In a recently released survey, "Defending Data: Turning Cybersecurity Inside Out With Corporate Leadership Perspectives on Reshaping Our Information Protection Practices," I found some good news, some surprising news, and some disappointing news.
First the good news: more organizations today do realize that human behavior is one of the biggest challenges to maintaining adequate levels of security. According to the survey, this year, 93% agreed that human behavior is still an “obstacle to security” compared to 88% who thought the same last year.
Considering that security breaches are made possible by everything from clicking on maliciously crafted phishing messages to poor software development practices and patch management processes, it's good to finally see this level of awareness that information security is a people problem first. In years past it was all too common to see surveys where respondents viewed IT security almost entirely as a technical problem. The reality is that human behavior plays a role in nearly all aspects of cybersecurity.
Another good note in this survey is that nearly all respondents, at 96%, reported having an incident response readiness policy in place, while 68% said that they test their ability to respond to ongoing attacks more than once a year. Additionally, 82% of respondents said that they have a BYOD policy – a nice surge over the responses last year, which only hit 69%.
The survey also indicated that many enterprises that planned to migrate to cloud may have completed a good portion of those planned migrations, with 71 percent of survey respondents reporting having migrated data to cloud. The survey also found that the vast majority, 86%, of survey respondents believe that cloud creates unique cybersecurity concerns such as:
- Losing visibility into the management of data.
- Being at the mercy of the cloud entity’s cybersecurity skills.
- Reducing control over access to data.
- Creating confusion about what happens when the government wants to inspect the data.
Other security concerns mentioned include lack of regulatory compliance, variations in cloud provider [abilities], and operating in a shared environment.
While many of those concerns have validity, they are not the full picture of the risks associated with cloud computing.
As was discussed in this Q&A with Jim Reavis of the Cloud Security Alliance, "When it comes to cloud security which is better? Heavy hand or gentle policing?", many of the transparency challenges associated with cloud computing have improved considerably in recent years, and security vendors have also improved the ability of their tools to monitor cloud traffic and enforce security policies. What the survey didn't highlight was how many enterprises, if not most in my opinion, find security is enhanced by moving to cloud. In fact, cloud services providers can make investments in security and monitoring that many enterprises just can't match, as these costs and security benefits are spread over many clients.
The lesson here is that while there are still some challenges regarding cloud computing and security, there are also many benefits, and both need to be balanced in order to gain a full understanding of how much cloud computing actually changes organizational risk.