Already tested by the BYOD movement, security-conscious IT admins are increasingly forced to cope with employees exposing their organization to security risks and unforeseen expenses by signing on to unauthorized cloud services. This includes storing customer records on Dropbox, enlisting Amazon Web Services to test beta code, or creating and sharing sensitive documents via Google Docs.
A new study from Symantec titled "The Myth of Keeping Critical Business Information Out of Clouds" points to the chasm between users and IT admins over access to cloud applications. Among 165 IT managers and staffers, 76 percent reported that their company monitors cloud policies. What's more, 81 percent of IT admins said their company had clearly outlined consequences for violating those policies. Yet 55 percent of surveyed end-users said they weren't aware of any such policies, and 49 percent said they didn't know of any consequences for violating said policies.
The problem with the disconnect is that savvy IT admins are keenly aware of the potential threats of permitting unbridled, unmanaged access to cloud services. IBM, for example, has developed cloud policies in which the company blocks internal access to Dropbox, iCloud, and even Siri. Meanwhile, VMware, Symantec, RightScale, and others are baking features into their products for better managing and locking down cloud access.
Part of the issue is that end-users tend not to understand security risks; others simply ignore them. As a result, they choose easy-to-crack passwords, fall for well-crafted phishing attacks, or visit malicious sites that install password-sniffing malware on their machines. If a cyber criminal is able to dupe an employee into coughing up his password for Dropbox -- in which the user has been storing sensitive customer data -- then the company has been unwittingly exposed to data theft.
End-users aren't entirely to blame; while some willfully break security rules, others are merely unaware of security risks due to insufficient training or communication. Not only is it IT's duty to lock down or secure access to third-party cloud services (just as they should be doing with onsite resources), admins must also ensure that users are aware of the policies and are adhering to them.
Back to the survey: IT workers said their companies have clear policies on an array of types of cloud services. Sixty-three percent said they have rules in place pertaining to online email and communications, yet only 50 percent of employees said they knew of such policies. Seventy-four percent of admins said they had policies pertaining to file-sharing software, whereas 42 percent of end-users said they knew about those policies. Finally, 77 percent of IT admins said they'd adopted policies for cloud-based storage and backup, for productivity apps, and for contact manager apps. From the end-user perspective, only 49 percent knew of the cloud storage rules; 59 percent were aware of the productivity app policies; and 48 percent had an inkling of the contact-manager app rules.