Risky cloud, Shadow IT and “watering hole attacks”
Last September we posted a news item about the checks you should make when choosing a cloud provider, with particular emphasis on making sure that the cloud services being evaluated have the pedigree to be in the market for the long run.
Last week, California based company Skyhigh Networks released its first European Cloud Adoption and Risk Report, which makes interesting (and worrying) reading on other fronts for adopters of cloud services in Europe.
Analysing usage data from more than 1 million users across 40 companies in high profile industries in Europe, a key finding was that “only 9% of the cloud services in use provide enterprise-grade security capabilities, while the remaining 91% (more than 9 out of 10) pose medium to high security risks to organisations.”
And further, “only 1% of the cloud services in use both offer enterprise-grade security capabilities and store data in Europe’s jurisdictional boundaries…”
That means that 99% of cloud services store data in countries where data privacy laws are less stringent or don’t have enterprise-grade security capabilities, or both.
Data privacy and data residency are key issues as 99% of cloud services either store data in countries such as the US, Russia and China, where data privacy laws are less stringent, or don’t have enterprise-grade security features.
The report reveals that 25 of the top 30 cloud services in the collaboration, content sharing and file-sharing categories were based in countries outside Europe and, despite much recent publicity around data privacy, as much as 72% of cloud services used in Europe store data in the US, with possible legal and compliance implications.
In addition to these findings, the report highlights how these problems are exacerbated by “Shadow IT”. Shadow IT is a term used to describe IT systems and solutions built and used inside organisations without approval, particularly from the IT department or management.
Because it is easy for employees to use cloud applications, many are used without approval and without consideration of the security implications or wider business impact. The report found that 49 different services in use are tracking the browsing behaviour of employees on the Internet. This exposes organisations to the increasingly prevalent watering hole attack.
So, what is a “watering hole attack”? These attacks are targeted at specific businesses or organisations; they are not random in nature. Hackers may track the browsing behaviour of employees of the target organisation to find a website those employees trust, and then compromise that website so that visiting it results in a malware infection. This malware might be in the form of a remote access Trojan, which allows attackers to access sensitive data and even take control of vulnerable systems.
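The first defensive step against both Shadow IT and the browsing-tracking exposure described above is simply knowing which cloud services employees actually reach. The following script is an added example, not code from the original post or from the Skyhigh report: it parses Squid-style proxy log lines, matches the destination hosts against a small service catalogue, and flags each service as unsanctioned, hosted outside Europe, lacking enterprise-grade security, or known to track browsing. The catalogue entries, domain names, country list and log lines are all constructed sample data, and the risk attributes are hypothetical rather than real classifications of any provider.

```python
"""Shadow-IT discovery from proxy logs (added example; constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudService:
    name: str
    hosting_country: str     # where the provider stores customer data (assumed)
    enterprise_grade: bool   # e.g. SSO, encryption at rest, audit logging
    tracks_browsing: bool    # embeds trackers that record user browsing


# Constructed catalogue: hostnames, names and attributes are hypothetical.
CATALOGUE = {
    "files.example-eu.com": CloudService("EU File Share", "DE", True, False),
    "share.example-us.com": CloudService("US Share", "US", False, False),
    "collab.example-ru.net": CloudService("RU Collab", "RU", False, False),
    "metrics.example-tracker.io": CloudService("Tracker Analytics", "US", False, True),
}
APPROVED = {"EU File Share"}            # services sanctioned by the IT department
EU_COUNTRIES = {"DE", "FR", "NL", "IE", "IT", "ES", "SE", "PL", "AT", "BE"}

# Squid access.log layout: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
1700000000.123    120 10.0.0.5 TCP_TUNNEL/200 4523 CONNECT files.example-eu.com:443 - HIER_DIRECT/203.0.113.10 -
1700000001.456     98 10.0.0.7 TCP_TUNNEL/200 2210 CONNECT share.example-us.com:443 - HIER_DIRECT/203.0.113.11 -
1700000002.789     15 10.0.0.5 TCP_MISS/200 812 GET http://metrics.example-tracker.io/pixel.gif?u=123 - HIER_DIRECT/203.0.113.12 image/gif
1700000003.012    200 10.0.0.9 TCP_TUNNEL/200 9981 CONNECT collab.example-ru.net:443 - HIER_DIRECT/203.0.113.13 -
1700000004.345     77 10.0.0.7 TCP_TUNNEL/200 3300 CONNECT files.example-eu.com:443 - HIER_DIRECT/203.0.113.10 -
malformed line that should be skipped
""".splitlines()


def host_of(url):
    """Extract the hostname from 'host:443' (CONNECT) or a full URL (GET)."""
    m = re.match(r"^(?:https?://)?([^/:]+)", url)
    return m.group(1).lower() if m else None


def parse_log(lines):
    """Yield (client, host) pairs, silently skipping unparseable lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        if host:
            yield m.group("client"), host


def assess(lines):
    """Return {service name: {"users": count, "flags": [...]}} for services seen."""
    users = defaultdict(set)
    for client, host in parse_log(lines):
        svc = CATALOGUE.get(host)
        if svc:
            users[svc.name].add(client)
    report = {}
    for name, clients in users.items():
        svc = next(s for s in CATALOGUE.values() if s.name == name)
        flags = []
        if name not in APPROVED:
            flags.append("shadow-it")
        if svc.hosting_country not in EU_COUNTRIES:
            flags.append("data-outside-eu")
        if not svc.enterprise_grade:
            flags.append("no-enterprise-security")
        if svc.tracks_browsing:
            flags.append("tracks-browsing")
        report[name] = {"users": len(clients), "flags": flags}
    return report


if __name__ == "__main__":
    for name, entry in assess(SAMPLE_LOG).items():
        print(f"{name:<20} users={entry['users']} flags={','.join(entry['flags']) or 'none'}")
```

In practice the catalogue would be fed from a CASB or a maintained registry of cloud providers rather than hand-written, and the proxy log would be read from the real gateway; the point of the example is that the raw data needed to discover Shadow IT and to answer the "where is my data stored?" question already exists in most organisations' egress logs.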
Lessons to be learned?
Be smart about the cloud and its risks. Check out your cloud services provider carefully – where will they store your data, and what are their security capabilities?
If you haven’t already done so, establish internal and external data privacy, security, and governance policies. Ensure compliance to avoid the potential reputational and financial consequences of poor data security.
If you wish to discuss the pros and cons of cloud services or hosting solutions, please give us a call – we believe in recommending the right solution tailored to every business's specific needs and providing professional and impartial advice.