Thousands of data loss incidents occur every month in the cloud, leaving most at risk of sensitive data loss or regulatory non-compliance
Data is distributed broadly across devices and the cloud, highlighting critical gaps for enterprise security, according to McAfee’s research study titled Enterprise Supernova: The Data Dispersion Cloud Adoption and Risk Report. 79% of companies surveyed store sensitive data in the public cloud. While these companies approve an average of 41 cloud services each, up 33% from last year, thousands of other services are used ad-hoc without vetting. In addition, 52% of companies use cloud services that have had user data stolen in a breach. By leaving significant gaps into the visibility of their data, organizations leave themselves open to loss of sensitive data and to regulatory non-compliance.
Cloud services have replaced many business-critical applications formerly run as on-premises software, leading to a migration of sensitive data to the cloud. Use of personal devices when accessing cloud services, the movement of data between cloud services, and the sprawl of high-risk cloud services drive new areas of risk for companies using the cloud. For organizations to secure their data they need a thorough understanding of where their data is and how it is shared—especially with the rapid adoption of cloud services. As part of this report, McAfee surveyed 1,000 enterprise organizations in 11 countries and investigated anonymized events from 30 million enterprise cloud users to gain a holistic view of modern data dispersion.
The key findings include:
- Shadow IT continues to expand enterprise risk: According to the study, 26% of files in the cloud contain sensitive data, an increase of 23% year-over-year. 91% of cloud services do not encrypt data at rest; meaning data isn’t protected if the cloud provider is breached.
- Personal devices are black holes: 79% of companies allow access to enterprise-approved cloud services from personal devices. One in four companies has had their sensitive data downloaded from the cloud to an unmanaged, personal device, where they can’t see or control what happens to the data.
- Intercloud travel opens new paths to risk: Collaboration facilitates the transfer of data within and between cloud services, creating a new challenge for data protection. 49% of files that enter a cloud service are eventually shared. One in 10 files that contain sensitive data and are shared in the cloud uses a publicly accessible link to the file, an increase of 111% year-over-year.
- A new era of data protection is on the horizon: 93% of CISOs understand it’s their responsibility to secure data in the cloud. However, 30% of companies lack the staff with skills to secure their Software-as-a-Service applications, up 33% from last year. Both technology and training are outpaced by the rapid expansion of cloud.
The force of the cloud is unstoppable, and the dispersion of data creates new opportunities for both growth and risk. Security that draws closer to data—creating a spectrum of controls from the device, through the web, and to a new cloud edge—provides the opportunity to break the paradigm of network-centric protection. So, as per McAfee, security leaders can take the following steps to break this paradigm at their own organization:
- Evaluate your data protection strategy for devices and the cloud: Consider the difference between a disparate set of technologies at each control point and the advantages of merging them for a single set of policies, workflows, and results.
- Investigate the breadth and risk of “Shadow IT”: Determine your scope of cloud use, with a focus on high-risk services. Then, move to enabling your approved services and restricting access to those which might put data at risk.
- Plan for the future of unified security for your data: Context about devices improves security of data in the cloud, and context about the risk of cloud services improves access policy through the web. Many more efficiencies apply, while some are yet to be discovered. These control points are merging to deliver the future of data security.