by Nate Lord, Digital Guardian, July 23, 2015

With more enterprises moving to the cloud and more employees using file sharing and cloud storage services in the course of conducting business, effective communication regarding the inherent security risks associated with cloud computing is imperative. Cloud applications enable employees to create, store, and control more data than ever before, but with these new capabilities comes increased risk to sensitive enterprise data. As a result, cloud adoption must be met with a heightened focus on extending data security measures to the cloud.

Effective cloud data protection begins with educating employees on the risks of sharing and storing information in the cloud. But how can companies best communicate these risks along with the appropriate security measures to mitigate them to employees in the modern cloud landscape? To find out how today’s security leaders are handling employee education surrounding data protection in the cloud, we asked business and security leaders to answer this question:

“How can companies effectively communicate the data security risks of cloud storage and file sharing to employees?”

Paul Hill

Paul Hill is a Senior Consultant at SystemExperts, an IT compliance and security consultancy, and works to provide clients with both strategic and practical guidance to build effective security organizations.

The best way to communicate the security risks of file sharing and cloud storage is…

All companies should have a security awareness training program in place to provide ongoing and recurring training of security-related issues to all employees. Some companies perform this by sending monthly emails, others require physical attendance at presentations, while the rest provide online video with post presentation evaluations.

All companies should also have an acceptable use policy (AUP) that covers a wide range of topics. Traditionally, AUPs have covered acceptable use of email and personal use of company computer systems. In recent years, most companies have updated their AUPs to address such topics as social media, the use of personally owned smartphones and tablets, the use of cloud storage, and file sharing services.

While all companies should also have a data classification and data handling policy, the reality is that fewer companies have such a policy in place. A data handling policy should tell users where they are allowed to store different types of company data, what protections are required, and what authorizations are necessary to use unlisted alternatives.

Good security awareness programs usually leverage recent incidents from around the world that have attracted media coverage. In 2014, a number of private images of celebrities were posted to the 4chan site. In at least one case, a celebrity had deleted the image from the phone before the image was stolen, but the image did not get automatically deleted from the cloud. It was determined that the photos had been stolen from the Apple iCloud system. Apple later confirmed that the images had come from iCloud, but that the user accounts had been compromised, rather than any specific security vulnerability in the iCloud service itself having been exploited.

Using this type of example in a timely manner, as part of security awareness training, can be very effective. It may get employees asking questions and checking their configurations. When using these types of examples, they should serve as a starting point. The training should lead employees through thinking about the potential impact if corporate data were stored on the same or a similar system.

Another example that could be used during security awareness training is Dropbox, a very popular file sharing service. More than 2 years ago, Dropbox had a brief period of time during which anyone could access any file stored by Dropbox just by knowing the correct URL. That was a temporary situation, but it could have had a devastating impact on companies if employees had stored sensitive data on Dropbox and it had been disclosed. It demonstrates the loss of user control when using these services. Users of these services are entirely dependent on the capabilities, competencies, and corporate goals of the third-party provider.

One of the biggest problems is that without training, employees often may not know where their data is being stored. Many mobile phone apps provide tight integration with a variety of cloud-based storage systems. In many cases, the app vendor, or phone vendor, may not provide adequate information to the users to make them aware of where the data is stored, who may access the data, how long it may be retained, or the security controls in place to protect the information.

Making employees aware of the risks and getting them to ask relevant questions is a critical component of good security.

To see what all the experts have to say, go to Digital Guardian.