Lax cloud compliance raises concerns about data breach legislation readiness

Digital security firm Gemalto last month released its “2018 Global Cloud Data Security Study” report. It commissioned the Ponemon Institute to perform the research, which surveyed more than 3200 IT and IT security practitioners worldwide.

The survey reveals 95% of global companies have adopted cloud services but there is a wide gap in the level of security precautions applied in different markets.

Fifty-four percent of global organisations believe payment information is at risk in the cloud, and 49% believe customer data is at risk. Fifty-seven percent think using the cloud increases compliance risk, though this is reduced from 62% last year.

Perhaps part of the problem is revealed by the survey itself: companies admitted that, on average, only 40% of the data stored in the cloud is secured with encryption and key management solutions.

Interestingly, the survey revealed large regional gaps in the adoption of, and attitude towards, cloud security. German businesses were 61% likely to secure confidential or sensitive information stored in the cloud. The figures plummeted for British (35%), Brazilian (34%) and Japanese (31%) organisations.

“While it’s good to see some countries like Germany taking the issue of cloud security seriously, there is a worrying attitude emerging elsewhere,” said Jason Hart, chief technology officer, Data Protection at Gemalto. “This may be down to nearly half believing the cloud makes it more difficult to protect data, when the opposite is true.”

Fortunately, 77% of organisations across the globe recognised the importance of being able to implement cryptologic solutions such as encryption and 91% believe this will become more important over the next two years.

Graeme Pyper, regional director, Australia and New Zealand, Gemalto, said, “The reasons why people are using the cloud have not really changed – pretty much all the decisions to go to cloud-based services are to do with reducing cost and time to delivery. However, if you are delivering something faster you have less opportunity to do your due diligence before you start consuming.”

“What jumped out for me,” Pyper says, “was 73% of Australian respondents said they were committed to protecting the information they have in the cloud. However, when you delve deeper into the numbers only half of that 73% have people and policies in place to manage the security of the information in the cloud. That’s a large number of companies using the cloud without any controls whatsoever and that concerns me.”

Pyper adds, “Thirty-five percent of Australian companies were proactive in terms of looking at security within cloud-based services. That didn't seem to be an awful lot to me. Normally the organisations I deal with have a framework for security and risk governance. Instead, the agile framework of the cloud has people going through a very assuming or tick-box exercise where they simply say ‘our cloud security is good enough’.”

Pyper emphasises this point by referring to data breaches that occurred over the last 12 months. “A lot of it is down to human error when someone hasn’t changed the default password on an account.”

“If only 35% of companies are looking at the security assessments then there’s an awful lot of applications people aren’t looking at, at all, so there is so much more to be done there,” Pyper says.

Eighty-eight percent of respondents believe the new General Data Protection Regulation will require changes in cloud governance, and 37% said it would require significant changes. Seventy-five percent of companies reported it is more complex to manage privacy and data protection regulations in the cloud than on-premise, particularly France (97%) and the US (87%).

Worryingly, only 25% of IT and IT security practitioners said they were very confident they knew all the cloud services their business is using. This was especially pronounced in Australia (61%), Brazil (59%) and Britain (56%).

Perhaps to mitigate their concerns over not knowing all the "shadow IT" apps on their network, 81% of companies said having the ability to use strong authentication methods for cloud-based data and applications was essential or very important. This was strongest in Australia (92%) followed by India (85%) and Japan (84%).

In Australia, the big news is the imminent data breach amendment to privacy rules, and the research raises concerns. “I’m reluctant to say everybody is ready for that,” Pyper says. “I don’t think people have done enough to protect the information they’re putting in places where they have lesser control.”

“Companies really need to up their game from lip service to encryptable security, on-premises or in the cloud.”

It’s very important, Pyper says, to make sure your company follows this process:

  1. classify your data and determine, based on your risk appetite, what you put where;
  2. perform a cloud security assessment;
  3. implement strong authentication;
  4. implement encryption, no matter where your data resides; and
  5. manage your own encryption key yourself, on-premises.

This latter step means you can move encrypted data from one cloud provider to another without exposing it. “You’re not giving your house keys to your next-door neighbour so they can water the plants,” Pyper says.
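Steps 4 and 5 as an added example, not code from Gemalto or the original article: envelope encryption in Node.js, where each object is encrypted at source with its own data key and that data key is wrapped by a key-encryption key (KEK) held on-premises. The in-memory KEK and the two `Map` objects standing in for cloud providers are assumptions for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: in production the KEK sits in an on-premises HSM or key manager;
// here it is a random in-memory key so the example runs offline.
const onPremKek = crypto.randomBytes(32);

// AES-256-GCM seal: returns iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal; final() throws if the key, AAD or ciphertext is wrong.
function open(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt at source: fresh data key (DEK) per object, wrapped by the KEK.
// The object id is bound as AAD so a record cannot be swapped under another id.
function encryptForCloud(kek, objectId, plaintext) {
  const aad = Buffer.from(objectId);
  const dek = crypto.randomBytes(32);
  return { objectId, wrappedDek: seal(kek, dek, aad), body: seal(dek, plaintext, aad) };
}

function decryptFromCloud(kek, record) {
  const aad = Buffer.from(record.objectId);
  return open(open(kek, record.wrappedDek, aad), record.body, aad);
}

// Constructed stand-ins for two providers' object stores; they hold only ciphertext.
const providerA = new Map();
const providerB = new Map();

// Moving between providers is an opaque copy: no key is needed and nothing is decrypted.
function migrate(from, to, objectId) {
  to.set(objectId, from.get(objectId));
  from.delete(objectId);
}

const sample = Buffer.from('customer=Constructed Sample;account=000-000'); // constructed data
providerA.set('cust/42', encryptForCloud(onPremKek, 'cust/42', sample));
migrate(providerA, providerB, 'cust/42');
console.log(decryptFromCloud(onPremKek, providerB.get('cust/42')).toString());
```

Because neither provider ever receives the KEK, a compromise of either store yields only ciphertext and wrapped data keys.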

Some companies might say they have no time to classify, or they will do it over time but have to put their application in the cloud now. “The simple answer,” Pyper states, “is if you’re going to be using the cloud or any other third party you need to ensure you’ve encrypted your data either at source or rest. Generally, if information is lying around, that’s the point where it is vulnerable.” 


David M Williams

David has been computing since 1984, when he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

 
