Organizations must take steps to reduce risks from unmanaged file-sharing services.
Cloud applications and services make it easy for business users to explore new ways to do their jobs with improved speed, flexibility and efficiency. Unfortunately, they also make it easy to circumvent IT authorization, which significantly heightens the risk of data loss and compliance violations.
A variety of surveys show that shadow IT — the practice of adopting and using cloud-based applications or services without IT’s knowledge or permission — has become commonplace. Unmanaged file-sharing services have become particularly problematic, with employees routinely using cloud-based services such as Box, Dropbox, Google Drive, SugarSync and YouSendIt in violation of IT policy.
There doesn’t seem to be any malicious intent — most users say they aren’t even aware they are dodging the rules. They just know that these services provide a hassle-free way to collaborate and share files quickly and easily.
Security and Compliance Concerns
Nevertheless, the use of such services puts IT in a tough spot. If IT doesn’t know an application is being used, it can’t be monitored, secured and controlled. Security policies can’t be applied, and activity can’t be tracked or analyzed. This not only increases the risk of data leakage, it can make regulatory compliance very difficult. IT organizations can’t pass security audits if they don’t know what files have been shared, by whom or with whom.
As a result, industry analysts say data leakage and loss from file sharing is now just as significant a risk as data theft. Larry Ponemon, chairman of the Ponemon Institute, notes that although most companies take steps to protect themselves from hacking and other malicious activities, “these same organizations are entirely unprepared to guard against risky and ungoverned file sharing using consumer-grade applications like Dropbox.”
In a recent Ponemon Institute survey of 1,403 IT professionals from the U.S., U.K. and Germany, 49 percent reported they had at least one confirmed file-sharing data breach in the previous two years. In two such breaches, the University of Oklahoma and Stanford University reported that misconfigured privacy settings on file-sharing platforms resulted in the exposure of confidential student records.
One way to avoid these issues is to standardize with an on-premises file-sharing and collaboration solution and educate employees on the need to use that solution exclusively. Many organizations take advantage of Microsoft’s collaboration portfolio, which includes SharePoint for content and workflow management and OneDrive for Business, which is a file-sync-and-share application that integrates with SharePoint. There’s even a cloud option for this approach through Office 365, which makes it easy to share files and folders by creating a shareable link.
Another approach is to upgrade to business-class versions of the well-known online services. Unlike the free, consumer-grade services, solutions such as Dropbox for Business, Box Enterprise, Citrix ShareFile, SyncPlicity and Egnyte require a subscription. But they offer significant security improvements, including encryption, authentication, monitoring, auditing, policy management, electronic document signing and customizable storage configurations.
The unmanaged use of cloud file-sharing services creates significant risk, but it isn’t an insurmountable problem. Standardizing on a business-grade solution ensures that users can still access, share and collaboratively edit files in real time while boosting IT’s ability to secure and manage the collaborative process. Achieving a balance of usability and security is the key to reducing the spread of shadow IT, limiting the risk of data exposure and boosting regulatory compliance.