The Covid-19 pandemic has introduced a huge amount of disruption into the lives of IT professionals as they strive to rapidly adapt to changes in working at the same time as trying to ensure these new processes are secure.  The third-annual Cloud Threat Report from tech giant Oracle and consulting firm KPMG reminds us that even in these disruptive times, some issues remain perennially vexing.

“Today’s businesses are embarking on sweeping digital transformation initiatives to fundamentally retool business models through the strategic use of digital technologies such as cloud services, mobile applications, and data analytics,” the report says.  “The broad adoption of cloud applications is helping support a surge in remote workers while also creating new opportunities for cyber-criminals to conduct cyber fraud.”

The study saw 750 senior IT and cybersecurity professionals from around the world quizzed to understand their concerns and priorities for the year ahead.  The data reveals a somewhat patchwork approach to data security, riddled with misconfigured services and a general sense of confusion around the security models involved in new cloud services.  Collectively, this has resulted in a crisis of confidence in the profession that the respondents believe will only be resolved when organizations make security a central part of how they do business.

Data security is a major worry

The scale of the challenge facing the sector was underlined by the fact that, for many IT professionals, they’re roughly three times more concerned about the security of their company’s financial and intellectual property data than they are for the security of their own home.

There is confidence that the new suite of tools are helping, however, with 75% of respondents saying that public cloud servers were more secure than their own data centers, although there was widespread concern about the state of progress in migrating to the cloud, with nearly all respondents doubting the readiness of their organization.

Various high profile data breaches at other firms have, at least, focused the attention of executives regarding the importance of security, with around 80% of respondents saying these breaches have helped to make the case for stronger cybersecurity measures.

A patchwork of tools

A lack of coordination within organizations had also created problems, with respondents reporting a patchwork of cybersecurity products being used to defend organizational data and systems.  These tools are seldom configured correctly, and getting them to work effectively together is an ongoing challenge.

Indeed, over 75% of respondents said that their organization was using over 50 cybersecurity products, with 37% of organizations having over 100 in operation.  This presents clear challenges with regards to maintaining defenses, with the misconfiguration of cloud services strongly linked to an increase in data loss incidents.  These misconfigurations cover a huge range of topics, but the most common were over-privileged accounts and a lack of multi-factor authentication to key services.

“The lift-and-shift of critical information to the cloud over the last couple of years has shown great promise, but the patchwork of security tools and processes has led to a steady cadence of costly misconfigurations and data leaks. Positive progress is being made, though,” said Steve Daheb, Senior Vice President, Oracle Cloud. “Adopting tools that leverage intelligent automation to help close the skills gap is on the IT spend roadmap for the immediate future and the C-level is methodically unifying the different lines of business with a security-first culture in mind.”

Who is in charge?

The confusion caused by the huge array of security products in use has created notable blind spots as cloud service providers and in-house IT teams struggle to coordinate activities and assume mutual responsibility for security.  It’s led to considerable confusion, with just 8% of security staff saying they fully get how the shared responsibility model is working in their organization.

What’s more, the number of tools required to ensure security is maintained is also causing consternation, with around 70% of respondents saying they thought that too many tools were required to secure their cloud infrastructure.  This has led to the majority of respondents saying their organization had experienced data losses from their cloud service on multiple occasions. 

The authors suggest that the only way for this challenge to be resolved is for security to sit at the heart of everything organizations do.  This doesn’t just include core processes, but recruitment and training of the right talent needed to stay secure.  For instance, the majority of security staff regard AI as crucial in maintaining cybersecurity, but worry that a lack of skills within the organization could be holding them back.

“In response to the current challenging environment, companies have accelerated the movement of workloads, and associated sensitive data, to the cloud to support a new way of working, and to help optimize cost models. This is exposing existing vulnerabilities and creating new risks,” said Tony Buffomante, Global Co-Leader and U.S. Leader of KPMG LLP’s Cyber Security Services. “To be able to manage that increased threat level in this new reality, it is essential that CISOs build security into the design of cloud migration and implementation strategies, staying in regular communication with the business.”