You could be forgiven for thinking that the boy band One Direction and your IT department have nothing in common. One lives a life of glamour, girls, drink, and rock'n'roll excess. And then there's One Direction…
But last month it was revealed that these two modern institutions could have more in common than you might think. The website of local newspaper the Metro reported that, following the well-publicised celebrity photo hacks which spat out the private photos of A-listers like Jennifer Lawrence, no lesser trendsetters than One Direction decided to stop using Apple's hugely popular cloud service.
In an extract from what one can only suppose was an arduous, Paxman-esque grilling, band member Louis Tomlinson sagely theorised that “The positives far outweigh the negatives. You've got your toes in now… I'm just not going to be using iCloud again.” Well, quite.
But do the fresh-faced pop scamps have a point? After such a high-profile spate of breaches alleged to have originated from targeted attacks on individual celebrities' iCloud accounts, is this more a sensible precaution than a knee-jerk reaction?
For IT security professionals, this story probably has one major thing in common with all One Direction-related news, in that you're doubtless asking yourself why you should care. Well, here's why. Like it or not, your employees are bringing iCloud and hundreds of other potentially non-enterprise-ready cloud apps into the enterprise, and most organisations probably don't even know they're doing it, let alone what sensitive data employees might be uploading. You can't protect what you can't see. So are cloud apps worth the risk?
The question of whether enterprises should stop using cloud apps entirely due to security concerns is a thorny one, mainly because of that famous old maxim about the trade-off between security and productivity. The fact is that cloud apps help us all to do our jobs. Staff like them because they're free, simple and easy to use, and they can dive in without the IT department's permission. As One Direction will almost certainly never sing, “that's what makes cloud beautiful,” right?
But for those same reasons, cloud apps are a headache for IT departments, which often have no visibility of what apps employees are using, or what data are being uploaded into the cloud. The latest Netskope Cloud Report showed that enterprises vastly underestimate how many cloud apps are in use within their organisations, with an average of 579 cloud apps now in use within each enterprise (up from an average of 508 the previous quarter).
Worse still, a massive 88.7 percent of these apps are adjudged not to be enterprise-ready, meaning that organisations are still underestimating not only the scale of shadow IT, but also its associated risks.
Stopping using cloud apps entirely might well be an option for One Direction, but it's not advisable in an enterprise setting. Rather than blocking cloud apps, which annoys employees, increases cost and kills productivity, there are three steps IT departments should take to ensure safe cloud app use.
First, organisations need to understand what apps they have running in the enterprise, their security stance and the risk they pose. Then, IT teams should get a handle on how people are using those apps, and what corporate data are in them. And finally, they should enforce granular, activity- and data-level policies across all cloud apps – regardless of whether they're sanctioned by IT – to protect sensitive corporate data and put a stop to risky behaviour.
One Direction has clearly decided that it has more to lose than to gain from iCloud, and businesses also face huge risks from data breaches arising from shadow IT. But unlike the 1D boys, businesses have the power to safely enable cloud use. Gaining an understanding of which cloud apps are in use and how your employees are using them is the starting point to applying intelligent policy to protect your data.
For the IT department, taking action now will help ensure that data breaches from cloud apps don't become the “story of [your] life.”
Contributed by Eduard Meelhuysen, VP EMEA, Netskope