Shadow IT continues to affect organizations, undermining their cloud security and exposing sensitive data to breaches, according to a survey of 450 IT and cybersecurity professionals from a range of industries including healthcare.
Shadow IT is the use of unsanctioned personal devices and cloud services and apps by employees. A whopping 93 percent of survey respondents said they continue to deal with shadow IT, and half cited lack of security controls and misconfigurations as leading to data breaches and fraud, according to the Oracle and KPMG Cloud Threat Report 2019.
One-quarter of respondents said that shadow IT was their largest cybersecurity challenge.
In addition, 90 percent of chief information security officers surveyed said they are confused about their role and responsibilities in securing software as a service and other cloud services.
Eighty-two percent of cloud users have experienced security events due to confusion over the shared responsibility model. A full 71 percent of respondents said that employees are violating formal policies regarding cloud use, leading to data breaches and malware infections.
The report found that the mission-critical nature of cloud services has made cloud security a strategic imperative for many organizations. Cloud services are no longer nice-to-have elements of IT; they serve core functions essential to all aspects of business operations.
Respondents said that their top security challenge is detecting and reacting to security incidents in the cloud, followed by the inability of existing network security controls to provide visibility into cloud-resident server workloads.
The survey also found an expected 3.5 times increase in the number of organizations with more than half of their data in the cloud from 2018 to 2020. Seventy-one percent of organizations indicated that a majority of this cloud data is sensitive, up from 50 percent in last year's survey. However, 92 percent said they are concerned about employees following cloud policies designed to protect this data.
“The world’s most important workloads are moving to the cloud, heightening the need for a coordinated, integrated and layered security strategy,” said Oracle Cloud Infrastructure VP of Product Strategy Kyle York. “Starting with a cloud platform built for security and applying AI to safeguard data while also removing the burden of administrative tasks and patching removes complexity and helps organizations safeguard their most critical asset—their data.”
Fifty-one percent of respondents said patching has delayed IT projects, and 89 percent of organizations want to employ an automatic patching strategy.
Fifty-three percent are using machine learning to decrease overall cybersecurity threats, while 48 percent are using a multifactor authentication product to automatically trigger a second authentication factor when anomalous user behavior is detected.
Respondents said that supply chain compromise has led to malware infection in 49 percent of cases, followed by unauthorized access of data in 46 percent of cases.
Only around 10 percent of organizations can analyze more than 75 percent of their security event data.
An increasingly mobile workforce accessing both on-premises and cloud-delivered applications and data complicates how cybersecurity professionals must think about their risk and exposure. In 2018, the number one area of investment was training, but in 2019 training has slipped to number two and has been replaced by edge-based security controls.
“As organizations continue to transition their cyber security thinking from strictly risk management to more of a focus on business innovation and growth, it is important that enterprise leaders align their business and cyber security strategies,” said Tony Buffomante, U.S. Leader of KPMG’s Cyber Security Services.
“With cloud services becoming an integral part of business operations, there is an intensified need to improve the security of the cloud and to integrate cloud security into the organization’s broader strategic risk mitigation plans,” he concluded.