The growing use of cloud services and the lack of visibility into sensitive information in the cloud can result in more damaging or costly data breaches, according to a survey by a cloud security company and the Ponemon Institute.
The survey found that the majority of enterprises have not or do not know if they inspect their cloud services for malware. Considering that Netskope research estimates that less than five percent of cloud services are sanctioned, it is unlikely respondents are inspecting all potential services (sanctioned and unsanctioned), raising the possibility that the portion of cloud services that contains malware is even larger.
The findings also suggest that while 36 percent of business applications are now stored in the cloud, fewer than half of them are known, officially sanctioned or approved by IT. While respondents understand the risk of data breaches, nearly a third could not determine if they had been breached or what types of data were lost in the breach(es).
Sanjay Beri, founder and CEO, Netskope said: “These data confirm that while cloud adoption is very much on the rise, organisations still lack confidence in the cloud’s ability to protect sensitive information. With the rise of cloud threats like accidental data exposure, malware and ransomware aimed at exfiltrating data and extracting financial gain from sensitive data, IT teams need more robust intelligence, protection, and remediation to protect their data from breach or loss.”
Over half of respondents say the use of cloud services significantly increases the likelihood of a data breach, yet the majority have neither visibility nor have they taken the correct precautions to prevent breaches involving cloud.
● Nearly 20 per cent cannot determine if they experienced a breach or not, indicating a significant lack of insight into security policies and data currently stored in the cloud.
● For companies that did experience a data breach in the last year (19 per cent), 38 per cent say it was the cloud service itself that was breached. However, 30 per cent don’t have any idea how the breach occurred, and 33 per cent could not determine what data were lost or stolen.
● Malware is a significant source of data breaches as well: 36 per cent of respondents experienced a malware attack in the last year, but almost half (44 per cent) do not inspect the cloud for malware, and 11 per cent are unsure if they do.
● Of those organisations that do inspect the cloud for malware, 55 per cent of respondents say they found malware in the cloud.
Cloud adoption is on the rise. A recent forecast from 451 Research predicts that three in five (60 per cent) of enterprise workloads will run in the cloud by mid-2018, up from two in five (41 per cent) now. This report found that as more software and business applications move to the cloud, knowledge about what applications are in the cloud decreases, putting confidential and sensitive information at risk.
● The estimated percentage of software applications in the cloud has increased from 31 per cent in 2014 to 36 per cent in 2016. Apps that are known, officially sanctioned or approved by IT decreased from 33 per cent to 30 per cent, indicating cloud adoption may be outpacing security measures.
● When asked what cloud security risks are most concerning, 59 per cent of respondents say it is the possibility of experiencing compliance violations and regulatory actions and 50 per cent say it is the loss of control and the ability to influence end-user actions.
Impact of data breaches
Companies were asked to estimate the cost of data breaches involving the loss of 100,000 or more customer records within the last 12 months. They calculated a customer information breach would have cost them almost $16 million, taking into consideration the cost of remediation and technical support, lost business opportunities, and lost productivity because of downtime.
● The largest cost (40 per cent) is damage to reputation and brand, with companies estimating a spend of $6.20 million.
● Clean up and remediation spend was about $3.27 million, while damage or theft of IT assets and infrastructure accounted for just under a million dollars per year.
● For a data breach associated with intellectual property, damage to reputation and brand value again represents the largest estimated data breach cost component, at $4.68 million, nearly half (44 per cent) of the total estimated cost of $10.22 million. 38 per cent believe there is more than a 10 per cent chance of an IP-related data breach happening in the next year.
Respondents were asked to estimate the likelihood of a data breach when considering a number of IT scenarios involving an increased use of the cloud. The growing use of cloud services (SaaS) and the increase in backup and storage of confidential data in the cloud is most likely to cause a data breach in the cloud:
● 81 per cent believe an increase in cloud services usage of 50 per cent within the next year will increase the probability of a data breach. 86 per cent agree a 50 per cent increase in backup and storage of sensitive information in the cloud would also increase the probability of a data breach.
● Early cloud adopters are still skeptical: 40 per cent believe their cloud service providers enable security technologies to protect and secure sensitive or confidential information, and only 29 per cent believe cloud apps are in full compliance with privacy and data protection regulation and law.
Methodology
Netskope and Ponemon Institute surveyed 575 IT and IT security practitioners in 15 European countries who are familiar with their company’s usage of cloud services. This study was also conducted in 2014. Visit https://resources.netskope.com/h/i/294321081-cloud-malware-and-data-breaches-in-north-america-2016-study.
