96% of companies report insufficient security for sensitive cloud data

The vast majority of organizations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).

The CSA report surveyed 1,663 IT and security professionals from organizations of various sizes and in various locations.

“Only 4% report sufficient security for 100% of their data in the cloud. This means that 96% of organizations have insufficient security for at least some of their sensitive data,” according to the report, which was sponsored by data intelligence firm BigID.

Apart from struggling with securing sensitive data, organizations are also having trouble tracking data in the cloud. Over a quarter of organizations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45% aren’t tracking unclassified data, the report said.

“This suggests that organizations’ current methods of classifying data aren’t sufficient for their needs. However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organizations need to utilize data discovery and classification tools to properly understand the data they have and how to protect it,” the CSA study noted.

Dark data comprises the information assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes, according to market research firm Gartner.

About 79% of organizations have moderate to high levels of concern around the proliferation of dark data in their organization but are unsure about how to approach the issue.  

Dark data causes security gaps

“Without getting a handle on the issue of dark data, organizations can’t properly understand their data risk posture or assess their attack surface. This can only lead to vulnerabilities and security gaps,” the report said.

Organizations also need to define a unified approach to tackling dark data to avoid competing priorities in siloed departments. “Establishing a single source such as a data inventory can provide disparate departments with the base knowledge they need to work more cohesively,” the report noted. 

When it comes to SaaS platforms, 76% of organizations rated tracking data as moderately to highly difficult. “The difficulty of data tracking is particularly concerning when considering the amount of sensitive data that organizations have in SaaS platforms,” the report said. 

“Forty percent of organizations indicate that 50% or less of their sensitive data in the cloud has sufficient security,” according to the report.

Most companies expect a data breach in next 12 months

About 62% of organizations reported they are somewhat highly likely to experience a cloud data breach in the next year.

Organizations that have experienced a breach believe a data breach is more likely to happen in the future, with only 8% reporting a data breach in the next 12 months to be very unlikely.

For organizations that hadn’t experienced a breach in the past 12 months, 22% indicated that a breach in the next 12 months is very unlikely, according to the report.

Most organizations use four to five components for their data protection strategy. Data backup and recovery, auditing and assessing data protection processes, adhering to standards and regulatory compliance, and establishing policies and procedures were some of the most common components that over a third of survey respondents were using.

However, use of components such as triaging alerts, zero trust, and data sovereignty were each used by less than 20% of organizations participating in the survey, indicating that most organizations are yet to fully integrate zero trust in their data protection strategies. 

Third parties and suppliers have access to sensitive data

In light of recent supply chain attacks, organizations should secure their sensitive data from their third party contractors and partners. However, organizations appear to give nearly identical levels of access to sensitive data in their organization to employees, contractors, partners, and suppliers, the report said.

Two out of three data breaches are the result of vulnerabilities from suppliers and third parties, according to a study by Colorado State University. Considering the enormity of these implications, organizations need to understand who has access to their sensitive data and lock down access, in particular to third parties, according to the CSA report.