Gartner: Cloud-Smitten Companies Facing “Unpredictable” Cybersecurity Threats

Cloud computing enables the much-needed speed and agility demanded in our digital economy era. Embracing the cloud can generate significant cost savings as well as new revenue streams. However, the cloud-first mindset may be sending digital businesses down a dangerous path.

Cloud computing is now the top risk concern for executives in risk, audit, finance and compliance, Gartner notes in its latest quarterly Emerging Risks Report. The research is based on data sourced from 110 senior executives working in those four verticals. Information security risks like “cybersecurity disclosure” and “GDPR compliance” ranked among the top five concerns of the executives surveyed.

Leaders need to better balance their tech spending

“Social engineering” and “GDPR compliance” are the most likely to cause the greatest enterprise damage if not adequately addressed, analysts found. The report reveals that only 18 percent of the cross-functional executives polled currently regard social engineering (i.e. phishing, fraud, tech support scams etc.) as a significant enterprise risk.

“Executives are right to expand cloud services as part of their digital business initiatives, but they need to ensure their cloud security strategy keeps up with this growth,” said Matthew Shinkman, practice leader at Gartner. “Leaders should start by clearly identifying their most at-risk areas, which remain obscure to many large organization leaders.”

The think tank forecasts cloud computing to be a $300 billion business by 2021. However, the same research found that organizations have lost an estimated $400 billion to cyber theft and fraud worldwide in the last two years. Gartner recommends that leaders balance their spending on technology more efficiently, shifting more focus to their cybersecurity strategy.

“Executives should expect cybersecurity threats to affect organizations in unpredictable ways,” Gartner notes. “Through 2022, at least 95 percent of cloud security failures will be the fault of the organization. As more sophisticated tactics such as social engineering are engineered to compromise sensitive data, organizations should expand their cybersecurity team to address evolving digital risks.”

Cloud isn't a 'one-size-fits-all' thing

Gartner’s research indicates that the issue at heart is the “cloud-first” mindset, which IT experts have mixed feelings about. Enterprise networking specialist Andrew Froehlich, for example, condemns this school of thought. In a commentary for InformationWeek last year, Froehlich underscores that in many organizations, the cloud-first approach has morphed into a cloud-only approach, which can lead to all sorts of complications and unpredictable issues – including security problems.

Robert Haynes, a solutions architect with two decades of experience in IT, agrees:

“The ranks of enterprises with no cloud policies are rife with employees bringing in their own mobile devices and using their preferred services. An increasingly mobile workforce and the emergence of connected business devices, from printers to your company’s heating system to the break room refrigerator—the Internet of Things—are powered by on-demand services, making the cloud even more important at work … With attackers becoming more sophisticated, you need to secure your cloud applications and make smart decisions about how to spend resources on security,” Haynes wrote in a 2017 blog post.

The concerns surrounding cloud adoption with disregard for security aren’t new either. Discussing cloud adoption as a risky trend, panelists at a Massachusetts Technology Leadership Council seminar in 2014 warned that security should have a central role in the cloud-first model.

Chris Wysopal, co-founder and chief technology officer at Veracode, said at the time, "[Cloud] is a new infrastructure, and you have to understand how to use it securely. You can't use all of the traditional security technologies, so a lot of it is educating yourself on how to do it correctly."

As businesses continue to move their corporate data to public cloud solutions, the risks of losing control of that data grow as well. It is therefore important that business leaders make cloud deployments a part of the organization’s overall cybersecurity strategy, establishing a clear set of policies, technologies, and controls destined to protect their cloud data.