Sat. Jan 21st, 2023

Cloud computing security risks

1. Loss or theft of intellectual property

Companies increasingly store sensitive data in the cloud. An analysis by McAfee found that 21% of files uploaded to cloud-based file sharing services contain sensitive data including intellectual property. When a cloud service is breached, cyber criminals can gain access to this sensitive data. Absent a breach, certain services can even pose a risk if their terms and conditions claim ownership of the data uploaded to them.

2. Compliance violations and regulatory actions

These days, most companies operate under some sort of regulatory control of their information, whether it’s HIPAA for private health information, FERPA for confidential student records, or one of many other government and industry regulations. Under these mandates, companies must know where their data is, who is able to access it, and how it is being protected. BYOC (bring your own cloud) often violates every one of these tenets, putting the organization in a state of non-compliance, which can have serious repercussions.

3. Loss of control over end user actions

When companies are in the dark about workers using cloud services, those employees can be doing just about anything and no one would know—until it’s too late. For instance, a salesperson who is about to resign from the company could download a report of all customer contacts, upload the data to a personal cloud storage service, and then access that information once she is employed by a competitor. The preceding example is actually one of the more common insider threats today.

4. Malware infections that unleash a targeted attack

Cloud services can be used as a vector of data exfiltration. McAfee uncovered a novel data exfiltration technique whereby attackers encoded sensitive data into video files and uploaded them to YouTube. We’ve also detected malware that exfiltrates sensitive data via a private Twitter account 140 characters at a time. In the case of the Dyre malware variant, cyber criminals used file sharing services to deliver the malware to targets using phishing attacks.

5. Contractual breaches with customers or business partners

Contracts among business parties often restrict how data is used and who is authorized to access it. When employees move restricted data into the cloud without authorization, the business contracts may be violated and legal action could ensue. Consider the example of a cloud service that maintains the right to share all data uploaded to the service with third parties in its terms and conditions, thereby breaching a confidentiality agreement the company made with a business partner.

6. Diminished customer trust

Data breaches inevitably result in diminished trust by customers. In one of the largest breaches of payment card data ever, cyber criminals stole over 40 million customer credit and debit card numbers from Target. The breach led customers to stay away from Target stores, and led to a loss of business for the company, which ultimately impacted the company’s revenue. See number 9 below.

7. Data breach requiring disclosure and notification to victims

If sensitive or regulated data is put in the cloud and a breach occurs, the company may be required to disclose the breach and send notifications to potential victims. Certain regulations such as HIPAA and HITECH in the healthcare industry and the EU Data Protection Directive require these disclosures. Following legally-mandated breach disclosures, regulators can levy fines against a company and it’s not uncommon for consumers whose data was compromised to file lawsuits.

8. Increased customer churn

If customers even suspect that their data is not fully protected by enterprise-grade security controls, they may take their business elsewhere to a company they can trust. A growing chorus of critics is instructing consumers to avoid cloud companies that do not protect customer privacy.

9. Revenue losses

News of the Target data breach made headlines and many consumers stayed away from Target stores over the busy holiday season, leading to a 46% drop in the company’s quarterly profit. The company estimated the breach ultimately cost $148 million. As a result, the CIO and CEO resigned and many are now calling for increased oversight by the board of directors over cyber security programs.

According to the Ponemon BYOC study, a majority (64 percent) of respondents say their companies can’t confirm if their employees are using their own cloud in the workplace. Trust us—they are. In order to reduce the risks of unmanaged cloud usage, companies first need visibility into the cloud services in use by their employees. They need to understand what data is being uploaded to which cloud services and by whom. With this information, IT teams can begin to enforce corporate data security, compliance, and governance policies to protect corporate data in the cloud. The cloud is here to stay, and companies must balance the risks of cloud services with the clear benefits they bring.
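One way to get the visibility described above (which data volume goes to which cloud service, and from whom) is to aggregate uploads from web proxy logs. The following is an added example, not part of the original article; the log format, the domain-to-service map, the sanctioned list and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed domain-suffix -> service map (illustrative, not exhaustive).
CLOUD_SERVICES = {"dropbox.com": "Dropbox", "box.com": "Box", "youtube.com": "YouTube"}
SANCTIONED = {"Box"}  # Assumption: the only service IT has approved.
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample proxy log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2023-01-20T09:01:12Z alice POST upload.box.com 52000
2023-01-20T09:03:40Z bob GET www.dropbox.com 300
2023-01-20T09:05:02Z bob POST content.dropbox.com 48000000
2023-01-20T09:06:30Z bob PUT content.dropbox.com 12000000
2023-01-20T09:10:11Z carol POST upload.youtube.com 900000
2023-01-20T09:12:00Z carol POST intranet.example.com 700
malformed line
"""

def classify(host):
    """Return the cloud service a host belongs to, or None."""
    host = host.lower().rstrip(".")
    for suffix, name in CLOUD_SERVICES.items():
        # Match the domain or a true subdomain, so "notbox.com" is not Box.
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def upload_inventory(log_text):
    """Total bytes uploaded per (user, service); skips unparseable lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        _, user, method, host, sent = parts
        service = classify(host)
        if service and method.upper() in UPLOAD_METHODS:
            totals[(user, service)] += int(sent)
    return dict(totals)

def unsanctioned(totals):
    """Uploads to services outside SANCTIONED, largest first."""
    rows = [(u, s, b) for (u, s), b in totals.items() if s not in SANCTIONED]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for user, service, sent in unsanctioned(upload_inventory(SAMPLE_LOG)):
        print(f"{user:6} {service:12} {sent:>12,} bytes uploaded")
```

Byte counts per user and service give a starting inventory; what the uploaded files contain still has to come from content inspection, which proxy metadata alone does not provide.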