What Data Do Organizations Store in the Cloud?
Classifying data can minimize threat risks
According to IDC, data worldwide will grow by 61%, to 175 zettabytes by 2025, with 49% of all data stored in public cloud environments. This data is not limited to public information; the 2019 Netwrix Cloud Data Security Report found that the cloud is often used to store many types of data, from less sensitive to extremely critical. However, 35% of organizations that store data in the cloud experienced at least one security incident so far in 2019, which means that many organizations lack sufficient security controls. Let’s take a closer look at the data that’s being stored in the cloud, so we can identify the necessary measures to protect those assests.
According to the Netwrix study, 50% of all organizations store employee data in the cloud. Of 25 industries that were surveyed, the top three types of companies that store their employee data in the cloud are technology companies, financial organizations, and educational institutions. According to the study, 57% of tech companies, 50% of financial organizations, and 38% of educational institutions store their employee data in the cloud. Financial organizations moved this data to the cloud primarily to ensure availability for remote workers, and tech companies and educational institutions did so to increase cost efficiency.
In the past 12 months, 35% of these organizations experienced compromising incidents. The main threat patterns behind the incidents were accidental errors (16%), malware (13%), and external attacks (12%). However, 52% were not able to identify who was behind the incidents, and of those who were able to, 21% named business employees as the key threat actor.
To better secure employee information, 41% of organizations try to provide sufficient budget for cloud security, and 34% require periodic status reports. At the same time, only 20% of organizations that store employee information in the cloud received an increased budget for cloud security this year.
Just like employee information, 50% of all organizations store customer data in the cloud. Most of them are technology companies (62%), financial organizations (46%), and health care providers (45%). Interestingly, financial organizations and tech companies moved customer data to the cloud to strengthen security, while health care organizations are more concerned about cost efficiency.
Of the organizations storing customer dating in the cloud, 31% suffered at least one security incident in the past 12 months. The key threat patterns associated with customer data compromise were accidental errors (13%), external attacks (12%), and malware (9%). Unfortunately, 57% of organizations couldn’t identify who was responsible for the incidents. Of those who could identify threat actors, 14% placed responsibility for security incidents on their cloud providers.
Management at organizations that store customer information in the cloud try to support cloud security initiatives primarily by requiring periodic status reports (26%). Unfortunately, only 33% of respondents say that they get sufficient budgets to secure customer data — the lowest result among all other data types — and 22% say that their management doesn’t provide any budget for cloud security.
Financial data is stored in the cloud by 26% of organizations surveyed. According to the Netwrix’s research, 41% of financial organizations, 29% of health care organizations, and 21% of technology companies store this sensitive data in the cloud. Financial organizations mainly move their data to the cloud to ensure availability for remote workers, health care organizations in order to cut costs, and tech companies to ensure security.
Among all respondents that store financial data in the cloud, 39% had at least one security incident in the past 12 months — the second highest result among all data types. The main threat patterns they report are accidental errors (18%), malware (14%), and external attacks (12%). Unfortunately, almost half of respondents (49%) said that they were not able to identify who is actually to blame for incidents. Those who could identify the threat actor said it was their business users (18%).
Organizations show stronger interest in protecting financial data in the cloud than other types of data: 41% are ready to allocate budget for cloud security, 38% require periodic status reports, and 27% cite protection of payment data as a reason to increase their cloud security budgets in the future.
Intellectual property (IP)
Netwrix found that 16% of organizations store IP in the cloud. They include consulting (41%), tech companies (20%), and manufacturing companies (20%). While consulting companies and tech companies opt to store IP in the cloud because of security concerns, manufacturing companies do it to ensure availability for remote workers.
IP is often a tempting target for attackers, as 42% of companies said that they had incidents that resulted in leak of IP — the highest result among all types of data. Top causes included external attacks (22%), accidental errors (19%), and malware (17%). However, almost 45% of organizations failed to identify the threat actors behind the incidents. Those who managed to identify them named business employees as the number one threat (24%).
Because intellectual property has great value for business, it is extremely vulnerable to security threats. No wonder companies that store IP in the cloud have a more proactive approach toward cloud security than organizations that store other types of data there. They are ready to allocate sufficient budget (43%) and invest in the education of IT staff (35%). They are also the most willing to increase budgets for cloud security (29%).
Health Care data
Like any other industry-specific data, health care data is relevant to a limited number of respondents. Most of these organizations operate in the health care, education, and technological sectors. Almost half of all health care organizations surveyed (49%) store personal health information and other health care data in the cloud, followed by 15% of educational institutions, and 13% of tech companies. While health care organizations and educational institutions move this data to the cloud for cost efficiency, tech companies do it for security reasons.
In the past 12 months, 35% of organizations had incidents that resulted in the compromise of health care data. They blamed external attacks (20%), accidental errors (19%), and malware (14%). Unfortunately, the majority of them (56%) say that they don’t know who is responsible for the security incidents. Those who managed to identify threat actors say that mainly business employees were behind the incidents (19%).
To ensure the security of health care data in the cloud, organizations require periodic status reports (46%) and allocate sufficient budgets (41%). Additionally, 22% are also ready to increase budgets for cloud security.
Can data classification mitigate security risks?
Analysts say that data classification enables organizations to mitigate security risks and protect their sensitive data better. For example, Gartner stated, “Data classification also allows organizations to focus their security and compliance efforts on sensitive information, to standardize and apply controls commensurate with risk, and to streamline those activities within business processes.”
Unfortunately, more than 60% of organizations, regardless of which data types they store in the cloud, say that they don’t classify all their data, which makes them vulnerable to security risks.
The Netwrix report found a strong correlation between classifying data and having fewer security incidents. More than 40% of those who don’t classify their data suffer from security incidents; for those who do it, data classification cut the rate of incidents in half.
It is clear that organizations do not treat all their data equally. Since the security of IP and financial data is often associated with strategic decision-making and business growth, organizations are ready to allocate substantial budget to secure it. But they are often not ready to invest in the protection of customer data, even though compliance regulations work to make organizations more accountable for the security and privacy of customer data.
It is also clear that many organizations lack the visibility they need to determine who poses the biggest threat to their cloud environments and investigate incidents properly. To mitigate security risks, you need to understand what kind of data you have in the cloud and which assets are most sensitive — this will help you implement adequate controls to protect it.