Despite limited visibility, businesses trust cloud services over email and mobiles

Companies “mask” the cybersecurity complexity that cloud introduces – and tools aren’t helping as much as they’re supposed to

Security practitioners now trust public cloud storage services with sensitive business data more than they trust email, social media, mobile devices and laptops, according to a survey of security practitioners that also suggested big-data analytics aren’t improving security as much as many would like to believe.

Forcepoint’s The Human Point research, based on a survey of 1252 cybersecurity professionals, found that while corporate data was being broadly distributed across different storage media – 49 percent on private clouds, 28 percent on Bring Your Own Device (BYOD) equipment, 25 percent on removable media, and 21 percent on public cloud services – commingling of business and personal data was impacting visibility of that information.

While 44 percent of Australian respondents rated email as the biggest risk to their critical business data, just 8 percent said the same about cloud storage facilities – suggesting that businesses are comfortable with use of cloud services. This, even though fully 58 percent said they have low to moderate visibility into employees’ use of data across devices and services, with 46 percent saying they are extremely or very concerned about the lack of visibility across devices.

That’s hardly news for Daryush Ashjari, APAC vice president with Intel Security, who has seen security challenges emerging even as businesses come to grips with the need to get better visibility tools implemented. “Cloud is fantastic for its ROI, agility, speed, and value,” he told CSO Australia, “however I think we mask the cybersecurity challenges that this infrastructure inherits.”

Intel Security recently released its own report into cloud security, which also found more of the over 2000 surveyed IT professionals say they trust public clouds (40 percent) than the number that mistrust them (30 percent). Fully 75 percent of Australian respondents said they were storing customers’ personal data in public cloud environments – well ahead of the 62 percent globally who were doing the same. Yet only 53 percent said they had visibility of what was happening with that data.

“Technology has come to the right level to create the visibility that organisations need,” said Ashjari, “and we couldn’t do this years ago. But it’s up to organisations to leverage them. When it comes to embracing cloud-based services and applications, having control and visibility is not an option anymore.”

Cloud-security firm LightCyber recently estimated that 155 million workloads will be moved to public-cloud data centres, where they would face a range of risks including data breaches, manipulation of data stored in the cloud, exploitation for launching DDoS attacks on other sites, attacks using cloud servers as the entry point for other networks, attacks affecting the availability of infrastructure as a service (IaaS) platforms, and more.

“Today most organisations lack the ability to detect an active attacker at work on the on-premises or private cloud network,” the firm’s experts advised. “Targeted attackers can gain access to the network and then work for months without fear of being discovered.”

All these threats had to be remediated against when embracing the cloud – yet the Forcepoint data suggested that businesses are still struggling to figure out how to do this effectively.

For example, while 27 percent of the respondents said they are using big data techniques to analyse security data, only 18 percent said big data was actually making security easier for them. This represents a challenge for companies like Unisys, which recently launched a machine-learning-as-a-service offering and IBM, which has been expanding the use of its Watson machine-learning tool into the security arena.

Whether because of their capabilities or a lack of understanding about how to use them, other types of security tools are also falling short of expectations: just 32 percent of respondents said that cybersecurity tools are very or extremely effective at recognising anomalous activity on the network. And 36 percent said they are very or extremely satisfied with the benefits they’ve seen from deploying cybersecurity tools.

Those ratings leave a lot of room for improvement, particularly as theft of unstructured data raises the spectre of mass exfiltration of intellectual property – particularly from poorly prepared businesses in particularly vulnerable industry sectors. A recent Security Colony evaluation suggested that Australian healthcare, energy, material and industrial firms were the least mature on cybersecurity while IBM’s recent X-Force Threat Intelligence Index 2017 identified unprecedented volumes of data theft as resourceful cybercriminals continued to evolve their attacks, particularly against sectors like healthcare and financial services.