Threats to data security are causing fear and mistrust among IT professionals, according to a report by Oracle and KPMG on cloud security threats in 2020 for the first third of the year (Oracle and KPMG Cloud Threat Report 2020). A survey of 750 cybersecurity and IT professionals around the world showed that a patchwork approach to data security problems, misconfigured services and confusion over new cloud security models have created a crisis of confidence. Only those companies in which security has become part of the business culture can overcome it.
Experts consider AI and machine learning mandatory for information security
The study found that IT professionals are more concerned about the security of their company’s data than about security at home. IT professionals are three times more concerned with the security of their company’s financial data and intellectual property than with the security of their own homes.
IT professionals are also concerned about cloud service providers: 80% of professionals believe that the cloud service providers with whom they do business will become their competitors in their key markets.
75% of IT professionals believe that the public cloud is better protected than their own data centres, but 92% of IT professionals do not believe that their organizations are fully prepared to use secure public cloud services. About 80% of IT professionals claim that recent data leaks that other organizations have encountered have forced them to strengthen data protection during business development.
IT professionals are trying to eliminate data protection problems by “patching holes” with various cybersecurity solutions, but they face an almost impossible task, since these systems are rarely configured correctly.
78% of organizations use more than 50 different solutions to ensure cybersecurity; 37% of companies use more than 100 such solutions. Organizations with misconfigured cloud services identified 10 or more data loss incidents last year.
59% of organizations said they encountered a targeted phishing attack on the credentials of employees with privileged cloud accounts. The most common types of misconfiguration are accounts with excessive privileges (37%); unprotected web servers and other types of server workloads (35%); and lack of multifactor authentication when accessing basic services (33%).
More than ever before, organizations are moving business-critical workloads to the cloud. The growing consumption of cloud services creates new “blind spots” in security, as IT departments and cloud service providers work to understand where their individual responsibility for data security lies. This confusion leaves information security departments struggling to cope with the growing threat landscape.
Almost 90% of companies already use Software as a Service (SaaS) and 76% use Infrastructure as a Service (IaaS); 50% of organizations intend to transfer all data to the cloud over the next two years.
Models of shared responsibility for security create confusion. Only 8% of the heads of information security services said they fully understood the model of shared responsibility for security.
70% of IT professionals believe that too many specialized tools are required to protect the entire environment in the public cloud. 75% of IT professionals have repeatedly lost data when using a cloud service.
To solve security problems and overcome mistrust, cloud service providers and IT departments must work together to build a Security-First culture. Such a model involves the hiring, training and retention of qualified information security professionals, as well as the continuous improvement of processes and technologies that help eliminate threats in an ever-expanding digital world.
69% of organizations report that chief information security officers (CISOs) respond to information security problems after the fact and take part in public cloud projects only after a serious incident.
73% of organizations have IT security directors with experience working in the cloud or plan to hire such a specialist. More than half of the companies (53%) created a new position, Business Information Security Officer (BISO), who works in collaboration with the Chief Information Security Officer (CISO) and helps to integrate a security culture in the organization.
88% of IT professionals believe that over the next three years, most clouds will use intelligent and automatic patches and updates to enhance security.
87% of IT professionals believe that a prerequisite for the acquisition of new security features will be the availability of artificial intelligence (AI) and machine learning (ML) capabilities. They will provide better protection against threats such as fraud, malware and configuration errors.
“Over the past two years, the transfer of important information to the cloud has shown its promise. However, the use of heterogeneous tools and security processes constantly led to costly configuration errors and data leaks. However, there is some progress here,” said Steve Daheb, senior vice president of Oracle Cloud. “Intelligent tools with autonomous capabilities help overcome the lack of qualifications. The costs of these tools are already included in the roadmap of budget expenditures for the near future, and senior executives consistently adhere to the principle of ‘safety first’, unifying different lines of business.”
“The business is in difficult conditions. To cope with problems, it accelerates the transfer of workloads and important data to the cloud to support a new way of working and optimize the cost model. This exposes existing vulnerabilities and creates new risks,” said Tony Buffante, global co-director and leader of cybersecurity services at KPMG LLP in the United States. “To cope with the growing level of threats in the new environment, directors of information security (CISO) must integrate security into migration strategies in the cloud and maintain regular interaction with the business on security issues.”
The data presented in the report was collected through an online survey of 750 cybersecurity and IT professionals from organizations and companies of the private and public sectors in North America (USA and Canada), Western Europe (Great Britain and France) and the Asia-Pacific region (Australia, Japan and Singapore) from December 16, 2019, to January 16, 2020. Only those respondents who were responsible for evaluating, acquiring, and managing cybersecurity technology products and services, and who were at the same time using a public cloud in their companies, were selected to participate in the survey.