Chris Harris | Associate VP, Sales Engineering
Organisations are evolving and digitally transforming, employing cloud environments and other emerging technologies in a response to the way people transact with them. Disruptive start-ups are also born into cloud-based environments. During the previous months, the massive work from home requirement and the remote access to corporate data due to the COVID-19 crisis has proved once more that the walls of the traditional perimeter have vanished. I recently presented the key findings from our 2020 Thales Data Threat Report-European Edition during the SC Digital Congress in the Cloud and Network Security stream where these topics were discussed.
Increased data risks at odds with increased sense of security
According to the 2020 Thales Data Threat Report-European Edition, 37% of European organisations say they are either aggressively disrupting the markets they participate in or embedding digital capabilities that enable greater enterprise agility. While digital transformation can provide tremendous value, it also makes data security more complex. Companies are increasingly dependent on, and increasing, the amount of data stored in the cloud. As a result, security teams need to focus on aspects beyond traditional network perimeters. The attack landscape has changed drastically and with that, security controls should evolve.
However, European organisations seem to fail applying effective security controls: 48% have been breached in the past, with 28% of the organisations reporting a data breach in the last year. Linked to that, 24% of the survey respondents have failed a compliance audit. These failures might be a breach waiting to happen.
Digitally determined organisations, making the strategic, structural, technological, and financial decisions that will set them up to digitally transform in the next years, may also have greater data threat exposure. Despite the new data security challenges, only 38% of the European organisations say they plan on increasing security budget spending. This decision comes at odds with the trust and security pillars of the EU’s Digital Single Market Strategy.
These statistics are worrying because almost half (46%) of all European organisations data is stored in the cloud and 43% of this data is sensitive. As more sensitive data is stored in cloud environments, data security risks increase. Yet, despite this significant sensitive data exposure, rates of data encryption and tokenisation are low. Although European businesses store sensitive data in the cloud and they know where this data is, this data is not protected. In fact, 100% of European respondents say at least some of their sensitive data in the cloud is not encrypted. Only 54% of sensitive data stored in cloud environments is protected by encryption and less than half (44%) is protected by tokenisation.
The lack of appropriate data protection is very critical especially as organizations operate in a multi cloud world. European companies are using multiple IaaS and PaaS environments, as well as hundreds of SaaS applications. 80% of European organisations are using more than one IaaS vendor, 81% have more than one PaaS vendor, and 29% have more than 50 SaaS applications to manage. When you move your data to the cloud, it is the organisation that is responsible for this data, and this is clear by all cloud providers.
Although encryption is the pillar of securing data in the cloud, quantum computing poses a new and increasing challenge, which has the potential to severely weaken the encryption algorithms that underpin commerce and identity today. The impact of quantum computing is on the horizon as 69% of European organisations see it affecting their cryptographic operations in the next five years.
Despite these risks, European organisations seem to have a misperception about their level of vulnerability. Sixty-eight percent of organisations felt vulnerable in 2019, down from 86% in 2018, even as security risks grow. This false sense of better protection may be due to increased security investments in preceding years or the level of security program maturity reached under continuous regulatory pressure.
What can organisations do to mitigate data risks and challenges?
The top consideration for every organisation, whether in Europe or elsewhere, is how to maintain resilience. While cyber incidents and breaches seem inevitable, being able to respond and restore operations, minimising the impact of such events is crucial. Focusing on cloud environments, it all starts with understanding the shared responsibility model – if a data breach exists it is the organisation that will pay the fine, not the provider.
Below are some recommendations that can help you mitigate the data security risks and challenges presented by cloud and digital transformation strategies:
- Do not rely on the cloud native security solutions. Instead you should invest in modern, hybrid and multi cloud-based data security tools that make the shared responsibility model work.
- Visibility is crucial. Greater emphasis on sensitive data discovery in these environments, as well as for existing environments, strengthens an organisation’s data security stance by enabling the organisation to know where sensitive data is and how to access it.
- Adopt a risk-based approach based on data classification. Automated data classification allows organisations to apply policies appropriate to the risk and value of data and helps to simplify the security architecture and procedures.
- Apply appropriate encryption and access policies to the sensitive data. This point is especially relevant today more than ever as the work from home migration has increasingly forced corporate data to be accessed remotely. As organisations increase their use of encryption to protect sensitive data, they should centralise key management to help simplify operations in otherwise complex environments. Finally, an adaptive identity and access management program will ensure that only authorised people and devices access corporate sensitive data.
For more key findings, download our 2020 Thales Data Threat Report-European Edition.