Mistakes that lead to loss of corporate data in the cloud

High profile data breaches are becoming more and more ubiquitous in the headlines. There’s an ongoing conveyor belt of globally recognisable brands – such as Tesco Bank, Three Mobile, TalkTalk and Yahoo – announcing that their huge stores of customer data have been compromised in some capacity, and it’s consumers who remain at risk from targeted attacks.

The rapid adoption of cloud has undoubtedly played a role in the increasing number of breaches. It’s a relatively new technology meaning there remains some uncertainty around how to use it securely.

As such, while hackers stealing and publicising sensitive customer information makes the news, most corporate data loss in the cloud can actually be traced to malicious or careless users.

The cloud is used by all businesses, for everything from basic emailing to hosting complete infrastructures. As such, they are beginning to look at their own actions and processes in order to minimise the likelihood of a breach taking place. There are many opportunities for an employee to place corporate data at risk either accidentally or deliberately, but some are more common and should be managed appropriately.

1. Employees download data from a secure cloud service and then upload the data to a high-risk alternative

Cloud services are used to enhance collaboration and productivity, but not all were created equal in regards to their security.

While enterprise-grade cloud service providers (CSPs), such as Box, Microsoft and Salesforce, have made significant investments in the security of their platforms, lesser known applications can’t, or don’t.

>See also: Data Protection Day: it’s important

Furthermore, larger CSPs also offer more favourable legal terms of use; namely, they do not claim ownership of data that customers upload to the service, they delete data on account termination, and they do not share customer data with third parties.

Employees who use high-risk services for convenience often don’t realise the risk they pose to corporate data, or that it will soon leave their firms vulnerable to GDPR non-compliance fines.

2. An employee downloads corporate data from an enterprise cloud service to an unmanaged personal device that lacks endpoint security controls

Most employees utilise their personal devices so they can work on the move, but this often means they are accessing the company’s sensitive and confidential information.

Corporate bring your own device (BYOD) programmes have tried to address the issue by enabling employees to log in to secure cloud services remotely.

However, when sensitive data is downloaded to unmanaged devices without the appropriate endpoint security – for example, remote wipe or strong device PIN – in place, that data is now at risk.

If the user looks away for a moment at a coffee shop, the device could be stolen and corporate data along with it.

3. Privileged users of a cloud service change security configurations in ways that inadvertently weaken security or access corporate data outside their role

While less common than threats from regular users, privileged user threats can be especially damaging due to the high level of permissions these individuals have within cloud services.

>See also: Data will be AI’s key enabler

These threats can include administrators changing security settings that inadvertently weaken security, but they can also include malicious activity.

Edward Snowden is perhaps the most infamous example of a privileged user accessing data outside the scope of his role in IT. More common examples include the IT administrator snooping on data in order to make stock trades on insider information.

4. An employee shares data with a third party, such as a vendor or partner, via a personal email account or shared link that can be forwarded to others and not tracked

Cloud-based collaboration services have replaced email as the top method for sharing items with co-workers and business partners, especially large files that can’t be emailed.

While the majority of collaboration occurs by inviting specific individuals, sending documents to or from personal email accounts makes it difficult to confirm whether both the sender and recipient are legitimate authorised users.

Similarly, files shared from cloud platforms that use links that can be forwarded to anyone else without restriction pose a huge threat. Businesses must ensure they are using cloud services that allow them to control access on a granular level.

5. Employees authorise third party applications that require access to corporate data stores

Cloud platforms such as Salesforce and Google G Suite incorporate many enterprise-grade security features. They also have thriving marketplaces of third party apps that can be connected to them to enhance the value of their services.

Yet, not all of these apps are secure. A common mistake made by users is adding permissions for an app to connect to sensitive corporate data in a secure cloud environment, making the third party app the weakest link in their cloud cyber security.

>See also: Data hoarding creates a digital wasteland

Sometimes applications using existing cloud accounts require onerous levels of access to data. For example, when it initially launched, Pokémon Go users who signed in with their Google accounts provided full account access to the app.

As the frequency of high profile data breaches continues to increase, particularly ones involving the cloud, companies are beginning to understand the risks that employees can pose to corporate data.

Whether accidentally or maliciously, an employee can cause more damage to a business’ reputation far more quickly than a sophisticated cyber attack.

As such, organisations are starting to incorporate education into their overall cyber security strategies. If employees know how to and why they should remain vigilant when using corporate data in the cloud, they are far less likely to make a potentially damaging mistake.


Sourced by Nigel Hawthorn, chief European spokesperson at Skyhigh Networks

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Cyber Security