No matter what your company’s official position is on the use of cloud services, your employees absolutely depend on them as part of their day-to-day work. The problem: the services they tend to use usually aren’t the ones you want them to use. A 2015 study of cloud usage found that employees were using 15 times more cloud services than their IT departments estimated or authorized; an average company also uses over 1,100 cloud services, of which just 8% meet the data security and privacy requirements of enterprises.

In light of this, it’s no surprise that data breaches from cloud services happen frequently. An October 2016 Ponemon study of nearly 650 IT professionals in North America found that of 31% of companies that had a data breach in the last year, 48% were caused by users exposing data intentionally or accidentally from a cloud service. Over half of respondents said that they didn’t have visibility or appropriate security controls to prevent breaches from the cloud.

The explosive use of personal devices has further blurred the lines of enterprise influence, increased the attack service and made it challenging for IT to maintain the levels of visibility and control that they require. And with the blurring of personal and corporate activities on these devices increasing exponentially, the likelihood of cloud breaches also increases.

But how exactly do cloud breaches happen? Let’s take a closer look at some of the actions that compromise data in the cloud.

Employees using risky cloud services: people often choose cloud services based on usability without taking security into consideration. Some cloud services have significant security gaps, such as not encrypting data within the service, or having terms of use that assume ownership of all content uploaded to it, which can expose corporate data to unauthorized users.

Uploading sensitive or regulated data into the cloud: according to a recent Cloud Adoption and Risk Report, 16% of all documents uploaded to cloud-based file sharing services contain sensitive or regulated information, such as financial records, business plans, source code, trading algorithms, and personally identifiable customer information such as social security numbers. Employees utilizing shadow IT services may not be aware of the sensitivity of the data or use proper discretion when uploading data to these services. Again, this can expose sensitive data and result in the organization being out of compliance with industry regulations.

Staff smuggling data via cloud services: malicious insiders pose a substantial risk to enterprises because they have access to sensitive data and can potentially leak it outside the company’s control via shadow IT services.

Compromised login credentials: research has found that over 90% of companies have had employee credentials for cloud services compromised, and made available for sale on the darknet. Credentials can be compromised either because of weak passwords, spear phishing attacks or malware that surreptitiously logs and captures passwords.

Mitigating these threats is a challenging especially because in many cases, IT teams are not aware of exactly which, or how many, unapproved cloud services employees are accessing and using from their corporate endpoints or personal devices. However, enterprises can implement and enforce a control point on employees’ use of cloud services, using cloud access security brokers (CASBs).

CASB solutions enable enterprises to get visibility of the data and applications employees are accessing and using, and to enforce consistent policies across all cloud services. This enables corporate IT teams to detect accidental or malicious threats from insiders and compromised accounts, and to maintain compliance by enforcing data loss prevention policies, encryption and contextual access controls across all cloud services.

CASBs also integrate with existing enterprise network security tools such as next generation firewalls (NGFW) and SIEM products, supporting established security operational policies and workflows. CASBs help to extend these policies and workflows to the cloud, adding insight and control to employee cloud service usage. Here’s how CASBs mitigate the risks from the four actions that compromise data which we identified earlier.

Blocking risky cloud services: CASBs work together with NGFWs to gain visibility into all cloud services accessed by employees, along with their risk ratings. IT teams can use this information to apply policies to block access to risky services, minimizing the risk of data loss through interception or theft. Where there is an authorized alternative service available, the CASB can use real-time prompts to encourage employees to use the approved solution, while restricting access to the shadow IT service.

Sensitive data uploads: using a CASB with NGFW, organizations can define data loss prevention policies that detect sensitive data being uploaded to shadow cloud services, and block files and data being transferred to the cloud.

Stopping staff smuggling: CASBs give insights into anomalous and unauthorized cloud usage, as well as develop user behavior models and baselines for normal activity. As such they can detect unusual spikes in data uploads or downloads that may indicate data exfiltration activity. For example, repeated attempts to access blocked services and a download from a sanctioned service followed by an upload to a shadow IT service are activity patterns that a CASB can capture and detect. When alerted, IT can immediately respond to this threat by blocking access to the user or cloud service using their next generation firewall.

Compromised credentials: CASBs can tap into darknet intelligence to identify user credentials that are compromised and alert the corporate IT team, who can then disable or update the corresponding user accounts.

Using this approach, organizations can close security gaps and protect sensitive information, while encouraging use of approved, efficiency-enhancing cloud services – effectively stopping their critical data raining from the cloud.