Study: Using Cloud Could Be Dangerous and Expensive

Survey shows IT and security pros wary of potentially expensive cloud data breaches.

A new survey of IT and security pros shows they have little knowledge of the scope of cloud services in use at their companies and are unsure of who is responsible for securing these services.

Furthermore, IT pros believe using cloud services increases the risk of data breaches that can easily cost victimized companies millions of dollars, considering that prior research put a price tag of about $201 for each customer data record lost or stolen.

The study, "Data Breach: The Cloud Multiplier Effect," was conducted by Ponemon Institute for Netskope, a cloud application analytics and policy enforcement company.

Netskope yesterday released what it claims is the first-ever research conducted to estimate the cost of a data breach in the cloud, gathering information from a survey of 613 IT and security professionals. They were asked to estimate the probablity of a data breach involving 100,000 or more customer records at their organizations under current circumstances and how the increased use of cloud services would affect that probability. The conclusion, Netskope said, is that increased cloud use could triple the risk of such a data breach.

And that breach could be quite expensive for a company, according to the study, which extrapolated the potential cost by using data from a previous Ponemon Institute report released last month, "Cost of a Data Breach." It pegged the cost of each lost or stolen customer record at about $201, meaning a 100,000-customer breach could cost more than $20 million.

IT and security pros show little trust in their organizations' security practices.
[Click on image for larger view.] IT and security pros show little trust in their organizations' security practices.
(source: Netskope)

"Imagine then if the probability of that data breach were to triple simply because you increased your use of the cloud," said Sanjay Beri, CEO and founder of Netskope. "That's what enterprise IT folks are coming to grips with, and they've started to recognize the need to align their security programs to account for it. The report shows that while there are many enterprise-ready apps available today, the uncertainty from risky apps is stealing the show for IT and security professionals. Rewriting this story requires contextual knowledge about how these apps are being used and an effective way of mitigating risk." That, of course, is what Netskope seeks to sell to customers.

Several factors contribute to the general perception that an organization's high-value intellectual property and customer data are at higher risk in today's typical corporate environment when the use of cloud services increases. For example, respondents said their networks are running cloud services unknown to them, they aren't familiar with cloud service provider security practices and they believe their companies don't pay enough attention to the implementation and monitoring of security programs.

"Cloud security is an oxymoron for many companies," the report stated. "Sixty-two percent of respondents do not agree or are unsure that cloud services are thoroughly vetted before deployment. Sixty-nine percent believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud."

Also worrisome is the percentage of business-critical applications entrusted to the cloud. Survey respondents estimated that about 36 percent of such apps are cloud-based, yet nearly half of them are invisible to IT. Respondents also said 45 percent of all applications are based in the cloud, but IT lacks visibility into half of them.

Similar cloud-related security research conducted earlier by Ponemon Institute indicated that 53 percent of organizations were trusting cloud providers with sensitive data. Only 11 percent of respondents in that survey said they didn't plan on using cloud services in the next couple of years.

According to yesterday's report, respondents also don't seem to trust their cloud service providers much. "Almost three-quarters (72 percent) of respondents believe their cloud service provider would not notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information, and 71 percent believe they would not receive immediate notification following a breach involving the loss or theft of customer data," the report stated.

Netskope listed the following highlights of the study:

  • Respondents estimate that every 1 percent increase in the use of cloud services will result in a 3 percent higher probability of a data breach. This means that an organization using 100 cloud services would only need to add 25 more to increase the likelihood of a data breach by 75 percent.
  • More than two-thirds (69 percent) of respondents believe that their organization is not proactive in assessing information that is too sensitive to be stored in the cloud.
  • 62 percent of respondents believe the cloud services in use by their organization are not thoroughly vetted for security before deployment.

"We've been tracking the cost of a data breach for years but have never had the opportunity to look at the potential risks and economic impact that might come from cloud in particular," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "It's fascinating that the perceived risk and economic impact is so high when it comes to cloud app usage. We'll be interested to see how these perceptions change over time as the challenge becomes more openly discussed and cloud access and security broker solutions like Netskope become more known to enterprises."

The 26-page report is available in a PDF download after free registration.

About the Author

David Ramel is an editor and writer for Converge360.

Must Read Articles