Bring Your Own Cloud (BYOC) can result in the most costly data breaches involving high-value IP, according to a new report commissioned by Netskope and conducted by Ponemon Institute. Forty-five percent of all software applications used by organizations are in the cloud, but only 22.5 percent are visible to IT.
The study, released on Wednesday, explores whether a data breach in the cloud can result in a larger and more costly incident. The cloud multiplier effect calculates the increase in the frequency and cost of data breaches based on the growth in the use of cloud and uncertainty as to how much sensitive data is in the cloud.
“If you look at most CIOs and CSOs today, they look around their company and they have this realization that the cloud is sort of permeated throughout their company,” Sanjay Beri, CEO of Netskope, tells the WHIR. “They also know that 90 percent of these apps are not brought in by corporate IT, they’re brought in by departments, individuals, groups and so on. At a high level, if you’re a CIO at a company this realization that the cloud is in your company and hasn’t got in through you or your normal controls or processes and so on, the question is really what do you do.”
Considering the cloud multiplier effect, the report shows that if a data breach involves the theft of high-value information, such as product designs, legal documents or source code, instead of an average cost of $2.99 million, the breach could cost as much as $4.16 million. Based on a data breach size of 100,000 or more compromised records (assuming each compromised record costs $201.80), instead of an average cost of $2.37 million, it could be as much as $5.32 million.
“We find that the average enterprise has over 400 cloud apps,” Beri says. “The customer isn’t just using Dropbox and Box and so on, they’re using 47 marketing apps on average, they’re using 27 cloud storage apps, and so the backdrop that our cloud report shows is that the cloud is all over the place in every company.”
This uncertainty comes as 62 percent of respondents report being unsure that cloud services are thoroughly vetted prior to deployment, and 69 percent believe there is a failure to be proactive in determining what information is too sensitive to be stored in the cloud.
Being proactive is something that Beri sees as an inevitability of the BYOC movement, and part of the changing approach to how enterprise IT security teams monitor cloud usage and sensitive data stored in the cloud.
“I think one of the things that we see coming up is enterprises and CIOs not only reacting to cloud usage but having a proactive policy on it,” Beri says. “I think people will be more on the front foot now and taking a proactive approach versus a reactive one. They know that every business application is spreading to every business unit.”
“In the past companies have just shut things down,” Beri says. “You can’t go in and say let me just shut down Dropbox. You can but even when you do people go find another cloud storage app. I think there’s a mentality change where it’s not about blocking applications, it’s about blocking risky behaviours.”
Aside from Netskope’s products, like Netskope Active, which offers real-time analytics and policies for any cloud app, solutions like FireLayers’ policy-based security platform are designed to help enterprise IT keep on top of cloud use in their organizations.
The report also shows mistrust in the security practices of cloud providers. Seventy-two percent of respondents believe that their cloud provider would not notify them in a timely manner if IP or business confidential data was lost, and 69 percent do not believe their cloud providers have the necessary security technologies in place.
For hosting providers, Beri says this study can help them understand how customers feel about the exposure cloud brings them. Hosts “need to take control of it and really take some security measures,” he says.
Jamie Barnett, VP of marketing at Netskope, says, “It’s helpful for hosting providers to understand what some of the risks are so they know what kind of enterprise-ready services they can be layering on top of their services to their app customers. Things like compliance services and security services that will help them not only mitigate the risks but also the cloud multiplier effect.”
“I never look at this study or our previous cloud reports and go ‘Oh no, we can’t do anything,’” Beri says. “The only thing you should take away is that enterprise IT needs to do something differently. They can’t just rely on their traditional solutions, they need to look at different solutions.”