Employers should offer an 'amnesty' to staff who secretly use cloud-based services for enterprise data, so that they can make known use of unsuitable and risky Web-based providers without fear of censure, according to an IT security expert.
Such admissions would enable IT departments to then recommend alternative cloud options that better meet employees' specific work needs, according to Nigel Hawthorn, marketing director EMEA at Skyhigh Networks, speaking today at the Infosecurity Europe conference in London.
Hawthorn called for employers to acknowledge that their workforce is likely to be covertly using cloud storage services for potentially sensitive enterprise data without the involvement of their in-house IT department, probably in violation of rules governing usage of third-party internet resources for work purposes.
Employers will struggle to discover the actual extent of “risky” cloud services usage among their employees, Hawthorn argued, so it's better to have an amnesty, a scheme by which they can own up without fear of reprimand, so that the situation can be addressed constructively.
“It’s high time for a cloud amnesty. This would be a way forward to addressing an issue that's now affecting all kinds of organisations,” Hawthorn said. “IT is all too often reactive and negative, when it [could] rather be proactively supportive of employees' use of cloud. [Such an approach] can lead to greater enterprise agility and reduced risk, while improving users’ views of the IT group.”
Employees using cloud data and application service accounts that they have set up unilaterally, without informing either their IT departments or their line managers, might not be aware that they are potentially putting sensitive data at risk, Hawthorn added.
“Of course data loss or reputational damage is the last thing any employer wants,” he said. “However, should this come about through an employee’s use of cloud services, we shouldn’t be so quick to presume negligence or malicious intent on their part. The first step should always be to understand why an employee was using that cloud service in the first instance.”
There are very few instances where an employee uses a cloud service other than to do their job, Hawthorn insisted: “Users are always going to be a weak link in security, but it is IT's role to try to understand the problems at hand and provide support. If IT simply blocks anything it perceives to be a potential risk, users will find another way to tackle the problem, potentially finding an even higher-risk service that the IT team hasn’t yet discovered. We need to think about ways we can help these employees, not chastise them”.