Most Businesses Don't Inspect Cloud Services For Malware
As cloud services usage, and risk, increases, businesses still lack visibility into data breaches.
October 19, 2016
PRESS RELEASE
LOS ALTOS, Calif. – Oct. 12, 2016 – Netskope, the leader in cloud security, today announced the results of a survey entitled “Cloud Malware and Data Breaches: 2016 Study,” conducted in partnership with Ponemon Institute. The study found the growing use of cloud services and the lack of visibility into sensitive information in the cloud can result in more damaging or costly data breaches.
The survey found that the majority of enterprises have not or do not know if they inspect their cloud services for malware. Considering that Netskope research estimates that less than five percent of cloud services are sanctioned, it is unlikely respondents are inspecting all potential services (sanctioned and unsanctioned), raising the possibility that the portion of cloud services that contains malware is even larger.
The findings also reveal that while 49 percent of business applications are now stored in the cloud, fewer than half of them are known, officially sanctioned or approved by IT. While respondents understand the risk of data breaches, nearly a quarter could not determine if they had been breached, and nearly a third couldn’t determine what types of data were lost in the breach(es).
"These data confirm that while cloud adoption is very much on the rise, organizations still lack confidence in the cloud’s ability to protect sensitive information,” said Sanjay Beri, founder and CEO, Netskope. “With the rise of cloud threats like accidental data exposure, malware and ransomware aimed at exfiltrating data and extracting financial gain from sensitive data, IT teams need more robust intelligence, protection, and remediation to protect their data from breach or loss."
Companies Lack Insight into Breaches, Malware Infections a Growing Threat
Over half of respondents say the use of cloud services significantly increases the likelihood of a data breach, yet the majority have neither the visibility nor have they taken the correct precautions to prevent breaches involving cloud.
Nearly 20 percent cannot determine if they experienced a breach or not, indicating a significant lack of insight into security policies and data currently stored in the cloud.
For companies that did experience a data breach in the last year (31 percent), 48 percent say it was the user who exposed data intentionally or accidentally from a cloud service. However, a quarter don’t have any idea how the breach occurred, and 30 percent could not determine what data were lost or stolen.
Malware is a significant source of data breaches as well: 39 percent of respondents experienced a malware attack in the last year, but almost half (48 percent) do not inspect the cloud for malware, and 12 percent are unsure if they do.
Of those organizations that do inspect the cloud for malware, 57 percent of respondents say they found malware in the cloud. Given the high percentage that don’t even monitor, more than one-third (34 percent) likely have malware but don’t know it.
A Look at the Fragile Cloud Environment
Cloud adoption is on the rise. A recent forecast from 451 Research predicts that three in five (60 percent) of enterprise workloads will run in the cloud by mid-2018, up from two in five (41 percent) today. This report found that as more software and business applications move to the cloud, knowledge about what applications are in the cloud decreases, putting confidential and sensitive information at risk.
The estimated percentage of software applications in the cloud has increased from 45 percent in 2014 to 49 percent in 2016. Apps that are known, officially sanctioned or approved by IT decreased from an estimated 50 percent to 45 percent, indicating cloud adoption may be outpacing security measures.
Three-quarters of businesses store at least some sensitive or confidential business data in the cloud, and respondents estimate 26 percent of sensitive or confidential information is not visible to IT.
When asked about security worries, respondents’ top concern over cloud security risks is loss of control over the security of data and end-user actions (49 percent), followed by loss or theft of intellectual property (IP) (47 percent), and compliance violations (39 percent).
Money Talks: The Economic Impact of Data Breaches
Companies were asked to estimate the cost of data breaches involving the loss of 100,000 or more customer records within the last 12 months. They calculated a customer information breach would have cost them almost $20 million in the past year, taking into consideration the cost of remediation and technical support, lost business opportunities, and lost productivity because of downtime.
The largest cost (40 percent) is damage to reputation and brand, with companies estimating a spend of $7.68 million.
Cleanup and remediation spend was approximately $3.85 million, while damage or theft of IT assets and infrastructure accounted for just under a million dollars per year.
For a data breach associated with IP vs. customer records, damage to reputation and brand value again represents the largest estimated data breach cost component, at $5.66 million, nearly half (44 percent) of the total estimated cost of $12.80 million. More than half (54 percent) believe there is more than a 10 percent chance of an IP-related data breach happening in the next year.
More Cloud, More Problems: The Cloud Multiplier Effect
Respondents were asked to estimate the likelihood of a data breach when considering a number of IT scenarios involving an increased use of the cloud. The growing use of cloud services (SaaS) and the increase in backup and storage of confidential data in the cloud is most likely to cause a data breach in the cloud:
Almost 90 percent believe an increase of cloud services usage of 50 percent within the next year will increase the probability of a data breach. The same percentage agree a 50 percent increase in backup and storage of sensitive information in the cloud would also increase the probability of a data breach.
Early cloud adopters are still skeptical: Only a third believe their cloud service providers enable security technologies to protect and secure sensitive or confidential information, and only 37 percent believe cloud apps are in full compliance with privacy and data protection regulation and law.
Methodology
Netskope and Ponemon Institute surveyed 643 IT and IT security practitioners in the United States and Canada who are familiar with their company’s usage of cloud services. This study was also conducted in 2014. For the full methodology, please see the study.
About Ponemon Institute
Ponemon Institute conducts independent research and education that advances information security, data protection, privacy and responsible information management practices within businesses and governments throughout the world. Our mission is to conduct high quality, empirical studies on critical issues that affect the protection of information assets and IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards.
About Netskope
Netskope is the leader in cloud security. Using patented technology, Netskope’s cloud-scale security platform provides context-aware governance of all cloud usage in the enterprise in real-time, whether accessed from the corporate network, remote, or from a mobile device. This means that security professionals can understand risky activities, protect sensitive data, stop online threats, and respond to incidents in a way that fits how people work today. With granular security policies, the most advanced cloud DLP, and unmatched breadth of workflows, Netskope is trusted by the largest companies in the world. Netskope — cloud with confidence. To learn more, visit our website.
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024