SMBs Struggle to Rein in Data Leakage to Cloud, Study Finds

Workers have used unapproved cloud services without informing their IT departments in more than 80 percent of small and midsize businesses, according to a Spiceworks survey.

cloud security

Small and medium-size businesses have major problems in managing their use of cloud applications, according to a survey published on Oct. 12 by Spiceworks, a community for information technology workers.

The survey of 338 IT managers found that more than 80 percent of the technology professionals had end users who had "gone behind their backs to set up unapproved cloud services." Almost all of those surveyed thought the security of specific cloud services should be taken into account before allowing employees to use them.

"I think a lot of times, everyone is used to using consumer-level products, which are not inherently bad, but they can be dangerous," Peter Tsai, IT analyst for Spiceworks, told eWEEK. "IT does not have direct control over who sees what and when, so you are putting sensitive information out there in the wild."

The problem of unauthorized cloud services shows that the issue of "shadow IT"—unvetted and unapproved technology—continues to undermine the security of businesses. Shadow IT used to describe an unapproved wireless router or server set up by employees to help them work, but with the advent of the cloud, the problem has moved online.

The IT professionals worried most about cloud storage services and web-based email services, with 35 percent warning that the former, and 27 percent that the latter, were vulnerable to attack. Messaging services and financial applications are the greatest concerns for 9 percent and 8 percent of IT professionals, respectively, according to the survey.

Much of the problem for SMBs is that IT departments at the companies tend to be, unsurprisingly, smaller. IT staff at such firms typically struggle to keep systems up and running, and security often takes a back seat, Tsai said.

"An IT department of one is not that uncommon," he said. "They have to keep the lights on, keep systems running and configure cloud services."

The shortage of staff shows. While 61 percent of IT professionals said that their company adequately invests in data security, less than half conduct regular security audits of their systems and only 28 percent are trying to improve data security.

IT professionals can take some basic, low-cost steps to reduce the use of shadow cloud services, Tsai said. Training can teach workers the dangers of using unapproved services, and establishing a policy can act as a guidepost for employees, he said.

"Just having a policy and reviewing your policy to make sure that [the use of cloud services] is covered is a good step," he said. "Then, people know they have a course of action and that they actually have rules to follow."

Finally, companies should review the cloud services that workers want to use, which can remove the primary reason that employees circumvent security policy, he said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...