Trend Micro on Tuesday released a study that said cloud computing was among the top two infrastructure risks for businesses. The other was organizational misalignment and complexity.
The biannual Cyber Risk Index (CRI) gave cloud computing a 6.77, ranking it as an “elevated risk” on the CRI’s 10-point scale. Many respondents said they spend “considerable resources” managing third-party risks like cloud providers.
Produced by the Ponemon Institute on behalf of Trend Micro, the CRI also found that 80% of global organizations report they are likely to experience a data breach that impacts customer data in the next 12 months. Ponemon based the study on surveys of more than 3,600 businesses of all sizes and verticals across North America, Europe, Asia-Pacific, and Latin America.
While security teams can’t fully mitigate risks related to cloud computing by technical controls alone, they can support organization-wide risk mitigation efforts and help to streamline these efforts, said Dirk Schrader, global vice president, security research at New Net Technologies, now a part of Netwrix.
“Configuration hardening and change controls will help to secure and harden any IaaS deployments,” said Schrader. “And account monitoring will help to identify dormant cloud service accounts, as well as manage data access and privacy, support compliance, and prevent the loss of data in case of cloud service misconfigurations.”
Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, added that, as we've seen with the uptick in attacks on the supply chain just this year, third-party risk has grown exponentially as more organizations outsource their business needs. He said there's no catch-all option to manage cloud risk, and even when organizations do the right thing at home, they may find themselves at risk because of what's in the cloud or data in the hands of their vendor.
“Reducing risk requires evaluating everything from security posture to security tools and the critical data that may reside in the cloud to reduce risk,” Nikkel said.
“Organizations should establish clear policies around configuring data and services in the cloud and audit them frequently. Also, it’s crucial to ensure your vendor and any downstream vendors keep things updated and secure with infrastructure and applications. Some of the most dangerous breaches occurred because of a relatively trivial problem with not having minimum security practices in place.”