How the ‘fast and furious’ pace of cloud is increasing risks to data protection
As we look back across 2019, organizations saw a tremendous increase in not only the use of cloud for business, but the valuation of the data and applications hosted in the cloud. According to , seven out of 10 indicated they use more business-critical cloud services than in 2018.
Businesses have been utilizing cloud services in their business for years, but only recently have we seen a remarkable shift to the growth of business-critical data and services in the cloud. While this is great for organizations that seek to reduce their costs and increase their capabilities for customers and employees, the fast-paced nature of some cloud initiatives is creating unnecessary risk combined with the real-world challenges of today’s business.
Prediction #1: The Increasing frequency of incidents will drive change in the boardroom
With less than half of global companies sufficiently prepared for a cyber-attack, according to , business leaders are looking within the boardroom to better understand how cyber-risk, privacy and data protection is now a “distributed responsibility” for the c-suite. CEOs now play a central role in ensuring the entire c-suite is playing a role in reducing risk and ensuring data/privacy protections. No longer is it solely the domain and responsibility of the CISO or the IT department. In fact, more and more businesses are leveraging BISOs (Business Information Security Officers) as a business focused leader with an eye for security and privacy within the line of business.
Prediction #2: The top at-risk industries will see a disproportionate frequency of cyber-attacks
While there are other industries that see more attacks on an annual basis, there are industries that are less prepared with a higher value of data and this increases their risk. Healthcare tops out the list followed by manufacturing, finance, government and utilities. It is expected that the healthcare industry will see a 4x increase in ransomware attacks from 2017 to 2020, according to Cybersecurity Ventures. Manufacturing risk is centered around supply chain compromises while finance is dealing with increased cases of financial fraud and theft. The utilities industry invests less than 0.2 percent of their revenue in cybersecurity putting the country at risk around infrastructure outages. Some industries are fighting back with increased investments in cyber resiliency programs. The US now spends more on cybersecurity activities ($15b) than the overall defense spending of Norway and North Korea combined.
Prediction #3: Supply and demand shortages for cybersecurity positions will reach a critical mass
There are changing dynamics in the tech sector including the expansion of opportunities to women and growth of roles overseas. The challenge for the cybersecurity sector is not availability of positions, it’s the ability to fill them with qualified staff. Oracle predicts there will be nearly 3 million unfilled security positions in 2020, and climbing. Cybersecurity has held the title of zero-percent unemployment since 2011, , and Oracle sees no change on the horizon. Some markets are ripe with talent, as seen in the DC area where the cyber workforce is 3.5x larger than the rest of the country combined. While this bodes well for the DC based businesses, it also highlights the challenges outside of DC. One of the many drivers of organizations shifting services to the cloud is to overcome this obvious talent shortfall. Over 90% of organizations cite that cloud can provide as-secure, or more-secure capabilities, than they can provide in their own data center. Complicating things further, analysts can make up to 3.5x more per year as a “bug hunter” than working to defend against the flaw. While many will struggle to fill their reqs with qualified staff, others will take advantage of the experienced staff on hand with the average cloud service provider to solve these shortcomings.
Prediction #4: Every employee will be personally attacked in an effort to exploit corporations
In 2019, FireEye reported that 91% of cyber-attacks leveraged a phishing attack on the front end of the attack chain. This is critical to note as it highlights the growing trends in attackers targeting employees by scouring public career pages to understand reporting structures and roles, and then perform targeted phishing attacks (spear-phishing) to exploit application/data owners or even executive management. With training as a top area of spend, much of this increased spending is designed to help counter the top area of risk…employees who knowingly or unknowingly expose the business. Attackers are finding numerous ways to exploit the privileged user and exploit financial, HR and supply chain systems. This includes theft of credentials directly via cloned business services, or repurpose stolen consumer credentials that often share a password with the same business user.
Prediction #5: Rate of cloud adoption will drive new strategic imperatives to mitigate risk
In war, you can’t easily defend the sky with ground troops. Same in IT, as cloud defense takes a different approach than the enterprise. Most have shifted into cloud with only a bare foundation of security controls such as identity management, but lacked the overlapping layers of security that must be carried into the cloud. According to the Oracle and KPMG Cloud Threat Report, only 10% of organizations are able to collect, analyze and respond to the majority of their security event telemetry. 93% are dealing with cloud application use that is not in line with corporate guidelines and policies with sensitive business data. Security teams are up against hundreds of cloud services that are either free or acquired via a credit card, that can be onboarded and in use with sensitive business data without any knowledge or awareness of the security and risk teams. This ability to deploy cloud faster than organizations can implement security and risk programs, creates a strategic imperative around risk.
These predictions highlight what many organizations will experience in 2020 when they focus only on secure strategies, and not placing a greater focus on the inclusion of a security-minded culture. For more help in understanding the development of your culture, download the Oracle and KPMG Cloud Threat Report to understand leading practices and efforts that organizations are leveraging to mitigate risk and threats inside their business.
Greg Jensen is a security and risk leader for Oracle Cloud with 25 years of experience in security. Greg is also the Sr editor of the Oracle and KPMG Cloud Threat Report, contributed writer for Dark Reading and Cloud Security Alliance. Greg is also a regular conference presenter at conferences such as RSA Conference, Oracle OpenWorld, Cloud Security Days and with media. He can be followed on LinkedIn or Twitter.