also revealed other key findings, including:
- 36 percent of business-critical applications are housed in the cloud, yet IT isn’t aware of nearly half of them;
- 66 percent of respondents believe that their organization’s use of the cloud diminishes their ability to protect sensitive or confidential information; and
- 72 percent of respondents don’t believe that their cloud service provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information.
Does this mean we should pick up our marbles and go home when it comes to cloud? Not even, and I would submit that there are some pretty simple things we can do to mitigate this multiplier effect. Here are four:
The first is to figure out what apps you have and prioritize them by the extent to which they house, or can be a gateway to, sensitive content.
Second, get support. The Cloud Security Alliance is a great resource, and lives and breathes issues like this. The Cloud Controls Matrix is a great starting point for how to think about apps and their inherent risk.
Of course, inherent risk is one dimension. So a third is to think about usage. Which of your top apps enable downloading? Sharing? Probably more than you think. We have noticed in the Netskope Active Platform that people share in app categories ranging from software development to business intelligence to CRM. Sharing content isn’t just something that happens in cloud storage/file sharing apps.
The fourth is to triage. Build a sequenced plan, or roadmap. Tackle the most critical things first. Like that software development app that has a zillion users and also happens to be rated “high risk.” Yeah, the one that houses your source code, roadmap, bug queue, agile sprint project plan, and internal engineering discussions. Or that CRM app in which your customer service professionals are mistakenly entering your company’s customers’ electronic personal health information.
So, yes, data breaches are serious business, and if the 613 respondents to the Ponemon Institute survey are right, cloud creates a multiplier effect that can as much as triple the expected economic impact of a breach. But there is a way forward, and it’s very do-able.