Security Gaps as European Companies Adopt Cloud Services

A study of companies within the European Union (EU) exposes a lack of readiness for EU data laws and shows organisations are struggling to enforce acceptable usage policies, says Skyhigh Networks.

The cloud visibility and enablement company has released its latest quarterly European Cloud Adoption and Risk Report, which analyses real-life usage data from 1.6m European users.

In Europe, the number of cloud services in use by the average company increased 23%, rising from 588 in the first quarter of 2014 to 724 in Q3. However, not all of these services are ready for the enterprise. The report found that only 9.5% of all services meet the most stringent security requirements including strong password policies and data encryption.

The report also reveals a lack of conformance to the EU Data Protection Directive, particularly with regard to the transfer of personally identifiable information outside Europe. Skyhigh found that 74.3% of the cloud services used by European organisations do not meet the requirements of the current privacy regulations, with data being sent to countries without adequate levels of data protection. With stricter policies and harsher penalties set to come into force soon, organisations have just a short window to address these issues.

“The growth in cloud services being used in Europe is testament to the benefits users see in the services on offer,” said Rajiv Gupta, chief executive officer (CEO), Skyhigh Networks. “On the other hand, the IT department needs to make sure that these services don’t put the organisation’s intellectual property at risk. This report analyses real-world cloud usage data to shine a light on the extent of Shadow IT.”

Echoing the last report, much of the adoption of cloud services remains under the radar of IT departments, with 76% of IT professionals not knowing the scope of Shadow IT at their companies but wanting to know. As such, a key problem that IT teams face is the enforcement of an acceptable use policy. The report found that IT personnel are often surprised to discover that cloud services they believed to have been blocked are actually being used by employees.

As part of the study, Skyhigh surveyed IT professionals to understand their expected block rates for certain cloud services, and then compared these with actual block rates measured in the wild. The resulting ‘cloud enforcement gap’ was surprising: for example, 44% of IT professionals intended to block YouTube, but only 1% of organisations blocked the service comprehensively.

In terms of trends, the report found that 80% of all corporate data uploaded to the cloud is sent to just 15% of cloud services, which makes it easier for IT teams to prioritise security and risk analysis. The top destination for corporate data in Europe is Microsoft Office 365, followed by Salesforce. However, a long tail of services lies below these top 15 and this is where 73% of the compromised accounts, insider threats and malware originate.

“The gap between perception and reality uncovered by this study is worrying, as so much corporate data is being uploaded to cloud services that IT teams believe they have blocked,” said Gupta.

“It only takes one misstep to cause a serious security or compliance threat to an organisation. As such, mechanisms should be in place not only to discover which cloud services are being used, but also to analyse the risk profile of these services and understand the true implications for enterprise data security.”

