Nearly half of those polled at Infosec Europe last week reported that they use cloud storage services such as Dropbox, but an even bigger number think such services potentially open up security holes.
The demand for cloud services in the workplace is growing. That’s evidenced by the results of the poll, in which Sophos found that 45 percent of 214 conference attendees are using the services for work.
In the same survey, 64 percent reported that they thought this type of service is scary.
With that level of awareness, it’s obvious that people – at least, those people who attend Infosec conferences – understand the risks of consumer cloud services. But in spite of that understanding, businesses are failing to keep a lid on their employees’ use of the services.
Chris Pace, a product specialist at Sophos, noted that it’s risky for businesses to stick their heads in the sand as far as cloud services go. Storing, sharing and exchanging files in the cloud is just too easy, and it offers too much irresistible additional storage capacity, for employees to pass it up.
Assume that users will take advantage of cloud, and prepare for the technology’s inherent security vulnerabilities, Pace said – otherwise, ungoverned employee use could lead to data compromise. His thoughts:
"The main concern is that, because the infrastructure of consumer-orientated solutions like Dropbox doesn't support enterprise-grade requirements, many businesses are currently just handing control to the user, leaving it to them to make a judgement on the risk they're posing to corporate data."
Securing something like Dropbox shouldn’t be all that hard, Pace said. His suggestions:
"Simple precautions such as web-based policies using URL filtering, application controls that can be applied to cloud products, and data encryption that provides a layer of security across the board, should be introduced as standard if companies wish to reap the benefits of cloud, while mitigating security risks."
(For more advice on securing Dropbox, check out Sophos’s whitepaper, “Fixing Your Dropbox Problem”.)
Other poll findings confirm the premise that businesses have some work to do when it comes to securing consumer technologies – in particular, personal mobile devices.
Nearly a third – 32 percent – of respondents reported that they’re allowed to use their own gadgets for work, but their IT departments are taking a hands-off approach, failing to control usage or institute rules about securing those devices.
Wireless networks are another sketchy security spot. Almost half – 49 percent – of those polled said that their workplace wireless networks are protected with merely a single password or a small number of passwords.
Wi-Fi gets into the same territory as Dropbox with its too-good-to-not-use appeal. It’s flexible, it’s easy, and it allows users to connect anywhere in the office.
What’s not to like?
For one thing, its inherent complexity, Pace said. Also, the fact that it presents yet another network to secure. His suggested approach to making workplace wireless more secure:
"Instead of businesses setting up a standard wireless router that connects to the internet, with everyone using the same or a limited number of keys, they should be looking for ways to integrate Wi-Fi into their existing network security, giving them both better value and control."
The common thread of all the poll’s findings: the workplace is a little wild and wooly.
It’s up to management, the IT department and all you information security people to domesticate it.
12 comments on “64% of people think cloud storage is risky, but 45% still go right ahead and use it”
I like how I have to give you my full name and email in order to get a whitepaper about *privacy*.
Yeah, the price we sometimes pay for having an advert-free Naked Security. Feel free to enter mine if it helps.
Wait, how does knowing my name help Naked Security be advert free? As far as I thought I knew, ads generate money, so if my name is a substitute for that, that would mean my name generates money, somehow.
It costs Sophos a fair bit of cash to keep Naked Security and its rabble of writers up and running. They could pay for us by littering our site with adverts and constant blatant product plugs, or they could turn a blind eye to our excesses by being happy that we occasionally link to resources that they have available on the main Sophos site – like this technical paper.
If you hand over your real details for the technical paper, you're also given the opportunity to sign up for email newsletters etc and may be asked if you're evaluating security solutions for your business in the future. If you, however, call yourself Arnold Aardvark of Afghanistan you're unlikely to ever be bothered.
Hope that helps
It does help, thanks! I just thought it was funny 🙂
But Sophos would get heaps of publicity from this… It's probably where the majority of traffic goes.
Wireless should be using Enterprise-grade encryption and User Controls. Every device and user must have a unique ID and access/logon procedures using Security Certificates and https:// encryption. The connections should be a constant VPN/IPSec using SSL at all times, over WPA2 with PKA2/AES encryption of all traffic.
While this might slow things down a little bit given the speed of today's devices, the networks will remain more secure. Cloud storage should not be used or allowed in Enterprise applications and data storage. Need more space? Get more drives on-site or in the secure server rack under strict Administrator control.
With the takedown of Megaupload, relying on an online storage provider can be seen as risky. You just never know if these companies are going to be around when you need them.
People I know who hosted their websites for free on Windows Live or Apple iWeb are all scrambling now to find replacement hosts for their web sites now that these companies have stopped providing the free service.
I would use online services (and currently do) but I have other copies, local and backed up online, of those files.
Cloud services at the workplace will become a basic necessity for employees because of their capability to improve business productivity, and also to share and collaborate on work with colleagues. At the same time businesses also need to carefully analyse the security risks tied to these services, especially those handling more sensitive data. One better alternative for businesses and IT admins is to choose SyncBlaze which is offered as an on-premise option and admins can manage and monitor accounts and also user access to content, so the security factor is totally taken under consideration.
Without wanting to plug Sophos too much. The way we try and solve this problem is doing file encryption for corporate data before it gets to the cloud. The user gets a password to decrypt and the business keeps the keys, it's their data after all!
Cloud computing — no, thank you. I'll keep my own stuff and my company's stuff on the company computers/servers or my own computer as appropriate. I do not trust having company information or my own information stored on some hard drive that I don't even really know where it is. Could be in Iran for all I know.
Reject SAAS http://www.fsf.org