Recent studies by large firms such as McAfee and Gemalto have found that 79% of companies store sensitive data in the public cloud, but 65% are unable to analyse all the data they collect and only 54% of companies know where all of their sensitive data is stored.
They have also found that thousands of cloud services are used ad hoc without vetting, i.e. staff circumvent the organisation’s official approver and procurer of cloud services (usually an IT Department) and procure cloud services of their own accord (referred to as “shadow IT”).
In addition, 52% of companies use cloud services that have had user data stolen in a breach.
McAfee’s study also found that 26% of files in the cloud contain sensitive data. Yet 91% of cloud services do not encrypt data “at rest”, meaning data isn’t protected if the cloud provider is breached.
This is a concern given that a non-technical Board member or Senior Executive would naturally assume that a cloud service provider would provide high levels of security and protection. The study shows that this is not always true. Only last week, Microsoft reported a breach of millions of customer records. Security breaches can happen to the best of them.
It is up to the client organisation (i.e. the entity using the cloud service) to apply and/or request (and pay for) additional security controls. However, the study also found that 30% of organisations lack staff with the skills to secure their Software-as-a-Service cloud applications.
Other studies, such as those conducted by Gartner and Verizon, have found that human error, complicated controls and rushed IT projects, in addition to the lack of in-house skills, are the greatest causes of data breaches stemming from the use of cloud services.
It often pays to bring in expertise to work with in-house IT personnel to ensure that security, privacy and availability are “built-in” from the start. Thereafter, an annual independent security check (or sooner if significant changes are applied) is well worth the investment.