Cloud Security Alliance researchers on Thursday reported that only 39% of organizations surveyed say they have high levels of confidence in their ability to secure cloud data, while only 4% report sufficient security for 100% of their data in the cloud.
The survey also found that third parties, contractors, and suppliers are the most commonly targeted groups (58%) in cyberattacks. And some 92% of those that have already experienced a data breach believe they will experience another breach of cloud data in the next 12 months.
"Cloud data security is top of mind for organizations of all sizes, showing that many organizations are unprepared to deal with the unique challenges of securing data in the cloud, said Dimitri Sirota, co-founder and CEO at BigID, which worked with the CSA on the survey. “With the rapid growth of cloud, it's essential that organizations take steps to improve their cloud data security posture.”
Dave Burton, CMO at Dig Security, added that the vast majority of organizations do not even know what data they have and where it’s stored, so estimating how much of that data has sufficient controls is most likely not an accurate number; it’s an estimate at best. Burton said even for the 4% of organizations reporting sufficient security for all of their data in the cloud, that posture has already changed because of the elasticity of the cloud.
“Data needs to be monitored continuously not only for posture, but also for active threats against sensitive data,” Burton said. “Data detection and response complements data security posture management to ensure proactive controls are in place to protect data.”
John Bambenek, principal threat hunter at Netenrich, added that, as with most new technologies, there was a rush to adopt before there was really an understanding of the risks and how to secure sensitive information. There has always been frustration with change management controls, security reviews, and audit controls slowing teams down, said Bambenek.
“Now with DevSecOps (where the Sec is silent) organizations have to be content with teams just going straight to the cloud (or worse, shadow IT) where traditional tools like network security and DLP are limited,” Bambenek said. “Slogans like ‘move fast and break things’ are held up as the ideal because those who move fast don’t have to contend with the consequences of what they broke.”