Cloud data security left to chance
Less than half of large organisations ensure cloud data is encrypted, says PwC survey
Tech4Biz | 20 Apr 2012 :
Despite the ubiquity of cloud service usage, only 38% of large organisations ensure that data held by external providers is encrypted, while some 56% of small businesses do not check the security provisions of external service providers.
These are some of the findings of a survey carried out by PwC and Infosecurity Europe. The preliminary findings of the 2012 Information Security Breaches Survey (ISBS) showed that around a quarter of large organisations and one-fifth of small ones have sensitive confidential data hosted on the Internet, with web site, e-mail and payment service provision the most commonly used cloud services. Half of financial services, telecommunications and utilities organisations critically depend on them.
"The Internet continues to facilitate more sophisticated business relationships," said Chris Potter, information security partner, PwC. "Businesses are putting their faith in third parties to take care of their data but many are taking a laissez faire attitude to the security element. Not only are they often completely leaving the security controls to third parties, they are not actually checking what controls those third parties have in place.
"Small businesses may think that because their data is being hosted by a large cloud provider that good security controls will be in place, but this isn't necessarily the case. Companies should always check what security controls their providers are operating."
Many small businesses rely only on a contingency plan to move the outsourced service if there are issues. Yet, a third of contingency plans to deal with systems failure and data corruption prove ineffective, according to the survey. The survey shows a strong correlation between the effectiveness of contingency plans and the seriousness of breaches. When contingency plans do work, less than half the incidents were serious; when the plans failed, four-fifths were serious.
The biggest blind spot in contingency planning, says the survey, is the infringement of laws and regulations, where less than a fifth (18%) of affected organisations had a contingency plan. Further to this, 45% of large organisations breached data protection laws in the last year and this happened at least once a day at one in ten of them. After the most serious breaches, organisations improved their processes and technology and also trained their people. This reinforces the evidence that the worst security breaches are due to multiple failures in a combination of people, process and technology.
"Too many contingency plans are currently ineffective. Organisations should be frequently stress-testing their plans, especially because the survey shows a direct correlation between contingency planning and the severity of breaches. Rather than relying on contingency plans, organisations would be in a much more powerful position if they secure their data in the first place," said Potter