A first European ‘Cloud Adoption and Risk Report’ was released by Skyhigh Networks to coincide with the company’s move into the region. The report analyses usage data from more than one million users across more than 40 companies spanning financial services, healthcare, high technology, manufacturing, media, and professional service industries to quantify the use of cloud services and the security risk that they pose.
One finding was that enterprises used an average of 588 cloud services. Even if one were to ignore the EU data residency requirements, only 9pc of the cloud services in use provide enterprise-grade security capabilities, while the remaining 91 per cent (that is, more than nine out of ten) pose according to the cloud firm medium to high security risks to organisations. From a data privacy and data residency perspective, only 1pc of the cloud services in use both offer enterprise-grade security capabilities and store data in Europe’s jurisdictional boundaries. The remaining 99pc, either store data in countries where data privacy laws are less stringent or don’t have enterprise-grade security capabilities, or both.
Shadow IT
Much of the cloud adoption within European organisations occurs under the radar of the CIO or CISO – leading to a situation where shadow IT is widespread and uncontrolled. The ease with which cloud applications can now be consumed by employees means that there is often little consideration for the security implications or impact on wider business policies. When CIOs examine the use of cloud services across the organisation, they generally find shadow IT is 10 times more prevalent than they initially assumed.
Findings from the report include:
· Only 5pc of cloud services in Europe are ISO 27001 certified, posing compliance issues for those organisations unaware that their employees are using uncertified services
· 25 of the top 30 cloud services in the collaboration, content sharing, and file sharing categories were based in countries (United States, Russia, China) where the privacy laws are far less stringent compared to Europe
· 49 services in use are tracking the browsing behaviour of employees on the internet. This exposes organsiations to the increasingly prevalent watering hole attack
Rajiv Gupta, CEO Skyhigh Networks, said: “Cloud services certainly enable agile, flexible, and efficient businesses, and employees should be encouraged to use services that best suit their working style and enhance their productivity. However, it is evident from this study that too many employees are still unaware of the risks associated with some cloud services, and could even be jeopardising the overall security position of their organisation. Of the services that we analysed, 72 per cent stored data in the US – which could have legal and compliance implications for certain organisations in Europe. The bottom line is that businesses need to get smarter about cloud, and IT needs to develop greater understanding of the cloud services in use and the risk they present, and play a leadership role in educating users and guiding the organisation to securely embrace the cloud.”
Europe
Charlie Howe, EMEA director of Skyhigh Networks, is leading the company’s expansion into Europe. Skyhigh says it supports the entire cloud adoption lifecycle to identify services that are enterprise-ready. These risk ratings are part of Skyhigh’s CloudTrust, which was developed with the Cloud Security Alliance (CSA). The cloud firm says its Skyhigh Analyze identifies usage patterns to enable new cloud services, better manage subscriptions, and highlight anomalous user activity.
Howe said: “Europe is facing something of a crossroads with regard to cloud adoption and security. The discrepancy between the perceived and actual number and risks of services in use at each organisation is worrying to say the least. CIOs need to get a better grip on this if they are to avoid the huge reputational and financial repercussions of poor data security. While blanket bans on cloud services were once the only option, CIOs now have the tools and services that will enable them to empower employees to use the cloud services that grow the business, while ensuring compliance with internal and external data privacy, security, and governance policies.”
The full report, including ratings of the most popular cloud applications in each type of service, is available here: http://www.skyhighnetworks.com/wp-content/uploads/2014/04/Skyhigh-Cloud-Adoption-Risk-Report-EU-0414.pdf
