CIO

Australian companies are shovelling data into the cloud – but not necessarily protecting it

Confidence in cloud prowess belies lack of cloud data protection strategies

Organisations are more committed than ever to protecting and controlling the sensitive information they put into cloud environments, according to new figures that suggest many organisations still think cloud security is someone else’s problem – and haven’t figured out how to make good on that commitment.

Marking a significant increase in the use of cloud application platforms to store their corporate data, fully 49 percent of corporate data was being stored in public cloud platforms, according to Australian respondents to Ponemon Institute’s 2019 Thales Cloud Security Study.

That was up more than a third compared with the 35 percent of corporate data stored globally in the cloud three years ago.

Some 75 percent of Australian respondents were storing customer information in the cloud – well ahead of the global average of 60 percent – while 55 percent were storing emails and 42 percent, consumer data.

Australian organisations were the most likely to be storing health information in the cloud, with 19 percent of respondents reporting doing so compared with 14 percent globally.

They were also well ahead of global peers in storing employee records in the cloud – 49 percent of Australian companies said they were doing so, compared with 37 percent globally – likely reflecting strong takeup of cloud-based human resources applications.

This represents a broad range of personally identifiable information (PII), which is carefully protected under privacy laws in Australia and elsewhere. Yet just 27 percent of Australian organisations believed that the EU’s General Data Protection Regulation (GDPR) would require significant changes in their cloud governance – reflecting ongoing confusion on the part of Australian companies.

“This study shows that businesses today are taking advantage of the opportunities that new cloud options offer, but aren’t adequately addressing data security,” said Graeme Pyper, ANZ regional director for cloud protection and licensing activity with Thales.

One of the major benefits of using cloud platforms is to be able to more easily share data with third parties – yet just 47 percent of the surveyed organisations said they were careful about doing so.

Just 58 percent of respondents said they evaluate cloud providers’ security capabilities before deploying their systems within the organisation. The remainder said such evaluations were not conducted because there aren’t enough resources to conduct the evaluation (63 percent), they aren’t able to control end users (59 percent), nobody is in charge (42 percent), and such audits were not considered to be a priority (39 percent).

“Having pushed the responsibility towards cloud providers, it is surprising to see that security is not a primary factor during the selection process,” Pyper said.

“It doesn’t matter what model or provider you choose, the security of your business’ data in the cloud has to be your responsibility. Your organisation’s reputation is on the line when a data breach occurs, so it is critical to ensure in-house teams keep a close eye on your security posture and always retain control of encryption keys.”

While 72 percent of respondents said they were committed to protecting the data they had stored in the cloud, just 50 percent said they had defined roles and accountability mechanisms to do so.

Fully 49 percent of organisations said they are encrypting sensitive data in the cloud – yet while 78 percent of businesses said it’s important to retain ownership of the keys to that encryption, just 53 percent are actually controlling the encryption keys for their cloud data.

These low numbers are striking given that Australian organisations were among the most confident in their ability to extend privacy and data protection regulations to their cloud platforms.

Just 61 percent of Australian businesses said that managing privacy in cloud environments was more complex than doing so on on-premises networks – well behind Germany (70 percent), the United States (79 percent), Japan (81 percent), and France (98 percent).

This suggests great confidence in the ability to transfer existing security practices into the cloud without modification – but that can be a real risk if it’s not managed correctly, or if the organisation lacks mechanisms to inventory and track its sensitive data across operational contexts.

“With businesses increasingly looking to use multiple cloud platforms and providers, it’s vital they understand what data is being stored and where,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

“Not knowing this information makes it essentially impossible to protect the most sensitive data – ultimately leaving these organisations at risk. We’d encourage all companies to take responsibility for understanding where their data sits to ensure it’s safe and secure.”