There is an old joke about the politician who is so convinced she is right when she goes against public opinion that she states, “It’s not that we have the wrong policies, it’s that we have the wrong type of voters!” The foolishness of such an attitude is obvious and yet, when it comes to mandating business cloud usage, some companies are still trying to live by a similar motto despite large amounts of research to the contrary.
Cloud usage has grown rapidly in the UK, with adoption rates shooting up over 60% in the last four years, according to the latest figures from Vanson Bourne. This reflects the increasing digitalisation of business and society and the role cloud has in delivering that. Yet, there is an ongoing problem with a lack of clarity and understanding around cloud policies and decision making within enterprises at all levels. This is only natural, as there is bound to be confusion when the IT department and the rest of the company have differing conceptions about what the cloud policy is and what it should be. Unfortunately, this confusion can create serious security issues, leaving IT departments stuck between a rock and a hard place.
Who is right? The answer is, unsurprisingly, both! Increasingly, non-IT decision makers and end-users are best placed to determine the value of new services to the business, but IT departments have long experience and expertise in the challenges of technology adoption and the implications for corporate data security and risk.
Cloud policy? What cloud policy?
Recent research from Trustmarque found that more than half (56 per cent) of office workers said their organisation didn’t have a cloud usage policy, while a further 28 per cent didn’t even know if one was in operation. Despite not knowing their employer’s cloud policy, nearly 1 in 2 office workers (46 per cent) said they still used cloud applications at work. Furthermore, 1 in 5 cloud users admitted to uploading sensitive company information to file sharing and personal cloud storage applications.
When employees aren’t sure how to behave in the cloud and companies don’t know what information employees are disseminating online, the question of a security breach becomes one of when, not if. Moreover, with 40 per cent of cloud users admitting to knowingly using cloud applications that haven’t been sanctioned or provided by IT, it is equally clear that employee behaviour isn’t about to change. Therefore, company policies must change instead – which often is easier said than done. On the one hand, cloud applications are helping increase productivity for many enterprises, and on the other, the behaviour of some staff is unquestionably risky. The challenge is maintaining an IT environment that supports employees’ changing working practices, but at the same time is highly secure.
By ignoring cloud policies, employees are also contributing to cloud sprawl. More than one quarter of cloud users (27 per cent) said they had downloaded cloud applications they no longer use. The sheer number and variety of cloud applications being used by employees means costs can quickly spiral out of control. This provides another catch-22 situation for CIOs seeking balance, as they look to keep costs down, ensure information security and empower employees to use the applications needed to work productively.
The road to bad security is paved with good intentions
The critical finding from the research is that employees know what they are doing is not sanctioned by their organisation and still engage in that behaviour. However, it’s important to recognise that this is generally not due to malicious intent, but rather because they see the potential benefits for themselves or their organisation and security restrictions mean their productivity is hampered – so employees look for a way around those barriers.
It is not in the interest of any business to constrain the impulse of employees to try and be more efficient. Instead, businesses should be looking for the best way to channel that instinct while improving security. There is a real opportunity for those businesses that can marry the desires of employees to use cloud productively, but with the appropriate security precautions in place, to get the very best out of cloud for the enterprise.
Stop restricting and start empowering
The ideal solution for companies is to move towards an integrated cloud adoption/security lifecycle that links measurement, risk/benefit assessment and policy creation, policy enforcement, education and app promotion, so that there is a positive feedback loop reinforcing both cloud adoption and good security practices. This means an organisation will gain visibility into employees’ activity in the cloud so that it can allow their favourite applications to be used, while blocking specific risky activity. This is far more effective than a blanket ban as it doesn’t compromise the productive instincts of employees, but instead encourages good behaviour and promotes risk-aware adoption. In order for this change to be effected, IT departments need to alter their mindset and become the brokers of services such as cloud, rather than the builders of constricting systems. If organisations can empower their users by, for example, providing cloud-enabled self-service, single sign-on and improved identity lifecycle management, they can simultaneously simplify adoption and reduce risk.
Ignorance of cloud policies among staff significantly raises the possibility of data loss, account hijacking and other cloud-related security threats. Yet since the motivation is, by and large, the desire to be productive rather than malicious, companies need to find a way to blend productivity and security instead of having them square off against each other. It is only through gaining visibility into cloud usage behaviour that companies can get the best of both worlds.
Written by James Butler, chief technology officer, Trustmarque