Consumer-oriented collaboration and file-sharing tools that have gained popularity as the workforce becomes increasingly mobile are customarily cheap, even free, for employees to use. But they could be costing businesses plenty, a recent study suggests.
Cloud computing and mobile devices (smartphones, tablets, and so on) enable employees to take advantage of consumer-grade file-sharing programs such as Google Docs, Dropbox, and YouSendIt to save, edit, and share work-related data and documents without ever having to speak to one another.
To be sure, the tools boost efficiency. But they can open the enterprise’s doors to hackers and significantly increase the risk of data leaks, says Larry Ponemon, founder of Ponemon Institute, an independent research center that examines privacy, data protection, and information-security policies.
“When you work in an organization, you want to have control over where the data can travel to,” he says. Unfortunately, says Ponemon, even if a company has policies that require employees to get permission before using these tools, the risk remains, and control remains illusory. Once the browser box is opened, it’s as difficult as Pandora’s to close.
When an employee saves data — trade secrets, financial reports, notes taken during a meeting — to his or her personal file-sharing or storage account, it’s probably with the best intentions. She or he may be planning to work from home or the road, taking advantage of the Internet’s core ability to connect everything to everyone everywhere. Unfortunately, the stored information sits there, unprotected, and the company usually doesn’t know what it is, where it is, or who has it. That’s a situation that should give any CFO or risk manager chills.
According to the institute’s December 2012 “State of the Endpoint” security survey of 684 IT and IT-security professionals, about 29% of employees use consumer-grade file-sharing tools, and 21% of those users routinely expose confidential business information.
To put that in perspective, the institute estimates the cost of exposed confidential business data at $194 per compromised record. Further, almost half of these security pros say their organizations “do not enforce employees’ use of private clouds,” which, they say, opens up their businesses to increasing malware attacks while forcing IT costs to rise.
Consequently, says Ponemon, monitoring and controlling the use of these collaboration tools, and securing the data they may contain, should be a top priority for enterprise risk managers.
“If you could solve the negligence issue, you solve a very large chunk of the problem,” he says. “It’s people who are just taking shortcuts that are exposing the company to huge risk because, if I’m a bad guy, I’m going to attempt to hack a Dropbox account, or YouSendIt, because there’s going to be a lot of data that might be very, very valuable stored there.”
How does one control the use of such cheap, efficient, user-friendly tools?
“The first step is creating awareness about the risk,” Ponemon advises. “Most people who make mistakes were not told in advance by anyone that it’s not an acceptable practice. When people are made aware, they’re normally going to comply. But we’re not seeing organizations bringing awareness to the rank and file.”
The second step is to offer a suitable, safer, enterprise-grade substitute for consumer tools. Using services such as Druva, Accellion, or Huddle Sync, businesses could save an estimated $3,119 a year by preventing potential data leaks, according to the report. (Microsoft’s SharePoint collaboration platform was launched in 2001, now comes with the cloud-enabled Office 365 Enterprise Suite, and is broadly deployed at low or no cost for Microsoft partners, but it is famously user-unfriendly.) That number takes into account end-user productivity improvements as a result of easier file sharing, along with a reduction in data breaches and associated remediation costs. The report found that overall cost savings and productivity improvements could exceed $8,184 per user annually.
While Ponemon Institute does not review or endorse companies or products, Ponemon says an enterprise-grade file-sharing solution “pays for itself very quickly” because it allows businesses to both control the sharing of data and know what’s being shared. CFOs who don’t want to invest in an enterprise collaboration tool due to the capital expense are “missing the point,” he says, in an environment in which the frequency of malware attacks is increasing.
“The average cost of a data leak,” Ponemon says, “is probably more expensive than the most expensive enterprise file-sharing tool out there.”
In addition to security, the study found that companies using corporate file-sharing tools are collaborating at better and higher levels, increasing productivity by about 1.2 hours each day, or 266 hours per year.
“That value,” Ponemon says, “is enormous to a company.”