Human error is the greatest risk to companies moving their systems and data to the cloud, according to a recent report from Kaspersky Lab. The Kaspersky Lab Global Corporate IT Security Risks Survey examined data based on 7,186 interviews with companies of different sizes in 24 countries.

Nine out of every 10 cloud data breaches are not the fault of the cloud service provider, but trace back to human errors made by the company’s employees, the report found.

“The first step for any business when migrating to the public cloud is to understand who is responsible for their business data and the workloads held in it,” Maxim Frolov, vice president of global sales at Kaspersky Lab, said in a press release. “Cloud providers normally have dedicated cybersecurity measures in place to protect their platforms and customers, but when a threat is on the customer’s side, it is no longer the provider’s responsibility. Our research shows that companies should be more attentive to the cybersecurity hygiene of their employees and take measures that will protect their cloud environment from the inside.”

According to the report, cybercriminals are using phishing and other social techniques to dupe company employees into giving them access to sensitive data stored on their cloud platform.

“If a user is enticed to open a fake email, download a harmful program, or click on an illegitimate web link, they then become responsible for compromising their corporate network rather than the service provider supplying the infrastructure,” the report noted. “When we examine the origin of the attacks, just 11 percent of incidents were caused by the cloud provider. This makes it clear that the responsibility to ensure the cloud is safe should not be delegated to the cloud provider by default but should be shared amongst everyone involved.”

Companies are increasingly realizing that the cloud offers a multitude of opportunities to save money and make certain processes faster, the report noted. Cloud services make it easier to manage and store information, and more SMBs as well as enterprises are continuing to move sensitive data to the cloud.

More than 20% of companies surveyed said they were already moving sensitive personal information about customers’ identities into cloud storage platforms.

“It is easy to assume that the responsibility for keeping what is stored in the cloud secure should lie with the provider of cloud platform. However, the responsibility to mitigate the threat of a data breach does not solely lie with them. In fact, it remains much more likely for organizations to suffer a breach due to simple and preventable staff mistakes,” the report said.

“When it comes to human factor, sensitive data suffers the most. Around nine-in-ten SMBs (88 percent) and enterprises (91 percent) that have experienced a data breach affecting the public cloud infrastructure they use, said social engineering was part of the attack. The top three types of data that were stolen were: information that confirms customer identity, customer payment information and user authentication credentials.”

These types of attacks are devastating for many companies, both reputationally and monetarily. The average cyberattack costs SMBs $206,000, while bigger companies average a loss of about $2 million, the report said.

Many of the companies that participated in the survey admitted that they were worried about cloud safety, but that they were not equipped to address the issue. Nearly 30% of SMBs and 20% of enterprises said they were either not equipped or somewhat equipped with security measures that could protect the data they have stored in the cloud.

Despite the fear, most of the companies did not have security programs specifically tailored to their business, leaving them vulnerable to attacks.

The study also broke down which sectors are adopting cloud programs the most, finding that utilities and power companies currently use or plan to use cloud programs. Companies in IT, finance, manufacturing, retail and healthcare were all seeking to move at least some of their data to the cloud, the report found.

Kaspersky gave a detailed list of ways companies can start to protect their information stored on the cloud. First and foremost, companies must raise awareness among their employees about the dangers of opening or downloading certain files. Companies should also warn departments about the dangers of circumventing the IT office and using cloud services without notifying it.

The report also recommended using an endpoint security solution to prevent social engineering attacks.

“Do not delay implementation of the protection for cloud infrastructure,” it said. “When migrating to the cloud, understand your migration roadmap and areas of responsibility for each type of cloud platform you use.”