The Hidden Risks of Using Cloud Storage Services for Enterprise File Sharing

There are plenty of reasons why end users within enterprise-class organizations are discouraged from using consumer-grade cloud storage service as a means of sharing files. Some of the major reasons include data residency and sovereignty issues, as well as potential misalignment with regulatory requirements.

As if these reasons were not enough, there are also some hidden risks associated with allowing users to use these services.

Insider Threats

One such risk has to do with insider threats, especially if an employee chooses to leave the company.

Normally, when an employee leaves the company, they will complete an offboarding process. This process typically consists of revoking access to IT assets, verifying that the employee has returned any devices that are owned by the organization, deactivating the key cards that give the employee physical access to the building, among other things.

The problem, however, is that there is no easy way for the IT department to audit the user’s personal cloud accounts in order to verify that the user has not kept copies of sensitive business data.

To put it another way, if an organization is in the habit of looking the other way when employees use consumer-grade cloud storage services to share data with one another, then there is a very real risk that an employee who knows that they are about to be fired or who has chosen to go to work for a competitor could take sensitive data with them, putting data at risk for being leaked.

It isn’t always rogue employees who choose to share data over a consumer-grade cloud storage service. Sometimes, the use of such services is sanctioned by higher-ups within the organization (particularly at the department level), and their use becomes a part of normal business processes.

As an example, a department within an organization might decide that the various IT controls that have been put into place are too restrictive and that they need a more efficient way of sharing files among those within the department or possibly even with clients. As such, that department resorts to shadow IT and chooses to use a consumer-grade cloud storage service.

Even if you were to put aside any type of legal or compliance issues, there are other risks that come into play as a direct result of using such services.

Loss of Access

One such risk is the loss of access to the data, particularly when the only copy of the data is stored within the cloud service. A rogue employee might, for example, change the password, effectively locking everyone out of the data. Similarly, the cloud provider could choose to lock the account in response to suspicious activity or because they detected something that violated their terms of service.

Even if an organization doesn’t completely lose access to the data that its users have stored within a cloud storage service, there may be a potential for the cloud storage service to disrupt business continuity.

Unlike cloud storage services that have been specifically designed for use in the enterprise, consumer-grade services often lack formal service-level agreements (SLAs) or uptime commitments. Hence, if a provider were to experience an outage, business processes could be disrupted as a result. And because the business made a conscious choice to use a consumer-grade service with no SLA, the organization would have little to no recourse for the interruption.

Data Loss

Another major risk associated with using a consumer-grade cloud storage service is that doing so may increase the odds of a data-loss event occurring. While it is true that some cloud storage services synchronize files across end-user devices, these synchronizations are not the same as having a backup. If an employee were to accidentally delete a file or if a file were to become encrypted by ransomware, then the action would propagate to every synchronized copy of the file. Hence, every copy of the file may be deleted or encrypted.

Although there are ways of backing up the data that’s stored within a consumer cloud storage service, such backups probably are not being performed. Especially if a department is using an unauthorized cloud storage service in violation of the organization’s policies, it’s likely that IT is not backing up the data that is stored within the service.

And asking the cloud provider to restore accidentally deleted or encrypted data isn’t usually an option either. Most cloud providers operate under a shared responsibility model in which users are responsible for securing and protecting their own data. Worse still, if the organization has chosen to use one of the free services, support options are likely limited or unavailable.

Unintentional Data Leak

Another risk associated with using a consumer-grade cloud storage service is that of unintentional data leakage. Yes, accounts with weak passwords may be more vulnerable to compromise, but there is more to it than that.

Even if the account remains secure, there is a risk than a well-intentioned employee might accidentally grant access to “anyone with a link,” thereby potentially exposing the organization’s data to the outside world. And because the data exists in a consumer-grade storage platform, outside of the scope of the organization’s Data Loss Prevention (DLP) tools, it would be difficult to even know whether or not the data has been improperly accessed.

Reputational Damage

Finally, relying on consumer-grade services brings with it the risk of reputational damage. Clients expect organizations to use enterprise-class security measures to help protect their data. If word gets out that an organization is storing sensitive data on a consumer-grade platform, it could seriously undermine trust in the organization.

Reduce Risk: Use Enterprise-Ready Progress ShareFile Software

Progress ShareFile software is built to support compliance while facilitating collaboration. Learn more about how the ShareFile solution helps protect data with advanced security controls and compliance-ready settings.