Why are organizations worldwide failing at cloud data security?

Mar 05, 2018 | 5 mins
Cloud Security, Security

We speak to Joe Pindar from Gemalto about the 2018 Global Cloud Data Security Study


Earlier this year, Gemalto released its 2018 Global Cloud Data Security Study, based on responses from 3,285 IT and IT security practitioners from the US, UK, Australia, Germany, France, Japan, India and Brazil involved in both public and private cloud. The study highlighted some clear regional differences, with German organizations appearing twice as likely to secure confidential or sensitive information in the cloud as those in the UK (35%), Brazil (34%) or Japan (31%).

The findings also suggested that over half of Australian (61%), Brazilian (59%) and British (56%) businesses surveyed don’t understand all the cloud computing apps, platform or infrastructure services their organization is using. We caught up with Joe Pindar, director of product strategy at Gemalto, to get his take on the research and what can be done to tackle the issues raised.

Did the regional differences in attitudes towards cloud data protection surprise you?

These findings, while worrying, are not particularly surprising. Traditionally, Germany has much stricter data protection laws and regulations than other European countries, and in turn their awareness of data security is higher. However, surprise or not, with the huge volume of data being migrated to the cloud, it’s unacceptable that any organization would fail to adequately secure its data.

What do you see as the wider long-term implications of these attitudes for different markets?

The biggest implication for all businesses and markets across the EU is the incoming GDPR. If this poor understanding of cloud security were to lead to a data breach, and the data of EU citizens stolen, then the compromised business would be susceptible to fines and legal repercussions. In the longer term, these data breaches can lead to a loss of consumer confidence, and ultimately damage a business’s bottom line, as customers move to competitors which implement cloud security properly.

What can be done to tackle them?

The simplest way for a business to tackle these issues is to conduct a data audit – a process which helps them understand what data they possess, and where it is stored, whether that’s in the cloud or on-premises. From there, a business can implement the necessary security solutions, such as encryption or key management, to keep the most vulnerable data secure, wherever it sits in an organization.

What did you find most alarming about these findings?

The most alarming thing about these findings is the lack of awareness of the cloud applications, platforms and services that many organizations are using. If organizations don’t know how or where the data they store in the cloud is being used, they can’t possibly begin to take the necessary steps toward protecting it. With GDPR on the way, it’s up to organizations to securely manage their clouds, which in turn will help them make the best use of the technology.

If you had to pull one key thing out for IT leaders and one key thing for CISOs what would they be? 

IT Leaders and CISOs need to be communicating regularly with their business leaders and board to ensure that the business’ security needs are consistently met. For IT leaders, this would involve developing a deep understanding of the tools and services an organization is using, while a CISO must take this information and present it in a manner understandable for a CEO or board. Only by doing this can an organization begin taking the necessary steps toward securing their data.

How can companies bring IT security to the center of discussions about cloud resources?

In order to make the discussion of cloud security a priority, companies need to ensure that their CISO has a permanent seat on the company board in order to communicate the steps they need to take to protect the business to senior management. However, a CISO’s main job is keeping a business safe from external cyberattacks. As part of the upcoming GDPR legislation, businesses must hire a Data Protection Officer (DPO) to work alongside their CISO. A DPO works to guarantee the security of the data an organization holds itself, by ensuring the company is protecting the data appropriately. While these roles are hard to fill, businesses must act now to ensure they are ready when GDPR comes into effect.

Where do you think is the biggest disconnect that stops all this happening? 

The biggest disconnect is that different departments are spinning up different clouds and servers, making it harder for IT departments to know what’s going on, meaning securing the whole thing is near impossible. There needs to be a central policy, with the IT team given complete oversight on control; that way a central security policy can also be implemented. On top of all this, companies need to get rid of their ‘head in the sand mentality’ when it comes to security and assuming it won’t happen to them. Breaches will happen, so security needs to be the central core of the business, rather than seen as a hindrance.