Global Analysis of 30 Million Users Reveals Risky Employee Behavior, Difficulty Detecting Threats and Failure to Enforce Governance
Skyhigh Networks, the world’s leading Cloud Access Security Broker (CASB), today released its Q4 2016 Cloud Adoption and Risk Report to provide hard data on the risks companies encounter across 20,000+ cloud services. The report analyzes cloud usage data from more than 30 million enterprise employees worldwide that span every major industry vertical.
The new report provides a clear view into the year-over-year rise in workplace cloud usage, resulting in security and compliance lag as companies fail to proactively address emerging risks. For example, despite the average company using 1,427 cloud services to upload an average of 18.5 TB of data to cloud applications each month, less than 9 percent of cloud providers are taking the strict data security and privacy steps recommended for a modern enterprise. Companies specifically struggle with securing employee behavior, accurately detecting threats and enforcing cloud governance.
“As confidence in cloud grows and organizations trust providers with their most sensitive data, it is more important than ever to emphasize the shared-responsibility model that requires enterprises to secure employee usage and access to data in the cloud,” said Kaushik Narayan, co-founder and CTO, Skyhigh Networks. “Companies struggle to detect cloud security incidents from stolen passwords, internal users and even application administrators, yet these are the threats that pose the greatest risk to corporate data.”
Among the key findings from the report:
- Securing the New Systems of Record - Nearly one-fifth of all documents in file sharing and collaboration apps contain sensitive data indicative of critical business operations. Cloud facilitates sharing with business partners, but 9.3 percent of files shared externally contain sensitive data. Five percent of all files are accessible by anyone with a link and 6.2 percent are shared with personal email addresses, indicating companies have not updated security policies to address the sharing capabilities of cloud.
- Threats Turned Inside Out - The wide acceptance of cloud applications for critical business use has information security teams worried about what data leaves the cloud rather than focusing only on detecting incoming threats. The average company experiences 23.2 cloud-related security incidents each month, more than half of which originate from malicious or negligent insiders. Employees at the average enterprise generate 2.7 billion cloud activity events per month, leading to 2,542 anomalous events. However, just 23.2 turn out to be threats – a 110:1 ratio from anomalies to actual threats. Security teams widely report inaccurate breach notifications, resulting in alert fatigueand missed incidents. 57.5 percent of companies experienced a threat involving a privileged user, an especially dangerous category of incident given the wide access of application administrators.
- Ineffective Cloud Governance - Only 8.1 percent of all cloud services satisfy the data security and privacy requirements to earn Skyhigh’s CloudTrust Enterprise-Ready rating; for example, fewer than one-in-10 encrypt data at rest and a similarly small percentage commit to not sharing customer data with third parties. A majority of companies claim to have cloud governance policies around acceptable use for cloud services. Despite their best efforts to enforce these policies, usage data shows companies frequently fail to effectively block high-risk services. For example, companies intend to block high-risk file sharing service Mega 54 percent of the time, but only successfully block it in 32.8 percent of instances.
- Calm Before the IaaS Storm - While the first wave of enterprise cloud adoption centered around SaaS, including cloud versions of legacy software like Office 365, an equal if not larger migration will occur when custom applications leave corporate data centers for the public cloud. It is no secret that Amazon Web Services is the market leader in IaaS with 35.8 percent of the market, but Microsoft has significantly closed the gap with Azure and currently possesses 29.5 percent market share. Meanwhile, Google Cloud Platform combined with other niche providers collectively make up 34.7 percent of new application deployments – not to mention PaaS services like Force.com.
The report also includes critical data for understanding the enterprise cloud market: the most popular enterprise applications; the most popular consumer applications; the most banned cloud services; and the highly anticipated list of the fastest growing services, indicative of tomorrow’s market leaders and category creators.
Skyhigh Networks, the world’s leading Cloud Access Security Broker (CASB), enables enterprises to safely adopt cloud services, while meeting their security, compliance and governance requirements. With more than 600 enterprise customers globally, Skyhigh provides organizations the visibility and management for all their cloud services, including understanding cloud usage and risk, enforcing data loss prevention policies; detecting and preventing internal and external threats; encrypting data with customer-controlled keys; and implementing access-control policies. Headquartered in Campbell, Calif., Skyhigh Networks is backed by Greylock Partners, Sequoia Capital, Thomvest Ventures, Tenaya Capital and other strategic investors.