Despite a lack of appropriate visibility and control measures in place, cloud-based HR applications are now the most highly used cloud applications across organisations, with 139 such apps being used by organisations on average.
Over the last few years, organisations across the UK have developed and put in use hundreds of thousands of enterprise cloud applications to benefit from their ease of usage and also to store and process enterprise and customer data on a large scale. So widespread has been the use of cloud applications, that according to Netskope's latest February 2018 Cloud Report, there are 1,181 cloud services in use at an average organisation.
Out of these services, HR and marketing apps now dominate as the most highly used cloud applications, with an average of 139 and 121 such apps in use across organisations respectively. Most HR apps, including popular ones like SuccessFactors and Workday contain a lot of personal data as well as data belonging to employees, and their heavy use suggests they have benefited organisations immensely in terms of convenience and data processing timelines.
However, a significant percentage of HR apps are procured by lines of businesses or individuals and therefore do not enjoy the kind of visibility and controls that are enjoyed by sanctioned, IT-led applications. This lack of visibility ensures that vulnerabilities in such applications are neither detected nor patched frequently, thereby placing customer data at risk.
Considering how widely HR apps are being used by organisations, researchers at Netskope said that such apps should be armed with data loss prevention tools and access controls to ensure that they remain compliant to the upcoming GDPR which will place a premium on the security of customer data.
“Too many businesses rely solely on protections provided by cloud app providers, some of which are simply not geared up to defend and mitigate risks such as business continuity and data loss. This is a particular challenge for HR and marketing teams, who act as the gatekeepers for confidential and sensitive personal data, which comes under close scrutiny for GDPR compliance,” said Ross Jackson, vice president of customer transformation and innovation at Mimecast, in an email to SC Magazine UK.
"For example email impersonation attacks are commonly used to trick HR teams into giving away confidential employee data and easily bypass many traditional security defences.
A cyber-resilience strategy is crucial for maintaining individual privacy and security and fundamental part of GDPR compliance. This must go beyond security, and look at business continuity, data loss and updating outdated email archives and backups that hold personal and sensitive data," he added.
According to Netskope, frequent use of HR apps that have low IT visibility isn't the only issue that organisations will have to tackle by the time GDPR comes into force. Out of all cloud applications analysed by the firm, 67.9 percent did not specify that the customer owns the data, 80.7 percent did not support encryption at rest, and 40.5 percent of such applications replicated data in geographically dispersed data centres. The firm said that in order to comply with GDPR, organisations will need to find personal data across their cloud services to inform their security policies around that data.
At the same time, the firm also noted that employees continue to routinely engage in unsafe practices that place customer and enterprise data at risk. These practices include downloading of personally identifiable information from an HR application to a mobile device, sharing of documents in cloud storage with persons outside of a company, and unauthorised users being allowed to modify financial fields in finance cloud services.
Joe Pindar, director of product strategy at Gemalto, told SC Magazine UK in an email that the increase in the adoption of cloud-based applications has brought with it a false sense that any data or application based in the cloud is automatically secure, thereby placing businesses and their customers at risk of a potential data breach.
"GDPR means business can no longer have a ‘head in the sand' mentality and must start asking the right questions about the service providers they are looking at. What are their processes, are they compliant? In order to ensure compliance, a business must not leave it to others and has to ensure it is able to control access to its data and protect against people that shouldn't. Protocols such as single-sign-on to authenticate people, encryption to protect the data and key management to secure the encryption, are all a necessity.
"The cloud, if done right, can offer better security than businesses would have been able to afford working by themselves. This security is worthless though, without the proper tools in place," he added.