The insider threat of Bring your own Cloud (BYOC)

Independently conducted by Ponemon Institute

Category: Cloud computing

Date: January 2014 (report publication date)

Company: Skyhigh Networks

When it comes to the risks posed by BYOC, organisations are operating in uncharted waters. While 80 percent of respondents are very familiar or familiar with the term Bring Your Own Device (BYOD), only 20 percent are very familiar or familiar with the term BYOC. We conclude that respondents may not be familiar with the term, but they do believe that such practices could pose serious security risks.

Download this white paper to fully understand the new BYOC strategy.

The Insider Threat of Bring Your Own Cloud (BYOC)
Independently conducted by Ponemon Institute LLC
Publication Date: January 2014
Ponemon Institute© Research Report

Part 1. Introduction

Sponsored by Skyhigh Networks, Ponemon Institute is pleased to present the results of The Insider Threat of Bring Your Own Cloud (BYOC) study. The purpose of this research is to better understand how the security processes of companies are affected when employees are allowed to use public or private third-party cloud services to perform certain job roles. For the purposes of this study, we defined BYOC as employees' use of consumer-grade public cloud services in the workplace without the IT function's awareness or permission. Typically, the employee uses these services for document collaboration and sharing with other employees or third parties.

More than 400 IT and IT security practitioners were surveyed for this research. Seventy-seven percent report to either the information technology function (64 percent) or IT security (13 percent).

When it comes to the risks posed by BYOC, organizations are operating in uncharted waters. While 80 percent of respondents are very familiar or familiar with the term Bring Your Own Device (BYOD), only 20 percent are very familiar or familiar with the term BYOC. We conclude that respondents may not be familiar with the term, but they do believe that such practices could pose serious security risks.

Exacerbating this risk is the lack of certainty as to how pervasive BYOC is in the workplace. The study also reveals that in many cases the company does not know what information is exposed, how it is used and with whom it is being shared. Specifically, 64 percent of respondents say their organizations are not able to confirm whether employees are using their own personal cloud services in the workplace.

These findings are consistent with a Skyhigh report that describes the cloud as the new wild west. Based on aggregated data from three million individuals, the Cloud Adoption & Risk Report finds that on average 545 cloud services are in use by organizations across a variety of industries. The highest number of cloud services in use by a single organization is 1,769.

Part 2. Key findings

BYOC is believed to be pervasive. Although many are learning about the term "BYOC" for the first time, they know it exists. Sixty-two percent of respondents say that, to some degree, employees are using their own Dropbox, Google Docs and/or Evernote accounts (plus many other public cloud services) in the workplace. However, only 26 percent of respondents say they permit this practice.

Why do employees ignore their workplace policies and continue to use public cloud services? The main reason is that those in charge do not want to stop employees who use their own private cloud services or apps. This is followed by the difficulty organizations encounter when trying to stop the use of BYOC services or apps. Despite the risk, 35 percent of respondents say leadership does not view this as a data security priority.

Lack of control or supervision over personal use of cloud services puts organizations at risk. Among those organizations that allow employees to access cloud services using their own accounts, it is controlled mostly by supervisory or managerial oversight (49 percent). This is followed by unofficial or tacit policy, including informal conventions known among employees. Many organizations represented in this research do not know how such access is controlled.

BYOC data risks will increase. Fifty-five percent of respondents (20 percent "significant increase" plus 35 percent "some increase") say BYOC is increasing data security risks today. The same percentage (55 percent) says BYOC data risks will increase significantly or to some degree in the next 24 months. However, 28 percent cannot determine whether BYOC affects data security today, and 26 percent cannot determine whether data risks will increase. The biggest risks posed by BYOC are the loss or theft of intellectual property, compliance violations and regulatory actions, and loss of control over end-user actions.

BYOC presents new and unique security challenges. Security measures are difficult to accomplish because of BYOC. For example, 85 percent of respondents say it makes it harder to manage access governance and privileged access to sensitive and confidential data. This is followed by the inability to scan user accounts and documents because of privacy issues (75 percent of respondents) and to ensure data compliance obligations and requirements are met (73 percent of respondents).

The risk of BYOC is linked to weak security over public cloud usage. Most respondents say they are not confident or have no confidence that they could stop or prevent data loss in the BYOC environment. The primary reason could be attributed to the lack of BYOC security measures and the difficulty of addressing the insider threat to data in the cloud. Those who are confident they can stop data loss give two reasons: they trust their employees to know what to do to prevent data loss and/or they have compensating controls that limit BYOC data risks. The ability to comply with regulations also seems to depend on trustworthy employees and compensating controls.

End-users are often most responsible for BYOC security. IT security is often not involved in making sure employees are practicing safe BYOC. The end-user is considered most responsible for the security of BYOC, followed by business unit managers.

Employees are believed to be more productive with BYOC. One reason is the perception that employees' use of public cloud services is good for productivity and that restricting its use for security reasons would be unpopular. Only 25 percent of respondents say they have stopped employees from using personal accounts to access public cloud services for work-related activities, such as document collaboration or sharing.

Part 3. Recommendations

What can companies do to address the BYOC risk? Following are recommendations:

- According to the findings, most companies do not know the extent of employees' use of public cloud services. It is important to know how to find unauthorized cloud services in use on your internal network.
- Another important step is to understand how to review and audit your IT cloud services to ensure that security, compliance and governance protocols are in place.
- If the company permits BYOC, make sure that policies clearly explain employees' responsibilities to minimize the risks. Have guidelines as to which public cloud services are acceptable, based on the risks of using them.
- Assess whether the use of public cloud services actually serves a business purpose. If not, limit their use and communicate these restrictions in training and awareness programs. Establish mechanisms to monitor compliance and extend data loss prevention policies to the cloud.
- Determine whether security controls are too strict and prevent employee creativity and productivity. Align the needs of the business with the appropriate security controls.

Part 4. Key findings (detail)

BYOC is believed to be pervasive. Although many are learning about the term "BYOC" for the first time, they know it exists. As shown in Figure 1, 62 percent of respondents say that, to some degree, employees are using their own Dropbox, Google Docs and/or Evernote accounts (plus many other public cloud services) in the workplace.

Figure 1. Do employees use public cloud services in the workplace? (bar chart) Yes, with certainty 9%; Yes, very likely 30%; Yes, likely 23%; No, unlikely 19%; Never 4%; Unsure 15%.

However, Figure 2 reveals that only 26 percent of respondents say they permit this practice.

Figure 2. Employees are permitted to use personal accounts to access public cloud services (bar chart) Yes 26%; No 60%; Unsure 14%.

Why do employees ignore their workplace policies and continue to use public cloud services? As shown in Figure 3, the main reason is that those in charge do not want to stop employees who use their own private cloud services or apps. This is followed by the difficulty organizations encounter when trying to stop the use of BYOC services or apps. Despite the risk, 35 percent of respondents say leadership does not view this as a data security priority.

Figure 3. Reasons employees are not stopped from using public cloud services (bar chart, more than one response permitted): appeasement of employees who like using their own private cloud services or apps; difficult to stop the use of BYOC services; unable to monitor BYOC activities; business units do not discourage the use of document sharing/productivity tools that are free; organizational leaders do not view this as a data security priority; acceptable or unacceptable use policies are not enforced; unsure. Percentages are given in Q5d of the appendix.

Lack of control or supervision over personal use of cloud services puts organizations at risk. Among those organizations that allow employees to access cloud services using their own accounts, it is controlled mostly by supervisory or managerial oversight (49 percent), as shown in Figure 4. This is followed by unofficial or tacit policy, including informal conventions known among employees. Many organizations represented in this research do not know how such access is controlled.

Figure 4. How permission to use public cloud services is communicated and controlled (bar chart, more than one response permitted): supervisory or managerial oversight of subordinates and what they do online 49%; unofficial or tacit policy, including informal conventions known among employees 45%; don't know 41%; general policy about the employee's responsibility to protect the organization's data 33%; specific policy dedicated to the employee's acceptable use of public cloud services 21%; employee training and awareness activities on the use of public cloud services 19%; use of black lists 16%; specialized technologies for controlling access and use of public cloud services 15%; use of white lists 15%; other 5%.

BYOC data risks will increase. According to Figure 5, 55 percent of respondents (20 percent "significant increase" plus 35 percent "some increase") say BYOC is increasing data security risks today. The same percentage (55 percent) says BYOC data risks will increase significantly or to some degree in the next 24 months. However, 28 percent cannot determine whether BYOC affects data security today, and 26 percent cannot determine whether data risks will increase.

Figure 5. BYOC and data security risks (bar chart; two series: effect of BYOC on data security risks today, and change in BYOC data risks over the next 24 months; categories: significant increase, some increase, no increase, cannot determine). Values are given in Q6a and Q6b of the appendix.

The biggest risks posed by BYOC are the loss or theft of intellectual property, compliance violations and regulatory actions, and loss of control over end-user actions, as shown in Figure 6.

Figure 6. BYOC risks of most concern (bar chart, three choices permitted): loss or theft of intellectual property 63%; compliance violations and regulatory actions 59%; loss of control over end user actions 55%; malware infections that unleash a targeted attack 25%; contractual breaches with customers or business partners 21%; diminished customer trust 20%; data breach requiring disclosure and notification to victims 18%; increased customer churn 16%; revenue losses 13%; lawsuits 10%.

BYOC presents new and unique security challenges. Figure 7 lists the security measures that are difficult to accomplish because of BYOC. For example, 85 percent of respondents say it makes it harder to manage access governance and privileged access to sensitive and confidential data. This is followed by the inability to scan user accounts and documents because of privacy issues (75 percent of respondents) and to ensure data compliance obligations and requirements are met (73 percent of respondents).

Figure 7. BYOC security challenges created by the inability to do the following tasks (bar chart, more than one response permitted): manage access governance and privileged access to sensitive data; scan user accounts and documents because of privacy issues; ensure data compliance obligations and requirements are met; know the number of imaged copies of data transmitted to a public cloud; turn off public cloud service providers if they have poor security practices; control what end users do or can't do in the public cloud environment; ensure the public cloud environment has a sufficient security infrastructure; control the transmission of data from the workplace to a private cloud; remove sensitive information after it is transmitted to a public cloud. Percentages are given in Q8b of the appendix.

The risk of BYOC is linked to weak security over public cloud usage.
Most respondents say they are not confident or have no confidence that they could stop or prevent data loss in the BYOC environment (Figure 8). The primary reason could be attributed to the lack of BYOC security measures and the difficulty of addressing the insider threat to data in the cloud.

Figure 8. How confident are you that your organization can stop or prevent data loss, and ensure compliance requirements, in the BYOC environment? (bar chart; two series; categories: very confident, confident, not confident, no confidence). Values are given in Q9a and Q10a of the appendix.

Those who do have confidence give two reasons: first, they trust their employees to know what to do to prevent data loss, and/or they have compensating controls that limit BYOC data risks, as shown in Figure 9. The ability to comply with regulations also seems to depend on trustworthy employees and compensating controls.

Figure 9. Reasons for being confident in stopping data loss in BYOC (bar chart): employees are trustworthy and know what to do to prevent data loss 59%; organization has compensating controls that limit BYOC data risks 56%; don't know 35%; IT department has the ability to regulate employees' usage of public cloud services 18%; other 6%.

End-users are often most responsible for BYOC security. IT security is often not involved in making sure employees are practicing safe BYOC. Figure 10 reveals that the end-user is considered most responsible for the security of BYOC, followed by business unit managers.

Figure 10. Who is most responsible for BYOC security, compliance and governance? (bar chart; categories: end-users, business unit managers, IT department, information security, compliance, legal, internal audit, other). Values are given in Q13 of the appendix.

Employees are believed to be more productive with BYOC. One reason is the perception that employees' use of public cloud services is good for productivity and that restricting its use for security reasons would be unpopular. As shown in Figure 11, only 25 percent of respondents say they have stopped employees from using personal accounts to access public cloud services for work-related activities, such as document collaboration or sharing.

Figure 11. Have employees been stopped from BYOC practices? (bar chart) Yes 25%; No 41%; Unsure 34%.

Part 5. Methods

A random sampling frame of 13,557 IT and IT security practitioners located in all regions of the United States was selected for this survey. As shown in Table 1, 441 respondents completed the survey. Screening and reliability checks removed 32 surveys. The final sample was 409 surveys (a 3.0 percent response rate).

Table 1. Sample response
  Sampling frame: 13,557 (100.0%)
  Total returns: 441 (3.3%)
  Rejected and screened surveys: 32 (0.2%)
  Final sample: 409 (3.0%)

Pie Chart 1 reports respondents' position level within participating organizations. By design, 56 percent of respondents are at or above the supervisory level.

Pie Chart 1. Current position within the organization (categories: executive/VP, director, manager, supervisor, technician, staff/admin, contractor). Values are given in D1 of the appendix.

Pie Chart 2 shows 64 percent of respondents reporting to information technology and 13 percent reporting to IT security.

Pie Chart 2. Reporting channel. Values are given in D2 of the appendix.

Pie Chart 3 reports a total of 15 industry segments of respondents' organizations. This chart identifies financial services (19 percent) as the largest segment, followed by public sector (16 percent) and health and pharmaceuticals (13 percent).

Pie Chart 3. Industry distribution of respondents' organizations (categories: financial services, public sector, health & pharmaceuticals, retail, services, industrial, technology & software, hospitality, transportation, education & research, energy & utilities, communications, consumer products, entertainment & media, other). Values are given in D3 of the appendix.

Part 6. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in October 2013.

Sample response
  Total sampling frame: 13,557 (100.0%)
  Total survey returns: 441 (3.3%)
  Rejected or screened surveys: 32 (0.2%)
  Final sample: 409 (3.0%)

Bring Your Own Cloud (BYOC). This term refers to employees' use of consumer-grade public cloud services in the workplace.
An example includes the use of an employee's personal Dropbox or Google Docs accounts to perform document collaboration and sharing with other employees or third parties. In many cases, the employee's organization does not know what information is exposed, how it is used and with whom it is being shared.

Part 1. General Questions

Q1a. How familiar are you with the term Bring Your Own Device (BYOD)?
  Very familiar: 27%
  Familiar: 53%
  Not familiar: 13%
  No knowledge: 7%
  Total: 100%

Q1b. How familiar are you with the term Bring Your Own Cloud (BYOC)?
  Very familiar: 2%
  Familiar: 18%
  Not familiar: 54%
  No knowledge: 26%
  Total: 100%

Q2. What one statement best describes your view about BYOD and BYOC security risks within your organization?
  BYOD and BYOC pose different security risks: 48%
  BYOD and BYOC pose identical security risks: 13%
  BYOD and BYOC pose similar, but not identical, security risks: 26%
  Don't have a view: 13%
  Total: 100%

Q3. What one statement best describes your view about the relative difficulty in mitigating or moderating security risks posed by BYOD and BYOC within your organization?
  BYOD security risks are more difficult to manage than BYOC security risks: 19%
  BYOC security risks are more difficult to manage than BYOD security risks: 31%
  BYOD and BYOC security risks are equally difficult to manage: 21%
  Unsure: 29%
  Total: 100%

Q4. Do employees in your organization ever use their own Dropbox, Google Docs and/or Evernote accounts (plus many other public cloud services) in the workplace?
  Yes, with certainty: 9%
  Yes, very likely: 30%
  Yes, likely: 23%
  No, unlikely: 19%
  Never: 4%
  Unsure: 15%
  Total: 100%

Q5a. Does your organization permit employees to use their personal accounts to access public cloud services in the workplace?
  Yes: 26%
  No: 60%
  Unsure: 14%
  Total: 100%

Q5b. If yes, how is permission communicated and controlled? Please check all that apply.
  Supervisory or managerial oversight of subordinates and what they do online in the workplace: 49%
  Unofficial or tacit policy, including informal conventions known among employees: 45%
  Don't know: 41%
  General policy about the employee's responsibility to protect the organization's data: 33%
  Specific policy dedicated to the employee's acceptable use of public cloud services: 21%
  Employee training and awareness activities on the use of public cloud services in the workplace: 19%
  Use of black lists (a list of all private cloud services that are not permitted in the workplace): 16%
  Use of white lists (a list of all private cloud services that are permitted in the workplace): 15%
  Specialized technologies for controlling access and use of public cloud services in the workplace: 15%
  Other: 5%
  Total: 259%

Q5c. If no, how certain are you that employees are not using their own personal cloud services in the workplace?
  Very certain: 16%
  Certain: 20%
  Not certain: 64%
  Total: 100%

Q5d. [If Q5a = No and Q4 = Yes] Why are employees continuing to use public cloud services even though the organization does not condone their use in the workplace? Please select all that apply.
  Appeasement of employees who like using their own private cloud services or apps: 68%
  Difficult to stop the use of BYOC services or apps: 58%
  Unable to monitor BYOC activities (or lack of visibility): 49%
  Business units do not discourage the use of document sharing and other productivity tools that are free: 46%
  Organizational leaders do not view this as a data security priority: 35%
  Acceptable or unacceptable use policies are not enforced: 34%
  Unsure: 7%
  Total: 297%

Q6a. In your opinion, how does BYOC affect data security risks within your organization today?
  Significant increase: 20%
  Some increase: 35%
  No increase: 27%
  Cannot determine: 28%
  Total: 110% (as printed; the rows sum to 110%)

Q6b. In your opinion, how will BYOC data risks change over the next 24 months?
  Significant increase: 32%
  Some increase: 23%
  No increase: 19%
  Cannot determine: 26%
  Total: 100%

Q7. In the context of BYOC, what specific data security risks concern your organization the most? Please select three choices.
  Loss or theft of intellectual property: 63%
  Compliance violations and regulatory actions: 59%
  Loss of control over end user actions: 55%
  Malware infections that aim to unleash a targeted attack: 25%
  Contractual breaches with customers or business partners: 21%
  Diminished customer trust: 20%
  Data breach requiring disclosure and notification to victims: 18%
  Increased customer churn (turnover): 16%
  Revenue losses: 13%
  Lawsuits: 10%
  Total: 300%

Q8a. Does BYOC present a new or unique set of challenges to your organization's IT security, compliance and governance efforts?
  Yes: 66%
  No: 34%
  Total: 100%

Q8b. If yes, what are these new or unique BYOC challenges? The inability to ...
  Manage access governance and privileged access to sensitive or confidential data: 85%
  Scan user accounts and documents because of privacy issues: 75%
  Ensure data compliance obligations and requirements are met: 73%
  Turn off public cloud service providers if there is a suspicion that they have poor security practices: 69%
  Know the number of imaged copies of data transmitted to a public cloud: 69%
  Control what end users do or can't do in the public cloud environment: 60%
  Ensure the public cloud environment has a sufficient security infrastructure: 58%
  Control the transmission of data from the workplace to a private cloud: 55%
  Erase or remove confidential or sensitive information after it is transmitted to a public cloud: 51%
  Total: 595%

Q9a. How confident are you that your organization can stop or prevent data loss in the BYOC environment?
  Very confident: 11%
  Confident: 23%
  Not confident: 43%
  No confidence: 23%
  Total: 100%

Q9b. If very confident or confident, why?
  Our employees are trustworthy and know what to do to prevent data loss: 59%
  Our organization has compensating controls that limit BYOC data risks: 56%
  Don't know: 35%
  Our IT department has the ability to regulate employees' usage of public cloud services: 18%
  Other: 6%
  Total: 174%

Q10a. How confident are you that your organization can ensure compliance requirements in the BYOC environment (such as PCI, HIPAA, GLBA and many others)?
  Very confident: 9%
  Confident: 21%
  Not confident: 47%
  No confidence: 23%
  Total: 100%

Q10b. If very confident or confident, why?
  Our employees are trustworthy and know what to do to ensure compliance: 55%
  Our organization has compensating controls that limit BYOC data risks: 54%
  Don't know: 36%
  Our IT department has the ability to regulate employees' usage of public cloud services: 18%
  Other: 7%
  Total: 170%

Q11. If necessary, could your organization stop employees' use of public cloud services in the workplace that are knowingly insecure?
  Yes, with certainty: 11%
  Yes, most likely: 15%
  Yes, likely: 21%
  No: 53%
  Total: 100%

Q12. Have you or your organization ever stopped an employee from using his or her personal account to access public cloud services for work-related activities (such as document collaboration or sharing)?
  Yes: 25%
  No: 41%
  Unsure: 34%
  Total: 100%

Q13. Who is most responsible for ensuring employees (end users) are not violating the organization's security, compliance and governance policies in the BYOC environment? Please select only one choice.
  End-users: 43%
  Business unit managers: 25%
  IT department: 15%
  Information security: 8%
  Compliance: 3%
  Other: 3%
  Legal: 2%
  Internal audit: 1%
  Total: 100%

Q14. How involved is the organization's IT security group or department in ensuring the safe/secure use of BYOC by employees?
  Fully involved: 9%
  Partially involved: 19%
  Minimally involved: 28%
  Not involved: 44%
  Total: 100%

Q15. In your opinion, how important is BYOC to achieving high employee productivity?
  Very important: 23%
  Important: 25%
  Not important: 22%
  Irrelevant: 30%
  Total: 100%

Part 2. Demographics & Organizational Characteristics

D1. Position level of respondents
  Executive/VP: 2%
  Director: 17%
  Manager: 21%
  Supervisor: 16%
  Technician: 28%
  Staff/Admin: 11%
  Contractor: 5%
  Total: 100%

D2. Reporting channel
  CEO/Executive committee: 1%
  COO/Operations: 3%
  Finance & accounting: 4%
  Information technology (IT): 64%
  IT security: 13%
  Physical security: 4%
  Risk management: 5%
  Compliance: 3%
  Legal: 2%
  Internal audit: 1%
  Total: 100%

D3. Industry sectors
  Agriculture & food services: 1%
  Communications: 2%
  Consumer products: 2%
  Defense & aerospace: 1%
  Education & research: 3%
  Energy & utilities: 3%
  Entertainment & media: 2%
  Financial services: 19%
  Health & pharmaceuticals: 13%
  Hospitality: 4%
  Industrial: 6%
  Public sector: 16%
  Retail: 9%
  Services: 8%
  Technology & software: 5%
  Transportation: 4%
  Other: 2%
  Total: 100%

D4. Organizational headcount (size)
  Less than 100: 5%
  101 to 500: 14%
  501 to 1,000: 18%
  1,001 to 5,000: 17%
  5,001 to 10,000: 15%
  10,001 to 25,000: 14%
  25,001 to 75,000: 10%
  More than 75,000: 7%
  Total: 100%

Ponemon Institute: Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
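The Part 3 recommendations ask organisations to find unauthorised cloud services in use on the internal network and to extend data loss prevention to the cloud, and Q5b shows that white lists, black lists and "specialized technologies" are the least-used controls. What follows is an added example of how that discovery check can be run over web-proxy logs; it is not code from the report, from Ponemon Institute or from Skyhigh Networks. The log format (timestamp, user, method, host, path, status, bytes received, bytes sent by the client), the example-corp.com white list, the consumer-cloud black list and the log lines themselves are all constructed assumptions for the example.

```python
"""Shadow-cloud (BYOC) discovery from web-proxy logs: added example, not from the report.

Each proxy request is classified against a sanctioned (white) list and a
consumer-cloud (black) list; requests to unsanctioned hosts are totalled per
user, with bytes uploaded (request bodies sent on POST/PUT/PATCH) kept separately
so that DLP follow-up can be prioritised by what actually left the network.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# ASSUMED log format (one request per line, space separated):
#   timestamp user method host path status bytes_in bytes_out
# bytes_in  = bytes the proxy returned to the client
# bytes_out = bytes the client sent to the destination (the request body)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<bytes_in>\d+)\s+(?P<bytes_out>\d+)\s*$"
)

# CONSTRUCTED sample traffic, not real logs. example-corp.com stands in for the
# organisation's own sanctioned services.
SAMPLE_LOG = """\
2013-10-02T09:14:05Z alice GET www.example-corp.com /intranet 200 4211 512
2013-10-02T09:15:40Z alice POST content.dropboxapi.com /2/files/upload 200 118 5242880
2013-10-02T09:16:02Z bob PUT docs.google.com /upload/drive 200 322 1048576
2013-10-02T09:17:33Z carol GET www.evernote.com /Home.action 200 9104 640
2013-10-02T09:18:10Z bob POST sharepoint.example-corp.com /sites/finance/upload 200 201 2097152
2013-10-02T09:19:55Z dave POST files.unknown-cloud.example /api/put 200 150 734003
"""

SANCTIONED = {"example-corp.com"}  # assumed white list: domain suffixes the business approved
CONSUMER_CLOUD = {"dropbox.com", "dropboxapi.com", "docs.google.com",
                  "drive.google.com", "evernote.com"}  # assumed black list of consumer services
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


@dataclass(frozen=True)
class ProxyEvent:
    ts: str
    user: str
    method: str
    host: str
    path: str
    status: int
    bytes_in: int
    bytes_out: int


def parse_line(line):
    """Return a ProxyEvent, or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None  # skip malformed lines rather than abort the whole run
    g = m.groupdict()
    return ProxyEvent(g["ts"], g["user"], g["method"], g["host"].lower(), g["path"],
                      int(g["status"]), int(g["bytes_in"]), int(g["bytes_out"]))


def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_host(host, sanctioned=SANCTIONED, consumer=CONSUMER_CLOUD):
    if host_matches(host, sanctioned):
        return "sanctioned"
    if host_matches(host, consumer):
        return "consumer-cloud"
    return "unknown"  # not on either list: unaccounted for, not safe


def shadow_cloud_report(log_text, sanctioned=SANCTIONED, consumer=CONSUMER_CLOUD):
    """Per user, per unsanctioned host: category, request count and bytes uploaded."""
    report = defaultdict(dict)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        category = classify_host(ev.host, sanctioned, consumer)
        if category == "sanctioned":
            continue
        entry = report[ev.user].setdefault(
            ev.host, {"category": category, "requests": 0, "upload_bytes": 0})
        entry["requests"] += 1
        # Count request bodies only on successful write-style requests.
        if ev.method in UPLOAD_METHODS and 200 <= ev.status < 300:
            entry["upload_bytes"] += ev.bytes_out
    return dict(report)


def top_uploads(report, min_bytes=1):
    """(user, host, category, bytes) rows with at least min_bytes uploaded, largest first."""
    rows = [(user, host, e["category"], e["upload_bytes"])
            for user, hosts in report.items() for host, e in hosts.items()
            if e["upload_bytes"] >= min_bytes]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for user, host, cat, nbytes in top_uploads(shadow_cloud_report(SAMPLE_LOG)):
        print(f"{user:8} {host:32} {cat:14} {nbytes:>10} bytes uploaded")
```

Run as a script it prints the unsanctioned destinations per user ranked by bytes uploaded, which is the list a DLP or CASB follow-up would start from. Two caveats a practitioner would want: the check only sees what the proxy sees, so without TLS interception you get the host name (from the CONNECT request or SNI) and byte counts but not method or path, and bytes sent rather than HTTP method then has to serve as the upload signal; and a host missing from both lists is reported as "unknown", not treated as safe, because that unaccounted-for category is exactly what the 64 percent of respondents in Q5c cannot confirm.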
