Nearly half of those polled at Infosec Europe last week reported that they use cloud storage services such as Dropbox, but an even bigger number think such services potentially open up security holes.
The demand for cloud services in the workplace is growing. That’s evidenced by the results of the poll, in which Sophos found that 45 percent of 214 conference attendees are using the services for work.
In the same survey, 64 percent reported that they think this type of service is scary.
With that level of awareness, it’s obvious that people – at least, those people who attend Infosec conferences – understand the risks of consumer cloud services. But in spite of that understanding, businesses are failing to keep a lid on their employees’ use of the services.
Chris Pace, a product specialist at Sophos, noted that it’s risky for businesses to stick their heads in the sand as far as cloud services go. Storing, sharing and exchanging files in the cloud is just too easy, and it offers too much irresistible additional storage capacity, for employees to pass it up.
Assume that users will take advantage of cloud, and prepare for the technology’s inherent security vulnerabilities, Pace said – otherwise, ungoverned employee use could lead to data compromise. His thoughts:
"The main concern is that, because the infrastructure of consumer-orientated solutions like Dropbox doesn't support enterprise-grade requirements, many businesses are currently just handing control to the user, leaving it to them to make a judgement on the risk they're posing to corporate data."
Securing something like Dropbox shouldn’t be all that hard, Pace said. His suggestions:
"Simple precautions such as web-based policies using URL filtering, application controls that can be applied to cloud products, and data encryption that provides a layer of security across the board, should be introduced as standard if companies wish to reap the benefits of cloud, while mitigating security risks."
(For more advice on securing Dropbox, check out Sophos’s whitepaper, “Fixing Your Dropbox Problem”.)
Other poll findings confirm the premise that businesses have some work to do when it comes to securing consumer technologies – in particular, personal mobile devices.
Nearly a third – 32 percent – of respondents reported that they’re allowed to use their own gadgets for work, but their IT departments are taking a hands-off approach, failing to control usage or institute rules about securing those devices.
Wireless networks are another sketchy security spot. Almost half – 49 percent – of those polled said that their workplace wireless networks are protected with merely a single password or a small number of passwords.
Wi-Fi gets into the same territory as Dropbox with its too-good-to-not-use appeal. It’s flexible, it’s easy, and it allows users to connect anywhere in the office.
What’s not to like?
For one thing, its inherent complexity, Pace said. For another, it presents yet another network to secure. His suggested approach to making workplace wireless more secure:
"Instead of businesses setting up a standard wireless router that connects to the internet, with everyone using the same or a limited number of keys, they should be looking for ways to integrate Wi-Fi into their existing network security, giving them both better value and control."
The common thread of all the poll’s findings: the workplace is a little wild and wooly.
It’s up to management, the IT department and all you information security people to domesticate it.