As cloud adoption continues to rise, organizations must protect themselves from the threats that come with it. Research from CloudLock breaks it down by industry.
Information security solutions are a not a one-size-fits all approach--you've got to take the industry itself into account when developing a plan.
This is especially true when it comes to the security risks and threats posed by enterprise cloud deployments. As such, the Q4 cloud cyber security report from CloudLock breaks down some of the pertinent cloud threats across eight distinct industries, and what can be done to counteract them.
First, let's take a look at the trends that occurred across the board. All of the industries represented--retail, higher education, K-12 education, government, technology, financial services, manufacturing, and healthcare--shared the following concerns:
- Account compromise
- Cloud malware
- Excessive data exposure
- Over-exposed personally identifiable information (PII) and payment card information (PCI) Data
Perhaps one of the simplest things an organization can do to protect its users in the cloud is invest in properly protecting their credentials, namely their account passwords. However, only 5% of organizations surveyed were taking active steps to protect credentials.
Exposure risk was also high among the industries studied. On average, 1% of users represent 71% of organization-wide exposures and 74% of public exposures.
Drilling down, however, the issues begin to diverge. Let's start by taking a look at retail.
Not only is retail highly distributed, but it is also heavily regulated and brings a high employee turnover rate. Additionally, knowledge workers are well outnumbered by storefront staff, meaning less than one third of employees can create content in the cloud and 1% of employees own 69% of the organizational data.
Retail organizations deal with a lot of personal data and tend to process a ton of credit card transactions. Excessive sharing took the top spot of retail concerns with 66%, followed closely by PCI at 55%. The study recommends focusing on taking inventory of important data, identifying potential offenders, and investing in employee education.
Content ownership is slightly less concentrated in manufacturing, but only by a little. In this industry, 1% of employees own 65% of data, but 72% are creating content.
Maintaining trade secrets can make or break a manufacturing organization. So, it makes sense that excessive sharing and IP top the concerns list with 70% and 47% respectively. After determining the top concerns, the CloudLock report recommended training users and revisiting the security strategy as needed to adjust for new threats.
With the growing adoption of tablets and thin-client devices like Chromebooks, it's no wonder that cloud is a growing concern among K-12 school systems. The potential legal ramifications are huge, and dealing with a younger user base complicates the situation even further.
Of the top four concerns, objectionable content stands out as relatively unique in this industry. Issues like cyber-bullying and bad language are major problems and, as such, 74% of K-12 institutions are keeping a lookout for signs of objectionable content. Additionally, despite the increased threat due to the young user base, only 1% of these institutions had a targeted focus on password protection. Much like manufacturing, education should work on educating users and re-evaluating its strategy as the landscape changes.
Protecting student information and content is a top priority for higher education when it comes to the cloud. PII is the top concern at 77%, with PCI following in second place with 61%. While 77% seems high, as the report points out, universities face serious financial penalties if they're compromised so it is surprising that it isn't even higher.
Unfortunately, the report didn't have much new to recommend in terms of strategy as the next steps for education were, again, a similar message of "determine threats, educate, and re-evaluate as needed."
When it comes to regulation adherence, government takes the cake--known for its veritable army of acronyms--FISMA, ITAR, DIACAP, and NIST to name a few.
Government echoed some of the top concerns mentioned by others, but the report drilled down to find out more, in detail, of how the concerns played out.
The report found that: "60% of government agencies were focusing primarily on Excessive Sharing, 50% on Proprietary Information, 52% on data that is deemed confidential, 59% on Personally Identifiable Information (PII), 41% on Payment Card Industry (PCI) data, and 2% on password information."
Understandably, the tech industry's numbers were a little different than others. About 81% of users in the field are creating cloud content, and 1% owns only 55% of the data, making a far less concentrated ownership as well.
Exposure rates are lower in tech too, with 1% of users responsible for 57% of organization-wide exposures and 68% of exposures to the public. Once again, excessive sharing took the top spot, but it's much higher in tech with 83% saying they were concerned. PCI took the second spot with 41%.
Due to the sensitive nature of EMR, and the growing regulatory environment around it, it's no wonder that 72% of healthcare organizations were concerned about excessive sharing and 38% were concerned about PII. However it's surprising that PII wasn't much higher.
As medical innovations continue to advance, it may be possible that we see IP move up the ranks closer to the top concerns.
In this industry only 44% of users create content. Although, 80% of organization-wide exposures and 99% of public exposures can be credited to 1% of users. As shocking as those numbers are, the author of the report said they are also encouraging as it means remediation is concentrated as well.
The top three concerns for financial services are as follows: Excessive sharing (75%), PII (59%), and PCI (55%).
- Cloud security: 10 things you need to know (TechRepublic)
- Why promises about cloud security make me uneasy (TechRepublic)
- Mini-glossary: Cloud computing terms you should know (TechRepublic)
- Cloud Data Storage Policy (Tech Pro Research)