Here’s an interesting meta study, one which looks at heightened risks when two distinct behavior patterns occur. Bitglass, a company that is all about protecting organizational data, wanted to see the impacts of widespread use of public WiFi, alongside the use of unsanctioned file sharing solutions.

First, a disclaimer – Bitglass’ primary customers are large enterprise IT departments that see the world through a haze of bad actors and attackers. If we could classify the world into those who see the glass as half-full, and those who see it as half-empty, Bitglass’ customer persona would very much be in the latter camp. As such, they have a vested interest in pointing out all the risks that exist in the world, and in equating behavior with risk.

With that said, what was this study all about? Bitglass’ Threat Research Team tested two real-world scenarios—public WiFi use and sharing of data from within a cloud app. The assumption being that the combination of public (and, one assumes, at-risk) WiFi and cloud file sharing apps (shock, horror, cue the “cloud is risky” FUD) would deliver a double blow of cataclysmic risk.

Not mincing words, and clearly articulating which side of the fence he sits on, Rich Campagna, CEO of Bitglass, stated that:

“Over the past several years, organizations have enabled employee mobility and collaboration by deploying cloud. A single risky login or unauthorized share can subvert a company’s entire security investment.”

Personally, I find that sort of alarmist tone to be unhelpful – cloud file-sharing platforms tend to have many layers of security and data protection, and while public WiFi is clearly riskier than corporate networks, one could argue that the actual chances of suffering a bad outcome on public WiFi are limited. I’m just one data point, and I may be tempting fate, but I use public WiFi almost constantly and, touch wood, have never suffered a loss because of it.

Anyway, with that recognition of a degree of bias aside, it’s worth looking into the report. To uncover the risks posed by users’ data-related habits, the Bitglass Threat Research Team tested real-world scenarios – frequency of connections to unsecured Wi-Fi hotspots, the rate of external sharing in cloud applications, and the volume of corporate credentials already exposed.

With Wi-Fi hotspots set up in random public spaces, Bitglass was able to capture and analyze user traffic. The experiment found that:

  • One in five individuals connected to Bitglass’ unsecured Wi-Fi over the 10-hour sample period; a slightly longer time frame than a typical work day.
  • 21 people accessed enterprise cloud applications over the unsecured Wi-Fi hotspot, including Office 365, Salesforce, Adobe Marketing Cloud, ADP, Slack, and Asana.
  • Two connected devices navigated to known malware hosts, creating additional risk for data compromise.

Separately, the Bitglass team analyzed the cloud applications of its enterprise customers to uncover the volume of shared cloud data. The team found that:

  • 51 percent of data stored in Google Drive is shared with individuals outside of the enterprise – significantly more than data in other apps.
  • Roughly 19 percent of corporate data stored in Dropbox is publicly available.
  • In organizations with Office 365 deployed, 69.5 percent of OneDrive data is shared internally on average.

MyPOV

Being very much a glass half full kind of a guy (at least when it comes to InfoSec risks), I’m not quite as panicky about these findings as Bitglass appears to be. Firstly, on the public WiFi issue: the fact is that millions (billions?) of people worldwide use public WiFi every month. The number of public WiFi spots that are put in place for nefarious purposes and, by extension, the proportion of people who suffer a loss because of this usage, are infinitesimally low.

At the same time, public WiFi gives huge numbers of people the ability to connect to the internet and get stuff done, while away from corporate networks. As such, a risk versus reward measure needs to be made to determine acceptable versus absolute risk.

As for the other side of the report, the part about the risks around cloud file sharing applications, I’m troubled by Bitglass’ assertion that cloud file sharing applications:

“have become a major risk and one of the top drivers of enterprise data leakage.”

I just don’t buy that. Sure, there are risks with cloud file sharing products, but there are far greater risks with data stored on employees’ laptops or, for that matter, a manila folder of confidential information that some absent-minded employee forgot about at her nearest Starbucks. “Risk” is a relative term and one which has a whole bunch of context around it. Just saying that cloud file sharing is risky is an unhelpful and, in my view, flawed statement.

As always, organizations should assess the real risks for their own data, and remain mindful about bad actors and potential risk vectors. But that is a measure that is specific to a particular organization, a particular situation and a particular piece of data – blanket assessments, and knee-jerk reactions, don’t help anyone.

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.
