Saturday, 17 February 2018 22:14

Lax cloud compliance raises concerns about data breach legislation readiness


Digital security firm Gemalto last month released its “2018 Global Cloud Data Security Study” report. Gemalto commissioned the Ponemon Institute to perform the research, which surveyed more than 3200 IT and IT security practitioners worldwide.

The survey reveals 95% of global companies have adopted cloud services but there is a wide gap in the level of security precautions applied in different markets.

Fifty-four percent of global organisations believe payment information is at risk in the cloud, and 49% believe customer data is at risk. Fifty-seven percent think using the cloud increases compliance risk, though this is reduced from 62% last year.

Perhaps part of the problem is revealed by the survey: companies admitted that, on average, only 40% of the data stored in the cloud is secured with encryption and key management solutions.

Interestingly, the survey revealed large regional gaps in the adoption of, and attitude towards, cloud security. German businesses were 61% likely to secure confidential or sensitive information stored in the cloud. The figures plummeted for British (35%), Brazilian (34%) and Japanese (31%) organisations.

“While it’s good to see some countries like Germany taking the issue of cloud security seriously, there is a worrying attitude emerging elsewhere,” said Jason Hart, chief technology officer, Data Protection at Gemalto. “This may be down to nearly half believing the cloud makes it more difficult to protect data, when the opposite is true.”

Fortunately, 77% of organisations across the globe recognised the importance of being able to implement cryptologic solutions such as encryption and 91% believe this will become more important over the next two years.

Graeme Pyper, regional director, Australia and New Zealand, Gemalto, said, “The reasons why people are using the cloud have not really changed – pretty much all the decisions to go to cloud-based services are to do with reducing cost and time to delivery. However, if you are delivering something faster you have less opportunity to do your due diligence before you start consuming.”

“What jumped out for me,” Pyper says, “was 73% of Australian respondents said they were committed to protecting the information they have in the cloud. However, when you delve deeper into the numbers only half of that 73% have people and policies in place to manage the security of the information in the cloud. That’s a large number of companies using the cloud without any controls whatsoever and that concerns me.”

Pyper adds, “Thirty-five percent of Australian companies were proactive in terms of looking at security within cloud-based services. That didn't seem to be an awful lot to me. Normally the organisations I deal with have a framework for security and risk governance. Instead, the agile framework of the cloud has people going through a very assuming or tick-box exercise where they simply say ‘our cloud security is good enough’.”

Pyper emphasises this point by referring to data breaches that occurred over the last 12 months. “A lot of it is down to human error when someone hasn’t changed the default password on an account.”

“If only 35% of companies are looking at the security assessments then there’s an awful lot of applications people aren’t looking at, at all, so there is so much more to be done there,” Pyper says.

Eighty-eight percent of respondents believe the new General Data Protection Regulation will require changes in cloud governance, and 37% said it would require significant changes. Seventy-five percent of companies reported it is more complex to manage privacy and data protection regulations in the cloud than on-premise, particularly France (97%) and the US (87%).

Worryingly, only 25% of IT and IT security practitioners said they were very confident they knew all the cloud services their business is using. This was especially pronounced in Australia (61%), Brazil (59%) and Britain (56%).

Perhaps to mitigate their concerns over not knowing all the "shadow IT" apps on their network, 81% of companies said having the ability to use strong authentication methods for cloud-based data and applications was essential or very important. This was strongest in Australia (92%) followed by India (85%) and Japan (84%).

In Australia, the big news is the imminent data breach amendment to privacy rules, and the research raises concerns. “I’m reluctant to say everybody is ready for that,” Pyper says. “I don’t think people have done enough to protect the information they’re putting in places where they have lesser control.”

“Companies really need to up their game from lip service to encryptable security, on-premises or in the cloud.”

It’s very important, Pyper says, to make sure your company follows this process:

  1. classify your data and determine, based on your risk appetite, what you put where;
  2. perform a cloud security assessment;
  3. implement strong authentication;
  4. implement encryption, no matter where your data resides; and
  5. manage your own encryption key yourself, on-premises.

This latter step means you can move encrypted data from one cloud provider to another without exposing it. “You’re not giving your house keys to your next-door neighbour so they can water the plants,” Pyper says.

Some companies might say they have no time to classify, or they will do it over time but have to put their application in the cloud now. “The simple answer,” Pyper states, “is if you’re going to be using the cloud or any other third party you need to ensure you’ve encrypted your data either at source or rest. Generally, if information is lying around, that’s the point where it is vulnerable.” 




David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.


