Are Your Bank's Secrets Floating in the Cloud?

Cloud-based digital document archive services such as Dropbox and Yousendit! have infiltrated U.S. companies in a big way and the result is a huge security hole, according to the results of a survey being released July 24 by the Ponemon Institute, a research firm.

Of the 622 IT and IT security executives polled (19% of whom are in financial services), 60% said employees within their organization frequently or very frequently move large files containing business confidential information to such Internet-based file-sharing apps without asking permission. A little more than half (51%) acknowledge this activity could result in the leakage of confidential information.

A study conducted recently by Palo Alto Networks had similar results. The research looked at the use of such software at 2,036 organizations between November 2011 and May 2012 and found an average of 13 different browser-based file sharing documents on each network.

"The take-up rate of these technologies in the workplace is enormous," says Larry Ponemon, chairman of the research group. "These file sharing and file transfer technologies are very convenient. It's not that people are doing it because they're trying to steal data, but they lead to a big problem if companies aren't aware of it and don't implement security over it."

Such services let employees move data and files to a cloud service and later retrieve them from their mobile phones, tablets or home computer. "That kind of movement of documents to the cloud can create a vulnerability, partially because the company's IT and security people may be completely out of touch with the end user and not even know that those risky documents are floating out there," Ponemon says. "We found that an eye-opener. The world of cloud and the convenience of it creates a security nightmare."

Some companies almost force their employees to use such services because they don't provide remote access to documents staff need when they're traveling or working from home or a remote office.

The good news is that IT practitioners in general are aware of the danger, the study found. A third (33%) of respondents don't believe their organization's confidential and sensitive documents — such as product designs, marketing plans and merger documents — are fully secured. Almost two-thirds (65%) believe there is a risk these documents could end up in the hands of unauthorized parties, even competitors. "Most respondents not only say it is a risk, but they acknowledge that it's probably happening within their organizations," Ponemon says. "It's not hypothetical, it's real."

Companies tend to focus on database security and ignore document security, Ponemon says. "For a lot of people who grew up in the security world, their concept of electronic data is a big database," Ponemon observes. "But a lot of company confidential information exists in documents — PowerPoints, Word documents, email and such. If you're a cybercriminal, that's where you're going to find the company's crown jewels."

The average respondent said they detected somewhere between two and 25 gigabytes of company information going to Dropbox through their firewall.

"This is a huge amount of information," says Ryan Kalember, chief product officer at WatchDox, an information security provider that sponsored the Ponemon research. "CIOs tend to worry about it for compliance reasons more than security reasons." But Kalember points out that Dropbox was breached recently. "Most of these cloud storage providers are not designed for sensitive data," he says. "No regulatory body or authority has spelled out under which circumstances it would be OK to use cloud providers. It leads to a lot of risk for most CIOs that we talk to."

The survey respondents are somewhat confident in their general document security skills: 50% say they're excellent or good at removing sensitive or confidential documents from storage or computing devices when that information is no longer needed. "That means 50% are below the bar," Ponemon says. "There's normally a halo effect on surveys, so people who are good say they're great and people who are great say they're exceptional. When 50% of people admit they're below the bar, that's an indicator of a big problem."

There's a security war going on, Ponemon says. "You are constantly battling the issue of convenience," he says. "The traditional security model is, we'll just turn it off. What we've seen over the last 20 years or more is a move to empowering the end user through things like cloud computing, virtualization, remote devices and the ability to do your work from remote locations. The issue is, can you create solutions that are convenient and allow the users to do the things they need to do? Security has a voice, but there's a bigger voice called productivity and profitability."
