Shadow IT Also Brings Shadow Costs

Posted by skyhighnetworks on March 19th, 2014

When Susan Emsley, a nurse at Stanford Hospital, uploaded patient records to Dropbox, she felt like she was improving quality of care. With access to records across computers and mobile devices, doctors could immediately find information to make better decisions. “I mean, we all thought that this was a great way to put information at everyone’s fingertips and manage it electronically.”

Everything went well until Dropbox experienced a major security breach. Under the Health Insurance Portability and Accountability Act (HIPAA), the hospital was required to notify the 13,000 patients whose privacy was potentially compromised because their records were stored on Dropbox during the lapse in security, igniting a multimillion-dollar lawsuit against the hospital.

The cloud is transforming business for the better, making employees more productive and the business more agile. Whether you take a cloud-first approach to major technology projects, or have a wait-and-see approach, employees in the business are using a plethora of different services and apps to do their jobs at the office and anywhere with an internet-enabled device. The average company now uses 626 different cloud services, and this number is growing every day. But for CIOs, CISOs, and IT organizations, these unmanaged cloud services are causing concern about the privacy, security, and compliance of corporate data.

Most employees don’t go through an extensive vetting process before signing up for a new service on their computer or mobile device. Many cloud services don’t have enterprise-grade security. A recent report found that only 11% of cloud services were ready for the enterprise. Among cloud services:

•    15% offer multi-factor authentication
•    4.3% have ISO 27001 certification
•    11% encrypt data at rest

IT organizations aren’t only worried about the company’s data when it leaves the building; the cloud also presents a new platform for launching malware. That’s why the cloud is a top concern among enterprise IT and is coming up more often in risk management conversations. IT security teams need a framework to assess the risk posed by cloud usage, track this risk over time, and take steps to reduce it. Having a quantifiable, objective framework also removes emotion from the equation and allows IT to have a data-driven conversation about balancing the benefits of cloud with the risks.

Before you take any steps to reduce the risk of cloud usage at your company, you first need to assess your current risk. You can think of this step as establishing your baseline level of risk, but you’ll use this same process to evaluate risk going forward. Starting this now is important so you can measure the impact of your changes and demonstrate all the risk you’ve reduced after you’re done. There are two main drivers of cloud risk: the risk of the cloud services based on their security controls, and the type of data and usage patterns of those services.

Each cloud service presents different risks to your company’s data. A cloud service that stores data unencrypted, is hosted in an unfriendly foreign country, and asserts ownership over the IP uploaded to the service is inherently riskier than a service that does the opposite. Then there’s the risk that comes from how the service is used. When regulated data like social security numbers or credit card numbers makes its way to a risky cloud service, the company is at greater risk than if less sensitive data like lunch menus were uploaded to the same service.
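The two drivers described above can be combined into a baseline that is re-measured later. The following is an added example, not part of the original article or any Skyhigh product; the control weights, sensitivity multipliers, service names and usage records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Controls the article names; the weights are assumptions for illustration.
CONTROL_WEIGHTS = {"encrypts_at_rest": 3, "multi_factor_auth": 2, "iso_27001": 1,
                   "customer_keeps_ip": 3, "trusted_jurisdiction": 2}
# Assumed multipliers: regulated data (SSNs, card numbers) vs. lunch menus.
DATA_SENSITIVITY = {"public": 1, "internal": 3, "regulated": 10}

# Constructed catalogue of two hypothetical services.
SERVICES = {
    "filedrop.example": dict.fromkeys(CONTROL_WEIGHTS, False),
    "vaultshare.example": dict.fromkeys(CONTROL_WEIGHTS, True),
}

def service_risk(controls):
    """Driver 1: score from 1 (every control present) to 10 (none present)."""
    missing = sum(w for name, w in CONTROL_WEIGHTS.items() if not controls.get(name, False))
    return 1 + 9 * missing / sum(CONTROL_WEIGHTS.values())

def exposure(events):
    """Driver 2 applied to driver 1: service risk x data sensitivity x uploads."""
    totals = defaultdict(float)
    for service, data_class, uploads in events:
        controls = SERVICES.get(service, {})  # unvetted service: assume no controls
        totals[service] += service_risk(controls) * DATA_SENSITIVITY[data_class] * uploads
    return dict(totals)

def risk_delta(baseline, current):
    """Change per service since the baseline; negative means risk was reduced."""
    return {s: current.get(s, 0.0) - baseline.get(s, 0.0)
            for s in sorted(set(baseline) | set(current))}

# Constructed usage records: (service, data class, number of uploads).
BASELINE_EVENTS = [("filedrop.example", "regulated", 4),
                   ("filedrop.example", "public", 10),
                   ("vaultshare.example", "regulated", 4)]
# Same period after moving regulated uploads to the vetted service.
CURRENT_EVENTS = [("filedrop.example", "public", 10),
                  ("vaultshare.example", "regulated", 8)]

if __name__ == "__main__":
    base, now = exposure(BASELINE_EVENTS), exposure(CURRENT_EVENTS)
    for service, change in risk_delta(base, now).items():
        print(f"{service}: {base.get(service, 0):.0f} -> {now.get(service, 0):.0f} ({change:+.0f})")
```

In this constructed data, the same four regulated uploads score 400 on the service with no controls and 40 on the one with all of them, which is the gap the baseline is meant to make visible.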

Author:
Skyhigh Networks, the cloud security company, enables companies to embrace Cloud Analytics Services with appropriate levels of security, compliance, and governance while lowering overall risk and cost. With customers in financial services, healthcare, high technology, media, manufacturing, and legal verticals, the company was a finalist for the RSA Conference 2013 Most Innovative Company award and was recently named a "Cool Vendor" by Gartner, Inc. Headquartered in Cupertino, Calif., Skyhigh Networks is led by an experienced team and is venture-backed by Greylock Partners and Sequoia Capital. For more information on Shadow IT to Visibility and Cloud Control, visit us at or follow us on Twitter @skyhighnetworks.
