The Australian Information Commissioner (OAIC) hosts Privacy Awareness Week (PAW) each year, and it’s a great time to explore all aspects of privacy – not just online or cloud. For organisations, that means incorporating privacy into strategic planning, making privacy a governance priority, and taking a ‘privacy by design’ approach to integrating privacy management into all projects, products, and practices.
For the consumer, it is about being more aware that your data can and will be used, and that it is up to you to take steps to protect it.
Intel Security (incorporating McAfee) hosted a media briefing on the topic of Australian business attitudes to cloud adoption and sensitive data management. The punchline was that as more and more businesses rush to adopt the cloud (78% in the survey), more and more are storing sensitive data (78%) there without perhaps taking the proper safeguards.
Before we go too much further, let’s define cloud. In a public sense, it simply means using other people’s hardware, software, and services and connecting to these via the ‘internet’. That cloud can be located in Australia (where data sovereignty is an issue) or more likely in a lower hosting cost country – Singapore, Hong Kong, India, Philippines, USA and more.
Joel Camissar, Intel Security’s Director Asia Pacific Service Provider, MSP and Cloud Business started the briefing by saying “The privacy and data security debate is now a global issue due to the ubiquitousness of the cloud. We revisited an initial Australian survey done in 2013 to see what differences three years can make and wanting to answer the question - Does Australian business still have its head in the cloud when it comes to privacy?”
The survey was conducted by Stollznow Research and covered the attitudes of more than 450 Australian senior business leaders about the adoption of cloud services and the management of sensitive data via the cloud across their organisations.
Read on for the full findings or skip to the end for an infographic.
There is widespread (and rapidly growing) use of cloud services across Australian businesses, yet a lack of focus on security across the board. 76% already use the cloud, with 78% using it to hold sensitive data. 46% of non-cloud users say they will use cloud services soon.
Personally Identifiable Information (PII) is the biggest type of data being stored in the cloud (70%), followed by proprietary company documentation of processes and procedures (64%), network passwords (48%) and competitive data (48%).
Businesses using cloud services omitted key criteria when it came to choosing their cloud provider.
- 52% did not carry out a risk assessment or establish a Service Level Agreement (SLA).
- 44% did not consider the location of the cloud infrastructure.
- 37% did not check if the provider met the standards set out in the Australian Privacy Act.
- 56% of businesses holding sensitive data gave a higher level of importance to the cloud provider’s security certification (for example ISO 27001
- 60% cited continuity over any other factor as the biggest consideration for using the cloud.
Businesses not already using cloud services also showed a lack of due diligence when thinking about what they would/would not factor into their selection process when looking for a cloud service provider. 52% would not look to establish an SLA, carry out a risk assessment or require security certification.
Management of Sensitive Data
More than a third of Australian businesses don’t have a policy about staff sharing information via the cloud, despite a high level of concern about this. File-sharing tools continue to be used regardless, with the majority of businesses saying they have visibility over what employees use.
- 58% have a policy when it comes to employees sharing sensitive data in the cloud, with 60% saying that they have visibility over employee sharing.
- 40% either do not have a policy, or decision makers did not know about it – despite 57% claiming to be extremely/ very concerned about staff moving information through the cloud, via USB or through other tools.
- Across Australian businesses, Dropbox is the most common file transfer platform used (47%), followed by OneDrive (41%) and Google Drive (35%).
- Fewer people had training in sensitive data management in 2016 than three years ago (54% compared to 62%).
Data Loss and Breach Concerns
Australian businesses today are most worried about the risk of damaging their reputations and less likely to be concerned about the financial penalties. Worryingly, the research revealed an increase in businesses keeping quiet about data breaches, but a rise in the number that admit breaches to affected individuals/companies.
- 77% of businesses think their own company manages PII appropriately despite 57% saying they were concerned about how staff share data via the cloud.
- 70% cited reputational damage as a concern in the event of a breach, followed by loss of customer trust (60%).
- 33% worry about the financial penalties resulting from a breach today – Federal mandatory reporting legislation is coming.
- 18% experienced data breaches (21% in 2013). Research showed that the incidence of password and login information misuse is way up (46% compared with previous 35%).
- PII loss was down slightly from 48% to 45% today.
- The Australian Government reported losing the least password/login information (11%), with those in Financial Services and Insurance the worst for this (78%).
- More businesses today tell ‘no one’ about breaches (rising from 18% in 2013 to 26% in 2016). However, they have increased the incidence of telling external companies and individuals affected (up from 43% in 2013 to 50% today).
- 37% of IT decision makers knew about the proposed mandatory reporting of data breaches with those working in technology showing the highest awareness (56%). Of the 37% aware, 63% are prepared for the mandatory reporting.
It is good to see dedicated Australian statistics based on a representative sample of businesses from 25 to 10,000+ employees, statistically sampled to reflect the size makeup of Australian business.
The rush to the cloud is greater than expected, but at the SME end, cloud-hosted services such as Office 365, hosted email, MYOB, and other apps make this segment the fastest adopter.
It was scary to see that Intel Security alone had more than 49.9 billion queries to its research centre each day, that there were 43 million attempts per hour to entice users to click on malware links, and that 71 million potentially unwanted programs launch each day! Having a network or device that uses the internet sucks!
Camissar stated that if cybercrime were a nation, it would be the world’s 24th largest economy – about that of Sweden.
But perhaps the most telling thing is that the Aussie mantra ‘She’ll be right mate – won’t happen to me’ seems to apply to almost everything IT, cloud and security related. Sorry, but Murphy was an optimist where this is concerned. It is when, not if, a business is breached and suffers data loss.
It was also telling that there is no certification for cloud providers to comply with Australian Privacy Laws – just a reasonable expectation that they take adequate security measures.