News

As Ransomware Reigns, Few Organizations Encrypt Cloud Data, Security Study Shows

• By David Ramel
• 10/27/2021

A new cloud security study shows that despite the recent surge in ransomware attacks, few organizations are encrypting most of their sensitive data, which is one of the most recommended best practices to mitigate such attacks.

"Only 17 percent of respondents indicated that they encrypt more than 50 percent of sensitive data that they host on cloud environments. In other words, it is uncommon for companies to encrypt most of their sensitive cloud data," says the 2021 Thales Cloud Security Study, which is based on a survey commissioned by Thales -- "a global leader in advanced technologies" -- and conducted by 451 Research.

The report continued: "Sectors such as financial services, transportation, and media and entertainment are only marginally better at 21 percent saying they encrypt more than half of their sensitive data. There may be a correlation between encryption and the effort of maintaining a multicloud presence. According to global survey results, the proportion of respondents who have adopted multicloud and encrypt more than 50 percent of their sensitive data in cloud drops to 15 percent. Finally, the use of encryption is also split between those using their own encryption capabilities (at 35 percent) and those using encryption offered by the cloud provider (at 55 percent)."

The study surmises that multicloud organizations indicated slightly lower average encryption usage because they appear to understand going multicloud is not a zero-cost effort, so they may have shifted their attention away from encryption.

The research report is based on a global survey of 2,625 respondents, fielded in January 2021, via a web survey with targeted populations for each country, aimed at professionals in security and IT management. In addition to criteria about level of knowledge on the general topic of the survey, the screening criteria for the survey excluded those respondents who indicated affiliation with organizations with annual revenue of less than US$100m and with US$100-250m in selected countries. While the survey was conducted in January of this year, the ongoing ransomware surge was well along in 2020, with one report indicating that ransomware attacks soared 150 percent last year, thus characterizing the results as being reported amid the ransomware surge is accurate.

"According to the study, one fifth (21 percent) of businesses host the majority of their sensitive data in the cloud, while 40 percent reported a breach in the last year," Thales said in an Oct. 27 news release. "There are some common trends as to where companies turn when considering how to secure their cloud infrastructure, with 33 percent reporting multi-factor authentication (MFA) as being a central part of their cybersecurity strategy. However, only 17 percent of those surveyed have encrypted more than half of the data they store in the cloud. This figure drops to 15 percent where organizations have adopted a multicloud approach. Even where businesses protect their data with encryption, 34 percent of organizations leave the control of keys to service providers rather than retaining control themselves. Where large numbers of organizations fail to protect their data sufficiently with encryption, limiting potential access points becomes even more critical. However, nearly half (48 percent) of business leaders globally admitted their organization does not have a Zero Trust strategy, and a quarter (25 percent) aren't even considering one."

Backing up and fleshing out many of those stats, here's a list of key highlights from the report:

• Multicloud adoption is widespread. On a global basis, 57 percent of respondents indicated that they use two or more from a select group of six large cloud providers for infrastructure as a service/platform as a service (IaaS/PaaS).
• Software-as-a-Service (SaaS) usage is even more pervasive. The survey showed that the use of SaaS applications is widespread across all geographies, verticals and company sizes, with a calculated weighted global average of about 60 applications.
• Security teams have a key role in defining security policies for clouds. While there are nuances on how cloud security controls ultimately get implemented, 82 percent of respondents indicated that security teams are responsible for defining cloud security policies.
• Cloud complexity is a common concern. Nearly half (46 percent) of global respondents (the majority of those with an opinion on this topic) agreed or strongly agreed with a statement indicating that "within their organizations, it is more complex to manage privacy and data protection regulations in a cloud environment than on-premises."
• Many choose 'lift & shift' for their cloud migrations. While not all organizations move to cloud -- many adopt hybrid models, for example -- those that are migrating some of their workloads indicated -- at 55 percent globally -- some preference for lift & shift versus re-architecting applications.
• A few common technologies emerge when considering how to secure cloud deployments. When asked to rank which technologies they consider key for securing cloud environments, the top choices ranked first, second or third by respondents were cloud security tools (cloud security posture management, cloud workload protection, cloud identity and access management); data loss prevention; encryption; and multi-factor authentication (MFA) at 38 percent, 38 percent, 37 percent and 33 percent, respectively.

Eric Hanselman, chief analyst at 451 Research, commented on the survey: "Protecting customer data is always the priority, and organizations should strongly consider reviewing their strategies and approaches to proactively protect data in cloud. This includes understanding the role of specific technologies including encryption and key management, as well as the shared responsibilities between providers and their customers. As data privacy and sovereignty regulations grow, it will be paramount that organizations have a clear understanding of how they remain responsible for data security and make clear decisions about who is in control and who can access their sensitive data."