New study: patchwork approach to cyber security making life difficult for organizations
- Published: Friday, 15 May 2020 11:32
The third-annual Oracle and KPMG Cloud Threat Report 2020 has found that a patchwork approach to data security, misconfigured services, and confusion around new cloud security models have created a crisis of confidence that will only be fixed by organizations making security part of the culture of their business.
The study of 750 cyber security and IT professionals across the globe found that:
- IT professionals are 3X more concerned about the security of company financials and intellectual property than their home security.
- IT professionals have concerns about cloud service providers; 80 percent are concerned that cloud service providers they do business with will become competitors in their core markets.
- 75 percent of IT professionals view the public cloud as more secure than their own data centers, yet 92 percent of IT professionals do not trust that their organization is well prepared to secure public cloud services.
- Nearly 80 percent of IT professionals say that recent data breaches experienced by other businesses have increased their organization’s focus on securing data moving forward.
IT professionals are using a patchwork of different cyber security products to try and address data security concerns, but face an uphill battle as these systems are seldom configured correctly:
- 78 percent of organizations use more than 50 discrete cyber security products to address security issues; 37 percent use more than 100 cyber security products.
- Organizations that discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year.
- 59 percent of organizations shared that employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack.
The most common types of misconfigurations are:
- Over-privileged accounts (37 percent)
- Exposed web servers and other types of server workloads (35 percent)
- Lack of multi-factor authentication for access to key services (33 percent).
Organizations are moving more business-critical workloads to the cloud than ever before, but growing cloud consumption has created new blind spots as IT teams and cloud service providers work to understand their individual responsibilities in securing data. This confusion has left IT security teams scrambling to address a growing threat landscape:
- Nearly 90 percent of companies are using software-as-a-service (SaaS) and 76 percent are using infrastructure-as-a-service (IaaS) today; 50 percent expect to move all their data to the cloud in the next two years.
- Shared responsibility security models are causing confusion; only 8 percent of IT security executives state that they fully understand the shared responsibility security model.
- 70 percent of IT professionals think too many specialised tools are required to secure their public cloud footprint.
- 75 percent of IT professionals have experienced data loss from a cloud service more than once.
The survey report says that to address increasing data security concerns and trust issues, cloud service providers and IT teams need to work together to build a security-first culture. This includes hiring, training, and retaining skilled IT security professionals, and constantly improving processes and technologies to mitigate threats in an increasingly expanding digital world:
- 69 percent of organizations report that their CISO reactively responds and gets involved in public cloud projects only after a cyber security incident has occurred.
- 73 percent of organizations have or plan to hire a CISO with more cloud security skills; over half of organizations (53 percent) have added a brand new role called the Business Information Security Officer (BISO) to collaborate with the CISO and help integrate security culture into the business.
- 88 percent of IT professionals feel that within the next three years, the majority of their cloud will use intelligent and automated patching and updating to improve security.
- 87 percent of IT professionals see AI/ML capabilities as a ‘must-have’ for new security purchases in order to better protect against things like fraud, malware and misconfigurations.