In its latest report, the Cloud Security Alliance reveals clear security concerns about protecting sensitive data in the cloud. A full 96% of all security managers surveyed say that their company's sensitive data is not adequately protected in the cloud.
In a recent survey, 1,663 IT and information security professionals from organisations around the world and of varying sizes were asked about the current state of cloud security in their organisations. The results are revealing and paint a gloomy picture: according to the survey, 86% of all experts say they have a high or medium-high level of confidence in their own abilities and those of the organisation to secure data in the cloud. Nevertheless, only 4% of the companies conclude that their sensitive data is also sufficiently protected in the cloud. The survey does not explain how this startling gap between self-assessed capabilities and the effective implementation of security measures comes about, but it does contain some other notable findings.
Loose access restrictions are standard
One possible explanation, at least in part, is access rights to sensitive data. In most companies, for example, suppliers have almost as much access to particularly sensitive data as the company's own employees. More than 25% of companies report that up to three quarters of their entire staff and suppliers have access to sensitive company data. Especially in light of the supply chain cyberattacks that have recently become known, this should give pause for thought, and it is advisable to consider tougher restrictions.
Data breaches with major consequences are commonplace
Indeed, 49% of all companies report having had a data breach or even a data loss from the cloud in the last 12 months. This, combined with the high confidence in cloud security capabilities, suggests that the complexity of cloud environments is increasing, making a universal data strategy more difficult. In fact, almost all companies use at least two or three cloud solutions (IaaS as well as PaaS) to store their data. The outlook is not exactly optimistic either, with 62% expecting another data breach or data loss in the next year. This is remarkable because the biggest impact of these breaches is financial and legal. In third place, still with a high impact, is a damaged image of the affected company. The top 3 impacts are thus all business-critical, confirming once again that cyber risks must be monitored constantly, not only within IT but as part of business risks.
Lack of data protection strategies without encryption and DLP
Despite the known and potentially devastating risks, ongoing risk analysis is part of only 23% of all data protection strategies. The most commonly integrated components are backup and recovery (33%), process audits (32%) and compliance with standards and regulations (31%). And although Zero Trust is on everyone's lips, only 19% of companies consider the framework in their data protection strategy. Data encryption, which is considered the basis of data security, is likewise considered by only around a quarter of companies, and important measures to prevent a loss, such as data loss prevention (DLP), are also insufficiently implemented.
Sensitive data should not only be stored in the cloud
Many companies still have a long process ahead of them to optimally protect sensitive data in the cloud. Above all, it is a process that will never be completed, because it is necessary to constantly adapt to changing conditions brought about by new technology and organisation. Sometimes, however, the best or even necessary solution is to store data outside the cloud. Today, there are many simple solutions for DLP and encryption. The simplest and most secure is still to create an encrypted offline backup. In this way, any company can easily and effectively protect itself against a data loss without significantly increasing the complexity of the systems. Thanks to innovative technology, it is also possible not only to create an offline backup with encrypted devices such as an external SSD or HDD, but also to store an encrypted backup in a public cloud at the same time and without additional effort via the device. This means that essential and effective principles of data protection have already been implemented.