End-users admit ignorance of corporate cloud policies

analysis
Nov 8, 2012

Symantec survey reveals that most employees don't know -- or don't care -- whether they're allowed to use cloud services

Already tested by the BYOD movement, security-conscious IT admins are increasingly forced to cope with employees exposing their organization to security risks and unforeseen expenses by signing on to unauthorized cloud services. This includes storing customer records on Dropbox, enlisting Amazon Web Services to test beta code, or creating and sharing sensitive documents via Google Docs.

A new study from Symantec titled “The Myth of Keeping Critical Business Information Out of Clouds” points to the chasm between users and IT admins over access to cloud applications. Among 165 IT managers and staffers, 76 percent reported that their company monitors cloud policies. What’s more, 81 percent of IT admins said their company had clearly outlined consequences for violating those policies. Yet 55 percent of surveyed end-users said they weren’t aware of any such policies, and 49 percent said they didn’t know of any consequences for violating said policies.

The problem with the disconnect is that savvy IT admins are keenly aware of the potential threats of permitting unbridled, unmanaged access to cloud services. IBM, for example, has developed cloud policies in which the company blocks internal access to Dropbox, iCloud, and even Siri. Meanwhile, VMware, Symantec, RightScale, and others are baking features into their products for better managing and locking down cloud access.

Part of the issue is that end-users tend not to understand security risks; others simply ignore them. As a result, they choose easy-to-crack passwords, fall for well-crafted phishing attacks, or visit malicious sites that install password-sniffing malware on their machines. If a cyber criminal is able to dupe an employee into coughing up his password for Dropbox — in which the user has been storing sensitive customer data — then the company has been unwittingly exposed to data theft.

End-users aren’t entirely to blame; while some willfully break security rules, others are merely unaware of security risks due to insufficient training or communication. Not only is it IT’s duty to lock down or secure access to third-party cloud services (just as they should be doing with onsite resources), admins must also ensure that users are aware of the policies and are adhering to them.

Back to the survey: IT workers said their companies have clear policies on an array of types of cloud services. Sixty-three percent said they have rules in place pertaining to online email and communications, yet only 50 percent of employees said they knew of such policies. Seventy-four percent of admins said they had policies pertaining to file-sharing software, whereas 42 percent of end-users said they knew about those policies. Finally, 77 percent of IT admins said they’d adopted policies for cloud-based storage and backup, for productivity apps, and for contact manager apps. From the end-user perspective, only 49 percent knew of the cloud storage rules; 59 percent were aware of the productivity app policies; and 48 percent had an inkling of the contact-manager app rules.

It’s difficult to determine how many employees are really unaware of the rules and consequences, how many are accidentally breaking them, and how many are ignoring them. The survey found that more employees “go rogue” than they’re willing to admit. For example, 69 percent of employees confessed to going against policies and using cloud email and communication services, but IT admins said 88 percent of employees were rogue. Another example: 59 percent of employees owned up to using cloud-based file-sharing software, but by IT’s reckoning, the figure is at 87 percent.

Lest employees dismiss IT as a bunch of fuddy-duddies who don’t want to try anything new, consider this: The survey found that IT does appreciate the benefits of cloud services, but it also understands the potential risks better than the average non-tech-savvy employee.

For example, 60 percent of IT respondents said the risks and benefits of using online storage or backup were equal. The same percentage saw the risks and benefits as equal for productivity apps and contact manager apps. They were more divided on file-sharing services — only 50 percent said the benefits and risks were equal — and online communications, for which 53 percent saw risks and benefits as equal.

By contrast, 49 percent of employees said that the benefits of online email and communications outweighed the risks; 38 percent felt the same about file-sharing. The figures dropped to around 30 percent for online backup, productivity apps, and contact manager apps.

This story, “End-users admit ignorance of corporate cloud policies,” was originally published at InfoWorld.com.