Broadly shared files represent a high security risk for organizations, as 1 in 10 contain sensitive corporate data, Blue Coat’s Shadow Data Report for the second half of 2015 reveals.
According to the report (PDF), many organizations are not aware of the fact that 26 percent of documents shared in cloud services are broadly shared. Employees are increasingly using cloud apps to share information within the organization and with partners and customers, which creates a threat otherwise known as “Shadow Data”.
Shadow data includes sensitive information uploaded and shared via cloud apps without prior consent from the IT security team. This information puts corporate data at risk, especially when it comes to broadly shared documents, which are accessible to any employee within the organization, as well as to contractors and partners, and which can sometimes be publicly accessible via search engines.
According to Blue Coat, the concept of Shadow Data is different from that of Shadow IT, which involves the use of IT systems and applications, including SaaS apps, without the knowledge or consent of a company’s IT department. According to a recent study from Cisco, large enterprises use on average 1,220 individual public cloud services, 25 times more than IT professionals estimate.
According to Blue Coat’s report, compiled by Elastica’s Cloud Threat Labs team, one in ten broadly shared documents contains sensitive data or information that is subject to compliance regulations. The researchers found that 48 percent of such sensitive data included source code, 33 percent included Personally Identifiable Information (PII), and 14 percent contained Protected Health Information (PHI), while 5 percent included Payment Card Industry (PCI) data.
The study, which analyzed 63 million enterprise documents within leading cloud applications, including Microsoft Office 365, Google Drive, Salesforce, Box and others, found that 23 percent of documents were shared publicly, meaning that anyone with a link could access them.
Researchers also found that PHI dominates the healthcare and pharmaceutical industries, accounting for 52 percent of all sensitive documents. Last month, Verizon’s 2015 Protected Health Information Data Breach Report revealed that 90 percent of industries are affected by patient data breaches, although most organizations are not even aware of that.
Shadow data poses significant financial risks to enterprises, and Elastica estimates a $1.9 million potential financial impact on the average organization from the leakage of sensitive cloud data. The potential impact reaches as high as $12 million when it comes to healthcare organizations, and tops $5.9 million when it comes to the education sector, Blue Coat says.
According to the report, 2 percent of cloud users were responsible for all data exfiltration, data destruction, and cloud account takeover attempts detected. The study also revealed that data exfiltration was the most serious threat when shadow data was involved, at 77 percent, with data destruction and account takeover following at 17 percent and 6 percent, respectively.
The most commonly used method for data exfiltration was anomalous frequent sharing, at 41 percent, followed by anomalous frequent emails Sent, at 18 percent. Anomalous frequent previews made it to top three with 3 percent, with Blue Coast suggesting that users might be taking screenshots of sensitive data and share these instead of the actual documents.
When it comes to the most popular cloud business applications, Microsoft Office 365 landed at the top in the second half of 2015, followed by Twitter and YouTube. LinkedIn, Google Apps, Salesforce, AWS, Dropbox, Skype, and Box round up the top 10.
The analysis also revealed that companies now have, on average, 812 cloud applications running, which marks an increase from the 774 applications spotted half a year ago. Microsoft Office 365 was the leading collaboration and sharing app in the six-month period, followed by Google Apps, Dropbox, Box, and Evernote.
To improve their security in the shadow data segment, enterprises should start by identifying risky apps, thus ensuring that employees use only secure cloud apps and services. Additionally, companies can educate employees on the security risks of indiscriminately sharing documents both within the organization and with external stakeholders, and can employ a full-function CASB solution that provides them with visibility into cloud-shared data, to know exactly what needs protected.