As anyone with a Dropbox or Google Drive account knows, consumer-grade cloud storage and collaboration services are a convenient way to store and share personal photos, music, video and documents. Employees who use these cloud services outside the workplace naturally want their convenience and ease of use inside the workplace. So they often turn to familiar consumer-grade offerings. In a recent study by cybersecurity company Stroz Friedberg, more than half of information workers surveyed uploaded corporate documents and data to their personal cloud storage accounts.
This phenomenon is frequently referred to as BYOC--Bring Your Own Cloud. As with the more familiar Bring Your Own Device--BYOD--phenomenon, employee adoption of BYOC can offer certain benefits to a company, including greater productivity and increased employee satisfaction. BYOC accounts also eliminate the need to purchase or support equivalent corporate solutions.
But those benefits can come with serious drawbacks. This article will discuss the dangers presented by BYOC and suggest steps that companies can take to manage and mitigate their exposure.
BYOC: RISK IN THE FORECAST
Theft or loss of intellectual property
One of the most common--and dangerous--risks of a laissez-faire approach to BYOC is theft of trade secrets and other proprietary data. It often arises when employees leave and use corporate documents they've stored in BYOC accounts for the benefit of a new employer.
Indeed, numerous recent trade secret theft cases indicate that BYOC accounts are becoming the preferred means for departing employees to steal sensitive corporate documents. These cases typically involve sensitive materials such as customer lists, pricing and financial data, and proprietary technical specifications. In some, the employee's resort to BYOC was unknown and unauthorized. But in others, the company condoned the use of BYOC accounts without considering the consequences when the employee departed.
Data breach and regulatory violations
Another significant BYOC risk is the violation of federal, state or international privacy and data security laws. These laws vary significantly in their scope and requirements, but all obligate companies to take certain steps to protect personal information from unauthorized use or disclosure.
Many require that companies take steps to ensure that third parties who receive this information are bound to protect it. Almost all impose some duty to notify individuals or regulators in...