Symantec publishes a report “Shadow Data Report: Risks of Employee Cloud App Use and Abuse” each year.
In it, they identify five significant risk factors that affect how safe, or at risk, your cloud data is.
Shadow Data, according to Techopedia, is a slang term that refers to the sum of all small traces of information that an individual leaves behind through everyday activities. It is a minute piece of data created when an individual sends an email, updates a social media profile, swipes a credit card, uses an ATM and so on. Shadow IT is a term often used to describe information-technology systems and solutions built and used inside organizations without explicit organizational approval.
Why should you care about this? The healthcare industry has the highest costs of any industry related to breaches of sensitive patient information, or patient identifiable information (PII). And the consequences are the highest for the people involved in healthcare – both for the person whose personal information has been exposed and for the person(s) involved in breaching confidentiality.
So what are these risks?
Risk #1: Unidentified and unmanaged cloud apps used by both on-site and mobile/off-site personnel. These are applications that the IT department does not know of, and that therefore receive no oversight or consideration of any security requirements. They range from business applications such as Office 365 to social media sites such as Facebook. The use of these unmanaged apps increases your risk of an employee exposing sensitive personal data, either inadvertently or intentionally. Policies on which applications can be run on company computers are imperative to deal with this.
Risk #2: Unclassified and Unmanaged Data. This is information that has been uploaded to the cloud without the express knowledge or permission of the employer. To deal with this, you need to implement smart data governance practices.
Risk #3: High-Risk Employees. While some companies have no high-risk employees (thanks to policies, employee screening and tight security controls), at 14% of companies over 50% of employees are deemed to be at high risk. Most of these are not malicious. They include employees who indiscriminately share info, not only with fellow employees, but also with family and friends. Then there are those who have weak passwords (e.g. a child’s name), use the same password for all accounts, or write their password on a sticky note on their desk. And they transfer company files to the cloud so they can access them from home. Of the 465 million documents Symantec surveyed in 2017, over 20% were broadly shared and at high risk of being exposed.
Risk #4: Internal and External Bad Actors. This group certainly includes the disgruntled employee, but it also includes employees who think they’re too busy to follow security protocols, or who have never been properly trained in them. This also includes hackers. One way to identify an internal employee who is putting your information at risk is to look for specific patterns of computer use. One is where they take a screen capture, attach it to an email, and then delete the screen capture. This is highly suspicious behaviour. Also watch out for employees who access unsanctioned cloud apps at work, or on a business computer, and inadvertently expose the company to malware or ransomware.
Risk #5: Compromised Cloud Services. Online sites are at risk, due to the nature of their use across the Internet. Of the top five types of applications that are accessed, 18% of social network sites, 18% of instant messaging sites, 13% of hosted email sites, 18% of file sharing sites and 34% of online shopping sites were compromised and exposed users to malware or ransomware.
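The pattern described under Risk #4 (screen capture, email attachment, deletion of the capture) can be expressed as an ordered-sequence check over endpoint activity logs. The following is an added example, not taken from the Symantec report or from 2Ascribe; the event schema, action names, sample events and 10-minute window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema: time, user, action, file).
EVENTS = [
    ("2024-03-04T09:00:05", "alice", "screenshot_created", "cap1.png"),
    ("2024-03-04T09:01:10", "alice", "email_attachment", "cap1.png"),
    ("2024-03-04T09:01:40", "alice", "file_deleted", "cap1.png"),
    ("2024-03-04T10:00:00", "bob", "screenshot_created", "cap2.png"),
    ("2024-03-04T10:00:30", "bob", "file_deleted", "cap2.png"),        # never emailed
    ("2024-03-04T11:00:00", "carol", "screenshot_created", "cap3.png"),
    ("2024-03-04T11:02:00", "carol", "email_attachment", "cap3.png"),  # never deleted
    ("2024-03-04T12:00:00", "dave", "screenshot_created", "cap4.png"),
    ("2024-03-04T15:00:00", "dave", "email_attachment", "cap4.png"),   # hours later
    ("2024-03-04T15:00:20", "dave", "file_deleted", "cap4.png"),
]

SEQUENCE = ("screenshot_created", "email_attachment", "file_deleted")

def find_capture_email_delete(events, window_minutes=10):
    """Return (user, file, start, end) for each full sequence inside the window."""
    limit = timedelta(minutes=window_minutes)
    state = {}  # (user, file) -> (index of next expected step, capture time)
    hits = []
    for ts, user, action, path in sorted(events):
        if action not in SEQUENCE:
            continue  # unrelated activity does not reset tracking
        when = datetime.fromisoformat(ts)
        key = (user, path)
        if action == SEQUENCE[0]:
            state[key] = (1, when)  # a new capture (re)starts tracking
            continue
        if key not in state:
            continue
        step, started = state[key]
        if when - started > limit or action != SEQUENCE[step]:
            del state[key]  # too slow, or steps out of order
        elif step == len(SEQUENCE) - 1:
            hits.append((user, path, started, when))
            del state[key]
        else:
            state[key] = (step + 1, started)
    return hits
```

Only the complete, in-order sequence within the window is reported, so a deleted screenshot that was never emailed, or an emailed one that was kept, does not raise an alert.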
In all five of these risks, the common denominator is that people are the greatest concern when it comes to putting sensitive information at risk. Measures that address this include:
- Having policies regarding access to non-company sites on company-owned computers.
- Training employees on company policies.
- Auditing employees’ cloud usage on company computers.
- Considering blocking non-necessary websites on company computers.
- Identifying disgruntled employees and monitoring their computer usage.
2Ascribe Inc. is a medical transcription services agency located in Toronto, Ontario, Canada, providing medical transcription services to physicians, clinics and other healthcare providers across Canada and the US. Having recently introduced WEBscribe, a client interface portal for document management, 2Ascribe continues to implement and develop technology to assist and improve the transcription process for physicians and other healthcare providers. As a service to our clients and the healthcare industry, 2Ascribe offers articles of interest to physicians and other healthcare professionals, medical transcriptionists and office staff, as well as of general interest. Additional articles may be found at https://www.2ascribe.com.