Businesses are growing increasingly aware of the security risks beyond the control of their cloud provider, according to new research by B2B ratings and reviews firm Clutch.
A survey of 283 IT professionals at various cloud-using businesses across the United States found that 70% prefer to store data in the cloud rather than on a legacy system.
More than half of the companies surveyed said they are investing heavily toward securing their data, devoting upwards of $100,000 to extra cloud security features.
The reason behind this spending, per the surveyors, is increased awareness about IT security in the business sector. Because security also needs to be ensured at the application level, “the company and its employees shoulder the responsibility for security,” reads the report.
As evidenced by the WannaCry ransomware in May and the GoldenEye/Petya attack in June, companies are under increasing pressure to secure their data against cybercriminals. For those companies that lag behind, at least the UK is prepared to slap some wrists with new legislation to take effect next year.
The EU General Data Protection Regulation (GDPR), effective May 25, 2018, will require every organization to guarantee safe storage and processing of personally identifiable information of an EU resident.
Another regulation is the Health Insurance Portability and Accountability Act (HIPAA), which punishes non-compliance with fines of up to $1.5 million annually since 1996. HIPAA aims to prevent the compromise of medical patients’ sensitive information.
Haresh Kumbhani, founder and CEO of cloud consulting company Zymr, Inc., agrees that businesses are increasingly aware of the risks of not securing their cloud data.
"There is suddenly a number of people recognizing that application-level security needs to be done by the user, not the vendor," said Kumbhani. "If this is the case, then they need to invest top dollar in securing the data."
While clouds are inherently secure, application-level safeguards are imperative to account for unpredictable user errors.
But businesses still have a ways to go to comply with experts’ recommendations, especially if they have their toes dipped in the IoT realm. Around 1 in 4 businesses on the cloud use Internet of Things solutions. However, these devices are often not patched after a new vulnerability is discovered.
A recent example is German IoT vendor AGFEO, which left vulnerable smart-home controllers unpatched for five months, despite being notified by SEC Consult of the dangers to end-users.
Moreover, “[IoT devices] may not even be thought of as hackable by everyday users,” reads the report. “Who would consider their baby monitor to be a security risk?”
As history has shown, it can be.
“Nascent is the first word that comes to mind [regarding IoT security],” said Jamie MacQuarrie, co-founder of Appivo, a platform for developing cloud-based apps. “For every company that properly locks down IoT-enabled machines on a factory floor, you have thousands of unsecured ‘smart’ lightbulbs.”
“Now consider a well-intentioned employee that installs an unsecured smart lightbulb in the break room, providing a gateway for hackers to pick away at the more secure internal systems. At that point, [the hackers] are across the moat and through the drawbridge, and nobody even knows it,” MacQuarrie added, offering the well-known Target payment systems hack in 2013 (involving remotely-accessible HVAC systems) as an example.
Ignoring minor vulnerabilities can have devastating effects, especially for businesses.
Encrypt, encrypt, encrypt
Some 64% of businesses have implemented additional encryption as an extra layer of security for their cloud service. A similar percentage also employ third-party software or security management, on-site inspections and tests, and regular audits.
Encryption converts readable information into a code to prevent unauthorized access. Only someone who holds the decryption key can unscramble the data and make it readable again. But, for all its advantages, encryption is also the preferred weapon of hackers today, as evidenced by the many ransomware variants out there.
Still, simply by following the guidelines of the Cloud Security Alliance, and by complying with regulations like the GDPR and HIPAA, companies worldwide will already have done much to secure their intellectual property and customer data.
Adding a new layer of encryption or employing a dedicated cloud security solution further ensures safety against cyber-threats like the widely publicized WannaCry and GoldenEye/Petya attacks.