Published: 02 Jan 2014
A surprising number of firms suspect that employees use consumer online file-sharing services on their work devices to store and share sensitive data.
How dangerous are rogue consumer online file-sharing services when introduced to a company? That all depends on the files: sensitive or not, regulated or not, critical or not. When Enterprise Strategy Group (ESG) set out to interview IT managers on the trend known as shadow IT, the results were unnerving. Many of the companies surveyed, even those in heavily regulated industries, have employees who use personal file-sharing services outside of those approved and managed by their IT departments. Worse yet, they're storing sensitive information -- subject to regulatory and compliance laws -- in those services.
ESG defines the online file-sharing (OFS) market as products that help customers share, access or collaborate on documents or files shared in a public, private or hybrid cloud, or over the Internet. This includes products such as Box, Citrix ShareFile, Dropbox and EMC Syncplicity, and ESG is tracking as many as 60 products in the quickly growing market segment.
We surveyed 250 IT professionals responsible for the operation, management and protection of unstructured data and collaboration platforms -- such as shared file servers, NAS systems or Microsoft SharePoint -- in industries subject to government regulation. The goal was to understand the regulatory environment these companies face, their propensity for using a public, cloud-based offering versus hybrid or on-premises solutions, and how prevalent shadow IT is.
Regulatory oversight and reality
While regulatory requirements vary significantly by industry, more than half the companies ESG surveyed are subject to Health Insurance Portability and Accountability Act (HIPAA) and/or Sarbanes-Oxley regulations. Other regulations, such as the Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS) and the Personal Information Protection and Electronic Documents Act (PIPEDA) also apply, as do a number of industry-specific requirements. Most of the companies surveyed have undergone at least one regulatory audit within the past five years; one-third of respondents have been audited at least five times over the past five years, and one-third of all respondents have failed audits. It's clear that these companies are under pressure to meet strict compliance regulations.
Given the rate of regulatory oversight, it's not surprising that most of these companies have a formal policy against using personal file-sharing services for corporate data; we also see a much higher percentage of companies in this market with policies prohibiting personal accounts than in an earlier broad market survey.
Yet despite the oversight, nearly two-thirds of the organizations surveyed either know (32%) or suspect (28%) that rogue consumer online file-sharing services are being used within the company.
That's not the scariest part. When ESG asked how likely it is that one or more employees are storing sensitive data in rogue accounts, 62% of respondents said it's either likely or very likely. When asked how likely it is that one or more employees are storing regulated data in rogue consumer accounts, 69% said that it was likely or very likely. In fact, only 6% said it's not at all likely. That's just terrifying.
Imagine the regulated information -- such as banking, health or credit card data -- that could be floating around in someone's personal Dropbox or SugarSync account. And because that data is stored in personal and not corporate accounts, it leaves with the employee should they depart the company … with IT none the wiser. In addition, the data would be accessible from any number of devices that the employee (or their family members) may use with their personal file-sharing service.
Why formalizing file sharing makes sense
Obviously, policies that prohibit storing sensitive data in personal OFS accounts don't work. That means it's imperative for IT to offer an alternative to storing sensitive or regulated data in personal OFS accounts. There's a clear need for online file-sharing tools and strategies in organizations such as these; otherwise, the reported numbers would be lower. So it's important for IT organizations to roll out a corporate alternative that meets employee requirements.
We're beginning to see that trend develop. Almost 50% of the organizations we surveyed report they have rolled out a corporate OFS solution for some use cases (in limited scope, mostly for workgroups for specific projects).
Many corporate OFS vendors are building out capabilities that allow them to participate in regulated workflows. HIPAA, given its broad applicability across organizations, is high on the target list for many vendors, and many others report they can participate in HIPAA-regulated workflows and meet the appropriate requirements. FISMA and PCI DSS are also on their priority lists. After that, coverage gets pretty spotty.
What these OFS offerings can do is limit access to data, and limit what users can do with those files (read, write, modify and/or share). Most of them offer reporting and auditing capabilities that provide IT with insight into which employees are accessing what information, and whom they're sharing it with.
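To make the two controls just described concrete, here is an added example (written for this page, not code from any OFS vendor or from ESG) that models a per-file permission policy and the kind of audit report IT gets from it. The role/action table, the corporate domain example.com, the event fields and the sample events are all assumptions constructed for the example.

```python
"""Toy model of a corporate OFS access policy plus its audit report.
Constructed example; the policy and the events below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

CORPORATE_DOMAIN = "example.com"  # assumed corporate e-mail domain

# Allowed actions per (classification, role). Assumption for this example:
# regulated files may only be shared by their owner; viewers only read.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "regulated": {
        "owner":  {"read", "write", "modify", "share"},
        "editor": {"read", "write", "modify"},
        "viewer": {"read"},
    },
    "internal": {
        "owner":  {"read", "write", "modify", "share"},
        "editor": {"read", "write", "modify", "share"},
        "viewer": {"read"},
    },
}


@dataclass
class AuditEvent:
    user: str            # actor, e-mail address
    action: str          # read | write | modify | share
    path: str            # file inside the corporate OFS
    classification: str  # regulated | internal
    role: str            # actor's role on that file
    recipient: str = ""  # share target, only meaningful for "share"


@dataclass
class AuditReport:
    accessed: Dict[str, Set[str]] = field(default_factory=dict)     # user -> files
    shared_with: Dict[str, Set[str]] = field(default_factory=dict)  # user -> recipients
    violations: List[str] = field(default_factory=list)             # denied attempts


def is_external(address: str) -> bool:
    """True when the address is outside the corporate domain."""
    return not address.lower().endswith("@" + CORPORATE_DOMAIN)


def is_allowed(ev: AuditEvent) -> bool:
    """Apply the role table, then the rule that regulated data never leaves the domain."""
    allowed = POLICY.get(ev.classification, {}).get(ev.role, set())
    if ev.action not in allowed:
        return False
    if ev.action == "share" and ev.classification == "regulated" and is_external(ev.recipient):
        return False
    return True


def build_report(events: List[AuditEvent]) -> AuditReport:
    """Who accessed what, whom they shared it with, and what was blocked."""
    rep = AuditReport()
    for ev in events:
        if not is_allowed(ev):
            target = f" -> {ev.recipient}" if ev.recipient else ""
            rep.violations.append(f"{ev.user} {ev.action} {ev.path}{target}")
            continue  # a denied action is not an access
        rep.accessed.setdefault(ev.user, set()).add(ev.path)
        if ev.action == "share":
            rep.shared_with.setdefault(ev.user, set()).add(ev.recipient)
    return rep


# Constructed sample audit trail (not real data).
LEDGER = "/finance/q3-ledger.xlsx"
PLAN = "/marketing/launch-plan.docx"
SAMPLE_EVENTS = [
    AuditEvent("alice@example.com", "read", LEDGER, "regulated", "editor"),
    AuditEvent("alice@example.com", "share", LEDGER, "regulated", "editor", "bob@example.com"),
    AuditEvent("carol@example.com", "share", LEDGER, "regulated", "owner", "dave@personalmail.test"),
    AuditEvent("carol@example.com", "share", LEDGER, "regulated", "owner", "bob@example.com"),
    AuditEvent("bob@example.com", "modify", PLAN, "internal", "editor"),
    AuditEvent("bob@example.com", "share", PLAN, "internal", "editor", "agency@partner.test"),
    AuditEvent("erin@example.com", "write", LEDGER, "regulated", "viewer"),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_EVENTS)
    for user, files in report.accessed.items():
        print(f"{user} accessed: {sorted(files)}")
    for user, people in report.shared_with.items():
        print(f"{user} shared with: {sorted(people)}")
    print("blocked:", *report.violations, sep="\n  ")
```

The three blocked attempts (an editor sharing a regulated file, an owner sharing it outside the domain, a viewer writing to it) are exactly the events that would be invisible if the same spreadsheet sat in a personal account; a corporate OFS turns them into a report IT can act on.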
Most early adopters of OFS products are using cloud-based offerings, but there's significant interest among these organizations in deploying solutions that would allow them to store some or all their data on premises. Vendors have responded with the emergence of hybrid or even on-premises solutions. Others are addressing the security concerns surrounding public cloud deployments by allowing subscribers to manage their own encryption keys so that no employee of the service provider can access readable data (nor turn that data over in the event of a subpoena).
The moral of the story is this: IT is no longer in command of data. It's much too easy for an employee to access and use productivity applications they source from some public app store. IT can put policies in place to punish or regulate the behavior (but we've repeatedly seen those policies fail), or it can embrace the behavior and formalize the process to gain control over corporate data. There are OFS offerings available that meet the needs of regulated environments. Still, just adopting a corporate solution and telling employees to use it isn't enough. IT needs to work with the departments that have collaboration needs and make them part of choosing the solution. If you put some of the onus on the knowledge workers themselves, since they understand their needs best, they're much more likely to adopt a solution they were a party to choosing.
About the author:
Terri McClure is a senior storage analyst at Enterprise Strategy Group, Milford, Mass.