
CLOUD ADOPTION RISK REPORT

Table of Contents
INTRODUCTION
SENSITIVE DATA IN THE CLOUD
  Types of Sensitive Data
  What's in a Name?
  Worst Employee of the Month
SHARING AND COLLABORATION
  File Sharing Reaches an All-Time High
  When Sharing is Erring
  The Shadow Code Repository
INTERNAL AND EXTERNAL THREATS
  Your Own Worst Enemy
  Compromised Accounts
  Data Exfiltration
USAGE TRENDS
  Average Number of Services
  Security Controls Vary by Provider
  Usage by Platform
THE TOP CLOUD SERVICES
  Top 20 Enterprise Cloud Services
  Top 20 Consumer Cloud Services
  Top 10 File Sharing Services
  Top 10 Collaboration Services
  Top 10 Social Media Services
OUR METHODOLOGY

CLOUD ADOPTION RISK REPORT | Q4 2015

Introduction
Four years ago, entrepreneur and investor Marc Andreessen wrote about
how software impacts nearly all areas of modern life. [1] The primary
platform for software applications today is not a hard drive; it's a web
browser. Software delivered over the Internet, referred to as "the cloud,"
is not just changing how people listen to music, rent movies, and share
photos. It's also transforming how businesses operate. Studies have
shown that businesses taking advantage of productivity-enhancing
cloud services grow 19.6% faster than their counterparts that don't. [2]
Because employees often bring their own apps to work, companies
typically don't know which ones are being used to store corporate
data. Even within the cloud services purchased by a company's IT
department, there is limited visibility into user behavior and how
sensitive information is accessed and shared. Similar to previous shifts
in technology, such as the rise of the PC and the Internet, the cloud
creates new and significant concerns among business leaders about the
potential for headline-making security incidents.
To better understand these trends, Skyhigh Networks publishes a Cloud
Adoption & Risk Report, the first and most comprehensive report of
its kind. What makes our report unique is that we base our findings on
actual usage data for over 23 million users worldwide, more than any
other similar study.
In this report, we detail the types of sensitive data stored in cloud
services, how that data is shared within organizations and with third
parties, and how risky employee behavior can expose data. We also
examine the external threats that use the cloud to exfiltrate sensitive
data pilfered from on-premises systems as well as attacks directed at
sensitive data stored in cloud services. Finally, we cover general usage
trends, including the most widely used cloud services.

[1] Wall Street Journal, "Why Software is Eating the World"
[2] Vanson Bourne, "The Business Impact of the Cloud"


Sensitive Data in the Cloud


Across industries, organizations must protect a wide range of sensitive
information from cyber attacks and accidental disclosure, and that data
is increasingly stored in the cloud. All told, 15.8% of all documents
uploaded to cloud-based file sharing services contain sensitive
information, where they are just a few clicks away from being shared
externally. The majority of these files, 58.4%, are Microsoft Office
documents, followed by Adobe PDF files. The remaining 22.8% is
comprised of over 500 different file formats ranging from CAD
diagrams to Java source code.


TYPES OF SENSITIVE DATA


Across all documents uploaded to file sharing services, the most
common type of sensitive content is confidential company data (e.g.
financial records, business plans, source code, trading algorithms,
etc.). A total of 7.6% of documents in file sharing services contain
confidential data. That's followed by personally identifiable
information (e.g. Social Security numbers, tax ID numbers, phone
numbers, addresses, etc.) at 4.3% of all documents. Next, 2.3% of
documents contain payment data (e.g. credit card numbers, debit card
numbers, bank account numbers, etc.). Finally, 1.6% of documents
contain protected health information (e.g. patient diagnoses, medical
treatments, medical record IDs, etc.).


WHAT'S IN A NAME?
As recent high-profile data breaches demonstrate, cyber criminals
are seeking out documents containing company budgets, employee
salaries, and employee Social Security numbers. Their goal is often
to disrupt the operations of these companies or use this information
for financial gain. It's not uncommon for employees to use words like
"bonus," "budget," or "salary" in file names. The average organization
stores thousands of such documents in file sharing services.

[Figure: Files Containing Keyword in the File Name (average per organization by file type)]

A surprising number of employees store passwords in Excel
spreadsheets, Word documents, and other formats in the cloud. As an
aside, security experts recommend against storing your passwords in an
unencrypted file labeled "passwords.xlsx", whether in the cloud or on
your PC. People in IT security are not immune from this type of
risky behavior. For example, in the Hacking Team breach, it was
discovered that members of the IT security team stored critical
passwords in unencrypted files that were stolen by hackers.


Users also upload image and PDF copies of passports, PowerPoint files
with information on competitors, local database files from programs
such as Microsoft Access with employee salaries, and draft press
releases that could be used for insider trading. The average company
has hundreds of MSG and EML format email files containing sensitive
information, exported from email programs such as Outlook. When
exported, their file names usually contain the email subject.
In a later section we'll examine how many files are shared externally,
and how many are publicly accessible to anyone on the Internet.

[Figure: Files Containing Keyword in the File Name (average number per organization across file sharing services)]


WORST EMPLOYEE OF THE MONTH


Across all users, 28.1% of employees have uploaded a file containing
sensitive data to the cloud. Depending on the sensitivity of the data
and the company's industry, this may be permitted; however, many
companies have compliance requirements that may be violated when
data is stored unencrypted in the cloud. These files may also be
publicly disclosed with the wrong collaboration settings. Illustrating
how much damage a single person can do, we ranked users by the
number of sensitive files they uploaded to the cloud this quarter.
The worst offender uploaded 284 unencrypted documents containing
credit card numbers to a file sharing service. In second place, a user
uploaded 46 documents labeled "private" and 60 documents labeled
"restricted" based on the company's document classification system.
Another user uploaded 88 documents containing Social Security
numbers. All three did so in violation of their respective companies'
policies. Just one of these files could ignite a wave of lawsuits and
investigations if accidentally shared publicly, highlighting the potential
risk of unmanaged file sharing.

Sharing and Collaboration


Cloud-based file sharing and collaboration services such as Box,
OneDrive, SharePoint Online, Dropbox, ShareFile, and Google Drive are
popular. While they started by offering users the ability to synchronize
their files across devices, many of them are now full-fledged
collaboration platforms allowing users to share files and edit the
same file with other people around the world in real time. The average
company uploads 5.6 TB of data to file sharing services each month.
Overall, the average organization shares documents with 849 external
domains via these services.


FILE SHARING REACHES AN ALL-TIME HIGH


The percentage of files that are shared via file sharing services hit
an all-time high in Q3, 2015. Of all documents stored in file sharing
services, 37.2% are shared with someone other than the document's
owner. That's higher than this same period last year, when 27.0%
of files were shared. One potential reason is that users increasingly
seek to use these services for sharing data with other people rather
than merely syncing files across their own devices. While enhanced
collaboration between colleagues and business partners is a positive
development, the ease with which sensitive data can be shared also
carries the risk that a sensitive file may be unintentionally shared too
broadly and outside of policy.

[Figure: Sharing Within File Sharing Services (percent of files shared)]


WHEN SHARING IS ERRING


Of the 37.2% of documents that are shared, 71.6% are shared
internally with select users. A noteworthy 12.9% of shared documents
are shared with all employees within an organization. Another 28.2%
of these documents are shared with business partners. Of shared
files, 5.4% are accessible by anyone with a link. These links are easily
forwarded and can create risk since the organization cannot audit or
control who is viewing the document. Further, 2.7% of these files are
actually publicly accessible and indexed by Google.
Another way files can be shared externally is with personal email
accounts such as Gmail, Yahoo! Mail, and Hotmail. A total of 6.0%
of shared files are shared with personal emails. For files that are
shared externally (with business partners, personal emails, or publicly
accessible online), 9.2% contain sensitive data. That's lower than
the overall average of 15.8% across all documents, but it shows that
organizations need to educate employees about the risks of sharing
certain types of data and enforce policies defining how and with whom
sensitive data can be shared.
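
The sharing categories above can be turned into a simple audit over a file inventory export. The following is an added example, not part of the original report or any Skyhigh tooling: the record fields (`name`, `shared_with`, `link_access`), the `*everyone*` marker, the keyword list and the webmail domain spellings are all assumptions, and the sample inventory is constructed.

```python
import re

# File-name keywords the report mentions; extend to match local policy (assumption).
KEYWORDS = ("bonus", "budget", "salary", "password", "passport")
KEYWORD_RE = re.compile("|".join(KEYWORDS), re.IGNORECASE)

# Personal webmail providers named in the report (domain spellings are assumptions).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Categories where the organization cannot fully control who sees the file.
EXTERNAL = {"business_partner", "personal_email", "anyone_with_link", "public"}


def sharing_actions(record, corp_domain):
    """Map one inventory record to the report's sharing categories."""
    actions = set()
    for grantee in record.get("shared_with", []):
        if grantee == "*everyone*":  # hypothetical marker for "all employees"
            actions.add("all_employees")
            continue
        domain = grantee.rsplit("@", 1)[-1].lower()
        if domain == corp_domain:
            actions.add("internal_select_users")
        elif domain in PERSONAL_DOMAINS:
            actions.add("personal_email")
        else:
            actions.add("business_partner")
    link = record.get("link_access", "none")
    if link == "anyone_with_link":
        actions.add("anyone_with_link")
    elif link == "public_indexed":
        actions.add("public")
    return actions


def audit(inventory, corp_domain):
    """Return files whose name hits a keyword AND that are exposed externally."""
    findings = []
    for rec in inventory:
        # Substring match: cheap and noisy, so treat hits as review candidates.
        hits = sorted({m.group(0).lower() for m in KEYWORD_RE.finditer(rec["name"])})
        exposure = sorted(sharing_actions(rec, corp_domain) & EXTERNAL)
        if hits and exposure:
            findings.append({"name": rec["name"], "keywords": hits, "exposure": exposure})
    return findings


# Constructed sample inventory (not real data).
SAMPLE = [
    {"name": "passwords.xlsx", "shared_with": ["alice@example.com"],
     "link_access": "anyone_with_link"},
    {"name": "Q3_Budget_Final.xlsx", "shared_with": ["*everyone*"],
     "link_access": "none"},
    {"name": "salary_bands_2015.pdf",
     "shared_with": ["bob@gmail.com", "carol@partner.example"], "link_access": "none"},
    {"name": "roadmap.pptx", "shared_with": ["dave@partner.example"],
     "link_access": "public_indexed"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "example.com"):
        print(finding)
```

File-name matching only surfaces candidates; files such as `roadmap.pptx` that are public but carry no keyword still need content inspection.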

[Figure: Breakdown of Sharing Actions (percent of shared files with an associated sharing action)]


THE SHADOW CODE REPOSITORY


Despite the popularity of code repositories such as GitHub and
SourceForge, users also store files containing code in file sharing
services and rely on these services to send large files to other users.
The most common programming languages found in file sharing
services include JavaScript, Objective-C, and Python. The average
organization has thousands of code-containing files stored in the
cloud, and 14.8% of these files are shared externally.
Many of the individuals with sharing permissions for these files are
likely business partners. However, 6.1% of these files are accessible by
anyone with a link, increasing the risk that source code, financial trading
algorithms, and new applications under development could be exposed
if these links are forwarded more broadly beyond the users who initially
received them.

[Figure: Most Common Programming Languages (average number of code-containing files in file sharing services per organization)]


Internal and External Threats


Owing to the scale of corporate data stored in the cloud today,
security incidents are no longer isolated to PCs and applications on
the network. The average organization experiences 19.6 cloud-related
security incidents each month. These events include insider threats
(both accidental and malicious), privileged user threats, compromised
accounts, and attacks that leverage the cloud as a vector for
data exfiltration.

[Figure: Data Under Siege (percent of organizations experiencing threats by threat type)]


YOUR OWN WORST ENEMY


The average organization experiences 9.3 insider threat incidents each
month, and 89.6% of organizations experience at least one per month
on average. Insider threats include behaviors that unintentionally
expose an organization to risk, such as mistakenly sharing a
spreadsheet with employee Social Security numbers externally.
They also include malicious activity, such as exfiltrating proprietary
data. Privileged user threats, such as administrators or privileged
users accessing data they should not, occur monthly at 55.6% of
organizations, with the average company experiencing 2.8 each month.

COMPROMISED ACCOUNTS
Slightly more than two thirds of organizations experience account
compromises each month. On average, organizations experience 5.1
incidents each month in which an unauthorized third party exploits
stolen account credentials to gain access to corporate data stored
in a cloud service. Earlier research by Skyhigh has shown that 92%
of companies have cloud credentials for sale on the Darknet. Many
business-critical cloud services support multi-factor authentication,
and companies can reduce their exposure to account compromise by
enabling this feature.

DATA EXFILTRATION
In order to exfiltrate stolen data from on-premises systems of record,
hackers are increasingly turning to public cloud services, which are
often unmonitored. The average organization experiences 2.4
cloud-enabled data exfiltration events each month and the average incident
involves 410.0 MB of data. One example we've uncovered is a cyber
attack in which malware that infected an employee's laptop used
Twitter to exfiltrate the stolen data, 140 characters at a time, across
86,000 tweets.


Usage Trends
More cloud services are being launched every week and the percentage
of cloud services that are enterprise-ready increased this quarter. Put
together, organizations have never had more cloud apps to choose
from that provide robust levels of security for enterprise data. Cloud
adoption in the workplace continued to increase this quarter, albeit at a
slower pace than last quarter. Companies and employees both actively
use a greater variety of cloud services.

AVERAGE NUMBER OF SERVICES


The average organization now uses 1,154 cloud services, an increase of
6.6% over last quarter. Enterprise cloud services account for 72.9% of
the services in use by the average company, while consumer services
represent 27.1%.

[Figure: Cloud Usage Over Time (average number of cloud services in use per organization by type)]


Collaboration continues to be the category with the greatest variety of
cloud services in use by a wide margin. The average organization uses
174 distinct collaboration services (e.g. Cisco WebEx, Evernote, etc.)
followed by 61 file sharing services (e.g. Dropbox, Google Drive, etc.)
and 57 development services (e.g. SourceForge, GitHub, etc.).
On the one hand, the multiplying number of cloud services that
companies use in each category indicates we're in the early days of
the market as new entrants regularly emerge with better capabilities.
However, companies that use many redundant services in each category
can actually end up discouraging collaboration and introducing friction
as users must log in to different apps to work with different teams.

[Figure: Cloud Usage by Category (average number of cloud services in use per organization by category)]


The average employee actively uses 30 cloud services at work,
including 8 collaboration services, 5 file sharing services, and 4 content
sharing services (e.g. YouTube, Flickr, etc.). The cloud market is early
in its development, and while there are cloud services that stand
out in terms of user count (which we'll see later in the report), few
categories have a dominant provider. Users are still able to find unique
functionality to justify using several cloud services in each category.

SECURITY CONTROLS VARY BY PROVIDER


Across over 16,000 cloud services in use today, only 8.1% meet the
strict data security and privacy requirements of enterprises as defined
by Skyhigh's CloudTrust Program. Digging deeper, we find that fewer
than 1 in 10 providers store data at rest encrypted, and even fewer
support the ability for a customer to encrypt data using their own
encryption keys. Encryption using customer-managed keys is rapidly
becoming a requirement for organizations to store data in the cloud
while meeting requirements dictated by industry regulations and
national data privacy laws.


Concerns persist about what happens to data once uploaded to a
cloud provider. Fewer than half of providers specify that customer
data is owned by the customer (the rest either claim ownership over
all data uploaded, or don't legally specify who owns the data). An even
smaller number of cloud providers delete data immediately on account
termination, with the remainder keeping data up to one year or even
claiming the right to maintain copies of data indefinitely. Very few cloud
providers commit to not share customer data with third parties, such as
advertisers or governments, unless under a legal order.

USAGE BY PLATFORM
Windows desktop users, on average, use a greater variety of cloud
services than any other platform. The average Windows PC accessed
18.3 distinct cloud services in September 2015. That's 47.6% higher
than September 2014.

[Figure: Cloud Usage by Platform (average number of cloud services in use by device type)]


On average, Windows desktop users access 77.7% more cloud services
than the average Mac desktop user. Mac users accessed 10.3 services on
average at the end of the quarter.
Meanwhile, cloud usage on iOS is soaring. The average number of cloud
services in use on each iOS device surpassed Mac computers for the
first time this quarter. In the last 12 months, the number of services in
use on an average iOS device surged 88.1% to 11.1 distinct services
accessed per device per month. Android users access fewer cloud
services. The average Android device accesses 10.0 cloud services, an
increase of 81.8% over this time last year. Across mobile platforms,
cloud usage grew 62.9% year over year.
Another way to look at usage by platform is to examine the volume
of data users upload to the cloud. From this perspective, the average
Windows desktop user uploads more data than users of any other
device type. On mobile, Android users are much more prolific uploaders
than iOS or Windows Phone users. Users of Android devices upload on
average over three times as much data to the cloud compared with the
average iOS user.

[Figure: Data Uploaded to the Cloud (average amount of data uploaded per month by device type, MB)]


The Top Cloud Services


In The Wisdom of Crowds, James Surowiecki explores the idea that a
large group of individuals are better at making decisions than an elite
few. While this assertion can certainly be challenged, it led us to
look at the cloud services that attract the most active users as a proxy
measurement for the cloud services that have real-world utility for a
broad range of businesses.


TOP 20 ENTERPRISE CLOUD SERVICES


In Q3, 72.9% of the cloud services in use by the average company were
enterprise cloud services and these services accounted for 71.8% of
data employees uploaded to the cloud at work. Office 365 is the top
enterprise cloud service by user count, followed by Salesforce and
Cisco WebEx. From a security standpoint, the top 20 enterprise cloud
services are significantly more likely to have enterprise-class security
controls than the average enterprise cloud service (85% vs 9.9%).

[Figure: Top 20 Enterprise Cloud Services (global)]


TOP 20 CONSUMER CLOUD SERVICES


Consumer cloud applications accounted for 27.1% of the cloud
services in use in the average workplace and 28.2% of data businesses
upload to the cloud. Social media, content sharing, and collaboration
services dominate the top 20 list. Only one service on the top 20 list
is enterprise ready (5%) versus the overall average of 3.5% across
all consumer services. It's clear security isn't a strong factor in the
cloud service selection process for consumer services compared with
enterprise services.

[Figure: Top 20 Consumer Cloud Services (global)]


TOP 10 FILE SHARING SERVICES


Google Drive continues to occupy the top spot on our ranking of file
sharing services by number of active users for the third quarter in a row.
It's followed by Dropbox, Box, and OneDrive. This quarter, WeTransfer
surpassed 4shared to take the 8th spot on the list and Amazon FireDrive
returned to the top 10 list. We included both personal and business
users for each file sharing service in our user count.

[Figure: Top 10 File Sharing Services (ranked by active user count)]


TOP 10 COLLABORATION SERVICES


Microsoft Office 365, Gmail, and Cisco WebEx continue to take the first
three spots on the list of collaboration services this quarter. Yammer
has reclaimed the 5th position, overtaking Yahoo! Mail in user count.
GoToMeeting moved slightly down to the 7th position; however, it is still
solidly higher in the rankings than this time last year. Prezi continued its
slide in ranking, dropping to the 10th position this quarter.

[Figure: Top 10 Collaboration Services (ranked by active user count)]


TOP 10 SOCIAL MEDIA SERVICES


The triumvirate of Facebook, Twitter, and LinkedIn still dominates the
social media category. Tumblr has continued to drive active users
following its acquisition by Yahoo! in 2013. Russian social media
service VK and Chinese site Sina Weibo round out the top 6. Myspace
overtook Foursquare for the 7th position this quarter.

[Figure: Top 10 Social Media Services (ranked by active user count)]


Our Methodology
To bring you these findings, we analyzed aggregated, anonymized cloud
usage data for over 23 million users worldwide at companies across all
major industries including financial services, healthcare, public sector,
education, retail, high tech, manufacturing, energy, utilities, legal, real
estate, transportation, and business services.
Collectively, these users generate over 2 billion unique transactions
in the cloud each day. We compiled their usage in an extensive cloud
activity graph, revealing trends in usage against behavioral baselines
across time. Our cloud service registry tracks over 50 attributes of
enterprise readiness and allows us to analyze behavior using detailed
data signatures for over 16,000 cloud services.


Get a free, personalized audit of your cloud usage today

We'll analyze your usage of shadow and sanctioned cloud
services free of charge and deliver a findings report summarizing:

All cloud services in use and their associated risk
Sensitive data stored in the cloud and who has access
Collaboration and sharing with third parties
Potential insider threats and compromised accounts
Anomalous events indicating potential data exfiltration
Excessive user permissions and dormant accounts

"Skyhigh allows us to have more control over data security
by adding an additional layer of protection beyond the typical
cloud service provider can offer."
Jenai Marinkovic
Chief Security Officer

Request a Complimentary Cloud Audit
http://bit.ly/Q32015AuditOffer

To gain visibility and control over the cloud, contact us today.

1.866.727.8383 skyhighnetworks.com
