96% of companies report insufficient security for sensitive cloud data

The vast majority of organisations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).

The CSA report surveyed 1,663 IT and security professionals from organisations of various sizes and in various locations.

"Only four pert cent report sufficient security for 100 per cent of their data in the cloud. This means that 96 per cent of organisations have insufficient security for at least some of their sensitive data," according to the report, which was sponsored by data intelligence firm BigID.

Apart from struggling with securing sensitive data, organisations are also having trouble tracking data in the cloud. Over a quarter of organisations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45 per cent aren’t tracking unclassified data, the report said.

“This suggests that organisations’ current methods of classifying data aren’t sufficient for their needs," the CSA study noted. "However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organisations need to utilise data discovery and classification tools to properly understand the data they have and how to protect it."

Dark data comprises the information assets organisations collect, process and store during regular business activities, but generally fail to use for other purposes, according to market research firm Gartner.

About 79 per cent of organisations have moderate to high levels of concern around the proliferation of dark data in their organisation but are unsure about how to approach the issue.

Dark data causes security gaps

“Without getting a handle on the issue of dark data, organisations can’t properly understand their data risk posture or assess their attack surface. This can only lead to vulnerabilities and security gaps,” the report said.

Organisations also need to define a unified approach to tackling dark data to avoid competing priorities in siloed departments. “Establishing a single source such as a data inventory can provide disparate departments with the base knowledge they need to work more cohesively,” the report noted.

When it comes to software-as-a-service (SaaS) platforms, 76 per cent of organisations rated tracking data as moderately to highly difficult. “The difficulty of data tracking is particularly concerning when considering the amount of sensitive data that organisations have in SaaS platforms,” the report said.

"Forty per cent of organisations indicate that 50 per cent or less of their sensitive data in the cloud has sufficient security," according to the report.

Most companies expect a data breach in next 12 months

About 62 per cent of organisations reported they are somewhat highly likely to experience a cloud data breach in the next year.

Organisations that have experienced a breach believe a data breach is more likely to happen in the future, with only eight per cent reporting a data breach in the next 12 months to be very unlikely.

For organisations that hadn’t experienced a breach in the past 12 months, 22 per cent indicated that a breach in the next 12 months is very unlikely, according to the report.

Most organisations use four to five components for their data protection strategy. Data back-up and recovery, auditing and assessing data protection processes, adhering to standards and regulatory compliance, and establishing policies and procedures were some of the most common components that over a third of survey respondents were using.

However, use of components such as triaging alerts, zero trust, and data sovereignty were each used by less than 20 per cent of organisations participating in the survey, indicating that most organisations are yet to fully integrate zero trust in their data protection strategies.

Third parties and suppliers have access to sensitive data

In light of recent supply chain attacks, organisations should secure their sensitive data from their third party contractors and partners. However, organisations appear to give nearly identical levels of access to sensitive data in their organisation to employees, contractors, partners, and suppliers, the report said.

Two out of three data breaches are the result of vulnerabilities from suppliers and third parties, according to a study by Colorado State University. Considering the enormity of these implications, organisations need to understand who has access to their sensitive data and lock down access, in particular to third parties, according to the CSA report.