Buy-side paranoia as data breach costs triple in the cloud

Stuart Lauchlan, June 22, 2014
Summary:
Research from the Ponemon Institute suggests that the use of cloud technologies can triple a company’s chances of being exposed to a data breach. No wonder the buy side is near paranoid about cloud security.

It’s getting to be quite the year for data breaches. AT&T has just become the latest to own up to an incident, with the personal information of AT&T Mobility customers stolen, reportedly by the employees of one of AT&T’s vendors.

In a letter to affected customers, AT&T stated, “Employees of one of our service providers violated our strict privacy and security guidelines by accessing your accounts without authorization. AT&T believes the employees accessed your account as part of an effort to request codes … to unlock AT&T mobile phones in the secondary mobile phone market.”

That follows the notorious eBay breach that may have affected more than 100 million users and which is now the subject of an investigation by the Federal Trade Commission.

Meanwhile Target’s loss of data from 40 million credit and debit card accounts cost the CEO and CIO of Target their jobs.

In light of such stories, it’s perhaps inevitable that security concerns remain the number one inhibitor to adoption of cloud computing, albeit with the Snowden online snooping revelations adding a new element to the standard worries.

The situation isn’t likely to get any better following the release of research from the Ponemon Institute which suggests that the use of cloud technologies can triple a company’s chances of being exposed to a data breach.

For the study Data Breach: The Cloud Multiplier Effect, Ponemon - commissioned by security firm Netskope - surveyed 613 IT and security professionals who were largely pessimistic in their view that using cloud services increased the risk to their data.

Respondents estimated that a 1% increase in the use of cloud services results in a 3% higher probability of a data breach.

[Figure. Source: Ponemon Institute]

Ponemon calculates that the cost of a breach involving 100,000 or more records of stolen personal data could increase from an average of $2.4 million to anywhere between $4 million and $7.3 million.

[Figure. Source: Ponemon Institute]

Asked to rank the most likely causes of increased data breach exposure, respondents cited:

  • The number of network-connected mobile devices with access to cloud services increases by 50% over a 12-month period. 
  • The use of cloud services increases by 50% over a 12-month period.
  • The use of cloud infrastructure services increases by 50% over a 12-month period.
  • The backup and storage of sensitive and/or confidential information in the cloud increases by 50% over a 12-month period.
  • The number of employee-owned mobile devices with access to cloud services increases by 50% over a 12-month period.
  • The number of employees that use their own cloud apps in the workplace for sharing sensitive or confidential data increases by 50% over a 12-month period.
  • One of an organization’s primary cloud services providers moves its data center operations to an off-shore location.
  • One of the organization’s primary cloud services providers expanded operations too quickly and is now experiencing financial difficulties.
  • One of the organization’s primary cloud providers fails a compliance audit.

Who's to blame?

There is a degree of self-blame taken on board with 69% of respondents admitting that their organizations are not proactive in assessing information that is too sensitive to be stored in the cloud.

But there’s also a lot of distrust of cloud services providers. Some 72% of respondents don’t believe that their cloud services providers would notify them if they had data breaches involving the loss or theft of their intellectual property or business while 71% believe they would not receive immediate notifications following breaches involving the loss or theft of customer data.

Fuelling this paranoia is the perception by 62% of respondents that the cloud services and providers that their companies are using are not thoroughly vetted for security before deployment.

Some 69% of respondents do not agree that their organization’s cloud service providers are using enabling security technologies to protect and secure sensitive and confidential information, while 64% say they don’t believe that their cloud service providers are in full compliance with privacy and data protection regulations and laws.

Larry Ponemon, chairman and founder of Ponemon Institute, comments:

“We’ve been tracking the cost of a data breach for years but have never had the opportunity to look at the potential risks and economic impact that might come from cloud in particular. It’s fascinating that the perceived risk and economic impact is so high when it comes to cloud app usage. We’ll be interested to see how these perceptions change over time.”

My take

What a depressing study and sorry state of affairs.

The level of paranoia on the buy side seems matched only by near institutional pessimism and defeatism.

But with the likes of the Target and eBay debacles hanging heavy, maybe that’s not so surprising.

It falls to the sell side to evangelise and educate - as well as to ensure that their own security and compliance houses are in order.

 

 
