Most cloud apps flout EU data protection rules – study

Data Protection Regulation not passed yet, though...

Three in four cloud services do not conform to the current EU Data Protection Directive, according to a new study.

Enterprise cloud visibility firm Skyhigh Networks found that nearly three-quarters (72 per cent) of the cloud services used by European organisations do not meet the requirements of the current privacy regulations, with data being sent to countries without adequate levels of data protection. The transfer of personally identifiable information outside Europe meant many services were operating at odds with the EU Data Protection Directive.

IT lawyer Dai Davis, a solicitor at Percy Crow Davis & Co, said that Skyhigh's estimate is possibly on the low side.

"If anything 72 per cent is an underestimate," Davis told El Reg. "If you include 'social media used by European organisations' the figure would go up to 100 per cent. As to what to do about it, the short answer is use a German or Swiss-based company, those being the countries that take data protection most seriously."

The proposed EU Data Protection Regulation has yet to be approved by member states in the Council, so it is not yet in force, as our Brussels correspondent recently noted. Until it is, the existing Directive remains the applicable law.

Skyhigh said that with stricter policies and harsher penalties set to come into force soon, organisations have just a short window to address privacy compliance issues. This is a particular challenge because many organisations are already struggling to enforce existing acceptable usage policies.

For example, workers often find their way around blocks set up by corporate sysadmins to reach supposedly blocked services. Dropbox, Instagram, Tumblr and Apple iCloud in particular are widely used within corporates despite being nominally blocked by IT teams.

Skyhigh's latest quarterly European Cloud Adoption and Risk Report, which is based on an analysis of real-life usage data from more than one million users in organisations across many industry sectors, found that just 15 services accounted for 80 per cent of cloud data. Microsoft Office 365 is the biggest bandwidth hog in this category, followed by Salesforce. The report also showed a slow uptake of enterprise cloud services in Europe, with more than 50 per cent of data being uploaded to consumer services.

During the same period, the number of cloud services in use by the average company in Europe increased by 23 per cent, rising from 588 in Q2 to 724 in Q3. Many of these services are not enterprise-ready: only 9.5 per cent of all services met the most stringent security requirements, including strong passwords and data encryption, as measured against criteria put together by Skyhigh in co-operation with industry group the Cloud Security Alliance.

Skyhigh Networks' technology allows organisations to monitor employee cloud use and lock down banned apps, so it obviously has a vested interest in talking up the risk from a class of threat its software is designed to manage. That's not to say that the firm is wrong in warning about insecure cloud app usage in enterprises, which it is all too easy to believe may be running out of control in many cases.

"The Regulations are now well over a year behind schedule," Davis explained. "Whether the present proposals will finally be approved remains to be seen."

He added: "Amongst other objections, my understanding is that the UK and Ireland don’t want a new Regulation, only a (weaker) Directive. Whatever happens, the new law will be at least another two-and-a-half years before it comes into force, because a two-year transition/implementation period has been promised." ®


An Irish government spokesman got in touch with The Register on 24 October to say: "We wish to advise that from the outset of the negotiations on the EU data protection reforms, Ireland has recognised the need for, and has supported, the proposal for a Regulation. Such a Regulation can ensure a more consistent application of data protection standards across the EU; a single set of standards for a single digital market."

Biting the hand that feeds IT © 1998–2021