Despite efforts at better security education, Fortune 1000 employees continue to choose convenience over security when leveraging productivity tools on the job. Nearly a third of employees in these large enterprises regularly upload and share corporate data to third-party cloud apps without the knowledge of their employer.
The security study, from IBM, also found that about half of millennials share work data to outside cloud apps, which is alarming considering that by 2020, this group will make up 50% of the global workforce.
Those results are in spite of the fact that 60% of employees understand that accessing and uploading data to third-party applications violate their employers’ security and privacy policies—but do it anyway.
While the cloud offers greater productivity, employees engaging in rogue shadow IT activities on unsanctioned apps can leave companies without control over, or visibility into, sensitive data, and unable to protect employees’ identities. These issues are further compounded by circumstances that can exacerbate a loss of control.
For example, an employee could use her personal email to set up an account on a third-party file-sharing app and then upload her team’s sales contacts so that she can see them on her mobile device. While this unapproved use would give her flexible access to the data, it would present a major challenge if she took a position at a competitor. Although she would no longer have access to the data and networks monitored by her former employer’s IT team, she would still have visibility into the data uploaded to that app, a potential problem from both a competitive and a security perspective.
The IBM Security study also revealed that a quarter of all employees are linking these apps to their corporate logins, leaving vast loopholes through which attackers can gain access to company networks.
“If cybercriminals attack and gain access to a third-party cloud application, they can steal corporate credentials and use them to directly access a company’s network,” IBM noted. “These risks are especially prevalent when employees use external mobile apps for work, given that 40% of companies aren’t properly securing the apps that they build for users.”
What’s more, because there is no visibility into the use of third-party applications, the unsanctioned use of these apps opens organizations up to attackers without any ability to track how they get in.
IBM is addressing the issue with the Cloud Security Enforcer. The company announced that it is working with Box and other popular cloud app providers to make these apps safe for work by monitoring the risk of these apps being breached, using intelligence from IBM’s X-Force Exchange on malicious activity happening around the world.