Companies must do a better job of vetting who they connect with via the cloud, as vulnerabilities in their business partners’ security systems could leave them at risk of attack too.
That’s according to Skyhigh Networks’ latest quarterly Cloud Adoption and Risk Report, which features insights based on an analysis of the cloud usage data of 17 million users across the globe.
For the first time, the report tracked how cloud is being used by companies to collaborate on projects with their business partners. Firms in the high tech and manufacturing sectors, in particular, are most likely to interact with third parties in this way.
Overall, the data revealed the average company fosters connections with 1,555 business partners in the cloud as they look to hammer out go-to-market strategies and product designs, for example.
While this collaborative style of working has its benefits, said the Skyhigh Networks report, working effectively in this way often requires large amounts of data to be shared between both parties.
And, although companies take steps to safeguard that data when it’s within their own corporate firewalls, they have no way of knowing if the companies they’re sharing it with are treating it with the same due care and attention.
Skyhigh Networks co-founder and vice-president of engineering Sekhar Sarukkai said that, as a result, companies must verify the security protocols of their business partners before they agree to collaborate with them in the cloud, particularly in light of some recent high-profile data breaches.
As an example, the report cites the Target data breach that occurred in late 2013 and saw 40 million customers’ credit and debit card details stolen.
In the wake of the attack, it emerged access was gained to the firm via a third-party heating and cooling supplier, tasked with managing the retailer’s fleet of fridges.
“Security of any enterprise is only as strong as its weakest link and recent breaches have shown that partners are often the weakest link,” said Sarukkai.
“Therefore, enterprises must have visibility into the security risks of their business partners so they can take the necessary steps to protect themselves.”
Cloud collaboration concerns
This can be difficult to do, according to Skyhigh Networks European director of strategy Nigel Hawthorn, as these collaborative partnerships are often instigated by employees without the IT department’s knowledge.
“We’ve found over the past couple of years that IT often only knows about 10% of the total number of cloud services in use and it wouldn’t surprise me to discover that IT only knows about 10% of the business partnerships people have got,” he said.
To get some insight in this area, Hawthorn said IT departments need to talk to employees about who they’re sharing data with, and keep a close eye on their network traffic to ascertain where their corporate information might be going.
“It’s very easy to know how much traffic is going to and from Facebook and YouTube and other publicly known large websites,” he said.
“What’s difficult is when you spot 10GB of data going to and from an unknown IP address. They need to work out if this is a business partner, someone the organisation trusts and if they appreciate the value of the data they’re carrying.”
Hawthorn also advised companies to issue policy documents to their business partners that set out rules on how they should secure and manage the former’s data.
This might require disclosing details about their own security setup, which some organisations may be unwilling to do, he admitted.
“Organisations may feel uncomfortable sharing this information because they don’t want anyone to know what their defence is. But in this world of cloud-based collaboration, maybe you do want people to see that because they are your business partners and you want to be sure they sign up for all these services as well,” said Hawthorn.
This is also particularly important when enterprises do business with smaller firms, he added, as their security processes may not be as robust as those of their larger counterparts.
“If you’re a large organisation, you’ve got to take some of the responsibility when you’re working with smaller companies as they are unlikely to be able to afford to have the same level of security as you do.”