Businesses admit they are unsure if certain pieces of corporate information are stored on company servers or on those of their cloud providers, new research found.
Cloud-based services are continuing to climb and businesses are rapidly adopting them to leverage cost savings, but the research shows this is leaving them unable to safeguard and account for business data, which puts them at risk to the effects of a potential third-party data breach, according to research from Kaspersky Lab.
“Today, businesses are leveraging cloud infrastructures more than ever because of the efficiency and flexibility to the organization, but this digital business transformation is presenting new questions around where data resides and how it’s being secured,” said Rob Cataldo, senior director of enterprise sales at Kaspersky Lab North America. “When making the critical decision of which third-party providers to work with, businesses not only need to reevaluate their own cloud security posture, but they also need to have a discussion with third-party providers about their cybersecurity policies and treat the relationship as a business risk that needs to be continuously managed.”
Cloud services are enabling companies to take advantage of key technologies to support day-to-day operations and growth plans – without having to worry about maintenance or a hefty price tag, according to the report. Along those lines, 78 percent of businesses are already using at least one Software-as-a-Service (SaaS) based platform, and 75 percent are also planning to move more applications to the cloud in the future. When it comes to Infrastructure as a service (IaaS), 49 percent of enterprises and 45 percent of SMBs are looking to outsource IT infrastructure and processes to third-parties.
However, the adoption of cloud services is also making it hard for organizations to achieve a well-defined security strategy, since the uncertainty around who is responsible for the security of corporate sensitive data in the cloud becomes a challenge. Research found 70 percent of businesses using SaaS and cloud service providers have no clear plan in place to deal with security incidents which could affect their partners. In addition, 24 percent admit to not even checking the compliance credentials of their service provider, which shows an assumption they will pick up the pieces if something goes wrong.
However, with 24 percent of businesses having experienced a security incident affecting the IT infrastructure hosted by a third-party over the past year – and 47 percent of those affected suffering data loss, leakage or exposure as a result of the third-party cloud infrastructure breach – a reliance on cloud providers alone to protect sensitive corporate data is risky.
The lack of planning and accountability of sensitive data by cloud adopters could have serious consequences for businesses, with enterprises suffering an average $1.2 million financial impact as the result of a cloud-related security incident, compared to $100,000 for SMBs. Where data has been compromised as the result of a third-party incident, the top three types of data to be affected were:
• Highly sensitive customer information (49 percent of SMBs, 40 percent of enterprises)
• Basic employee information (35 percent of SMBs, 36 percent of enterprises)
• Emails and internal communication (31 percent of SMBs, 35 percent of enterprises)
Businesses need to find a better way to control and protect their sensitive corporate data. To do so, companies need find anomalies within their cloud infrastructures, which can only be achieved through a combination of techniques including machine learning and behavioral analytics.
The ability to identify and defend against unknown threats is fundamental to cloud infrastructure security.