Could non-disclosure agreements be the missing cloud security link?

I know that Microsoft TechEd is a distant memory for most people now, but during that particular vendor-specific and generally rather incestuous conference back in June a universal truth was extracted.

A survey of more than 120 companies taking part in the TechEd event revealed that almost 30 per cent of employees are using personal cloud services to store work-related data, and 5 per cent are uploading what they admit to being confidential data in amongst it. The fact that data is being leaked beyond the managed enterprise boundary is, of course, no surprise at all. The whole BYOD phenomenon has, as I mentioned earlier in the year, led to a sub-culture of BYOC (Bring Your Own Cloud) or 'Rogue Clouds' if you prefer, that runs rife through a huge swath of enterprises - ones who really should know better.

As I said in my rogue cloud rant, security doesn't have to be thrown out of the window in this very real-world scenario, but rather "some thought has to be given how best to merge governance and compliance with so-called shadow usage into a workable and secure strategic framework." In other words, the risks of the rogue cloud need to be mitigated. Back then I was insisting that one of the best ways of ensuring such risk mitigation was to have a positive CEO who embraced the whole BYOC culture rather than rejected it. The reasoning being gob-smackingly simple: say no and people will continue to find ways of using it but outside of any corporate security strategy remit, say yes and you can advise how best to use it safely.

And this is where the universal truth thing comes to the fore, courtesy largely of Varonis Systems which conducted that TechEd survey back in June. You see, what Varonis did in addition to just asking the 'so do you upload confidential stuff to a personal cloud service, numbnuts?' question (I may be guilty of paraphrasing here) was to attempt to discover how those enterprises questioned were trying to deter employees from taking this data with them when they left the company.

One simple comment from David Gibson, VP of Marketing at Varonis, set the wheels of revelation in motion: "We were surprised by the low awareness level of NDAs among employees." This prompted me to ask myself whether the good old, and oft-forgotten, non-disclosure agreement could be the answer to cloud security? Or at least whether it should be a more targeted and implemented part of it. Just about every employee will sign an NDA as part of the contract of employment or an acceptable use policy or during the 'onboarding process' according to Gibson (what he means here is the induction process, that introductory meeting where the only bit you remember is where the toilets are).

The acceptable use policy is quickly forgotten, until you breach it and only then if the company in question has some kind of process in place to monitor such breaches and a security strategy which formally incorporates how to deal with them. The NDA, in all honesty, stands about as much chance of being remembered as, erm, I forget...

So, Gibson is spot on when he says that in order to improve the confidentiality obligation memory of employees "NDA awareness should be part of a comprehensive IP protection program that also includes employee training along with the implementation of proper access and security controls for sensitive, non-public data."

It's not exactly rocket-science, and it amazes me that NDA awareness isn't higher up the cloud security strategy value chain. The Varonis figures suggest that bringing the legal risks of uploading sensitive data to the personal cloud into focus for employees via an NDA can reduce the numbers who do so from an average of 18 per cent of the workforce to 13 per cent. Not brilliant, but it's a start and that 5 per cent reduction has to be seen as being just part of a more pro-active awareness programme. The fact that some 44 per cent of employees asked said they had not signed an NDA surely shows that it's an area that is ripe for improving and could quickly show a security return on the very small investment needed.

Asking your employees to delete (or return) any corporate data stored outside of the business when they leave, by way of an exit interview for example, would also work.

After all, there is no longer anything to fear over having been breaking the rules; what are you going to do, sack them? Unfortunately, fewer than half of employees (46 per cent) were asked to do this according to the survey. As is often the case when it comes to in-cloud security strategy, as with any other, the simplest and smallest of details are the ones so often overlooked yet which can, oh so ironically, have the biggest impact...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.