Despite storing more than half their data to the cloud, Canadian organizations only allocate 34 per cent of their cybersecurity budgets to cloud security, according to a new survey from Telus.
In fact, 99 per cent of respondents admitted that if they could go back and migrate to the cloud all over again, they’d spend more time on at least one aspect of security.
The biggest area they wish they’d spent more time on was threat and risk, followed by monitoring and detection, and threat prevention controls.
It may explain why respondents said they plan to increase cloud security spending by 22 per cent this year.
The numbers come from a Telus survey of 511 cybersecurity professionals, released Wednesday. Completed last fall, those questioned included infosec decision makers and influencers from a wide range of industries and organization sizes. Of the respondents, 60 per cent identified themselves as very knowledgeable about cybersecurity, with 40 per cent identifying as knowledgeable.
Among the highlights
— on average, businesses are using up to 8.5 cloud service providers. The most common are infrastructure-as-a-service providers such as Amazon AWS, Google Cloud Platform and Microsoft Azure;
— only 14 per cent of respondents said their organization puts their most valuable data in the cloud;
— 57 per cent of respondents believe their cloud environments are very or completely secure;
— only 37 per cent of respondents said they have dedicated cloud security professionals. Of those, 16 per cent said they outsourced some aspects of securing their cloud assets;
— 33 per cent of respondents said staffing for cloud security skillsets is the most difficult of all cloud specialties to find. (Next was those with cloud and DevOps experience, at 14 per cent.);
— only 38 per cent said their firm uses multi-factor authentication to secure their clouds, while 32 per cent said they use cloud workload protection platforms and/or cloud security posture management solutions (multiple answers were allowed);
— almost a third of respondents agreed a lack of tools to monitor, detect, and respond to cyber threats was a major gap in their cloud environments;
— 89 per cent of respondents said their organization had experienced a cloud security incident. That is defined as an event that potentially impacts the confidentiality, availability, and/or integrity of computer networks, systems, or data.
— 58 per cent of respondents said their organization has an updated and tested incident response plan. Another 34 per cent said their IR plan is periodically updated, but not tested.
“To me, one stat says it all,” commented Kim Schreader, director of cybersecurity professional services at Telus. “Ninety-nine per cent – almost all – respondents report that if they could adopt cloud over again, they’d spend more time on at least one aspect of security. Cloud is playing a larger role for many organizations, and this stat highlights how prioritizing visibility and robust protections of these environments is and will continue to be paramount.”
Respondents said on average their organization has experienced four to five cloud security incidents a year. Of the most damaging incidents, nearly half spread to on-premises environments.
The top causes of incidents were human error, known vulnerabilities, and misconfigurations. The average direct cost of a cloud security incident among respondents was $438,000. The average response time to a cloud security incident was three days.
In fact, over a third of respondents said their expectations of improved security were not met.
That was mirrored in another survey released this month by CDW Canada, where 34.7 per cent of respondents who had migrated workloads to the cloud said it has underdelivered on their security expectations.
Generally, the Telus report says, respondents had a positive cloud experience. However, 88 per cent of respondents said they were disappointed with at least one outcome of cloud adoption. Unmet expectations included improved security (cited by 36 per cent of respondents), improved IT management and agility (34 per cent), cost savings (32 per cent), enhanced functionality (28 per cent) and workload standardization (cited by 27 per cent of respondents).
There are many reasons why an organization may be unable to derive the expected value from the cloud, the report says, including inadequate cloud migration processes, running non-cloud native applications, or a lack of required skill set.
The report has a number of recommendations for CISOs:
— don’t underestimate the value of following frameworks like NIST, ISO/IEC 27001 or others;
— undergo regular proactive security assessments or audits;
— give staff comprehensive cloud security awareness training;
— enable and configure any included security controls your cloud provider offers;
— extend vulnerability management tools into your cloud;
— and deploy MFA everywhere.
The Telus report is available here. Registration is required.
