Analysis by researchers at cybersecurity company Digital Shadows suggests there are some 2.3 billion personal files sitting unprotected online.
The tally includes sensitive information like payroll data, credit card details, patient data, and intellectual property – all exposed publicly.
The lack of even basic information security puts people and organisations at risk of identity theft, corporate espionage, fraud, and other malicious activities.
Most of the highly sensitive information is stored in publicly accessible or misconfigured cloud servers, including Amazon S3 buckets, SMB file shares, and rsync servers used to synchronise files between user devices and cloud servers.
Worryingly, the 2.3 billion figure is an increase of 750 million over the company’s 2018 analysis, where 1.5 billion files were shown to be exposed. That’s a 50 percent increase in files at risk of loss or exploitation because their owners have not properly set up and managed the servers.
Topping the list of sensitive file types are:
- More than 4.5 million medical files, most of those medical imaging files
- Personal data like name, date of birth and insurance details were attached to the medical images, potentially enabling identity theft and extreme invasions of privacy.
- In another case a server exposed everything an attacker would need to easily steal one user’s identity — photos, bank statements, even a passport scan.
- There was even one case of an IT consultancy leaving 212,000 files belonging to clients open to public access — including documents full of usernames and passwords that could easily be used for criminal ends.
Researchers also found SamSam ransomware on some of the exposed servers, including those holding data for a large US university.
Still getting to grips with software-as-a-service
One of the things driving the spike in unprotected data is that organisations are rapidly transitioning to cloud-based software and services.
The learning curve is obviously steep, and many are still struggling to properly configure their servers and protect data after migrating it to the cloud.
In 2019 a reliable cloud services provider should be as secure as a state-of-the-art on-premise corporate data centre.
Concerns about security held back cloud adoption in the beginning, so vendors had to get their collective act together to convince businesses to leave their on-premise data centres behind.
That’s resulted in significant investment to make cloud systems more bulletproof. In fact, cloud vendors devote as much as 75 percent of their collective R&D spend to improving security systems.
In cyber terms, though, cloud may be a victim of its own success.
As more companies migrate entire IT infrastructures over to cloud providers like Amazon and Microsoft, use of services like Dropbox and Google Drive is on the rise.
Data stored in the cloud has strong protections but, as the Digital Shadows study demonstrates, someone has to actually turn those protections on.
On-premise or in the cloud, people are the success factor
The problem researchers have identified isn’t bad security, it’s bad decisions.
Missing a crucial security setting for server file access, or not investing enough in training the people charged with managing a company’s cloud services, are organisational issues, not technological ones.
In the end, files held in the cloud are as safe as the people who store them there enable them to be.
At home or at work, the strength of cybersecurity defences often depends on how empowered people are with security awareness.
If employees can be trained to understand the potential weaknesses in cloud security, and sustain their level of awareness, the risk of cloud breach can be reduced.
Harvard Business Review has said that better training is the best cyber security investment a business can make. In the cloud or in the office, empowering your people is the best way to keep personal data from being exposed online.