According to the third annual Oracle and KPMG Cloud Threat Report 2020 report, data security is creating “fear and trust issues” for IT professionals.
The study of 750 cybersecurity and IT professionals found:
- IT professionals are 3 times more concerned about the security of company financials and intellectual property than their home security.
- IT professionals have concerns about cloud service providers; 80% are concerned that cloud service providers they do business with will become competitors in their core markets.
- 75% of IT professionals view the public cloud as more secure than their own data centres, yet 92%of IT professionals do not trust their organisation is well prepared to secure public cloud services.
- Nearly 80% of IT professionals say that recent data breaches experienced by other businesses have increased their organisation’s focus on securing data moving forward.
And the study reveals that Australia shows an even greater appetite than the global average for leveraging artificial intelligence, machine learning (AI/ML) capabilities, which 100% of IT professionals see as a “must-have” for new security purchases, compared to 87% globally.
Findings revealed that:
- In Australia 68% of IT professionals view the public cloud as more secure than their own data centres – a lower than the global average of 75%, perhaps because 95% of IT professionals also say that they do not trust their organization is well prepared to secure public cloud services.
- Australia has a higher opinion compared to the 70% global average that too many specialised tools are required to secure their public cloud footprint, with 75% being of this opinions
- In Australia, more organisations than the global average shared that employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack – 70% as compared to 59% globally.
- In Australia, a marked difference is that fewer than the global average (73%) of organisations have or plan to hire a CISO with more cloud security skills (63 percent). Similarly fewer organisations have added a brand new role called the Business Information Security Officer (BISO) to collaborate with the CISO and help integrate security culture into the business (45% as compared to 53% globally).
And according to the study IT professionals are using a patchwork of different cybersecurity products to try and address data security concerns, but face an “uphill battle as these systems are seldom configured correctly”, with findings revealing:
- 78% of organisations use more than 50 discrete cybersecurity products to address security issues; 37 % use more than 100 cybersecurity products.
- Organisations who discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year.
- 59% of organisations shared that employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack.
- The most common types of misconfigurations are:
- Over-privileged accounts (37%)
- Exposed web servers and other types of server workloads (35%)
- Lack of multi-factor authentication for access to key services (33%)
According to Oracle and KPMG,organisations are moving more business-critical workloads to the cloud than ever before, “but growing cloud consumption has created new blind spots as IT teams and cloud service providers work to understand their individual responsibilities in securing data”.
They say this confusion has left IT security teams scrambling to address a growing threat landscape:
- Nearly 90% of companies are using software-as-a-service (SaaS) and 76% are using infrastructure-as-a-service today (IaaS); 50% expect to move all their data to the cloud in the next two years.
- Shared responsibility security models are causing confusion; only 8% of IT security executives state that they fully understand the shared responsibility security model.
- 70% of IT professionals think too many specialised tools are required to secure their public cloud footprint.
- 75% of IT professionals have experienced data loss from a cloud service more than once.
Oracle and KPMG say that to address increasing data security concerns and trust issues, cloud service providers and IT teams need to work together to build a security-first culture, including hiring, training, and retaining skilled IT security professionals, and constantly improving processes and technologies to help mitigate threats in an increasingly expanding digital world.
The study found that:
- 69% of organisations report their CISO reactively responds and gets involved in public cloud projects only after a cybersecurity incident has occurred.
- 73% of organisations have or plan to hire a CISO with more cloud security skills; over half of organizations (53%) have added a brand new role called the Business Information Security Officer (BISO) to collabor ate with the CISO and help integrate security culture into the business.
- 88% of IT professionals feel that within the next three years, the majority of their cloud will use intelligent and automated patching and updating to improve security.
- 87% of IT professionals see AI/ML capabilities as a “must-have” for new security purchases in order to better protect against things like fraud, malware and misconfigurations.
“The lift-and-shift of critical information to the cloud over the last couple of years has shown great promise, but the patchwork of security tools and processes has led to a steady cadence of costly misconfigurations and data leaks. Positive progress is being made, though,” said Steve Daheb, Senior Vice President, Oracle Cloud.
“Adopting tools that leverage intelligent automation to help close the skills gap are on the IT spend roadmap for the immediate future and the C-level is methodically unifying the different lines of business with a security-first culture in mind.”