The distribution of data across devices and the cloud have critical gaps for enterprise security, Santa Clara-based cybersecurity company McAfee said in a research report.
For the report titled Enterprise Supernova: The Data Dispersion Cloud Adoption and Risk Report, McAfee surveyed 1,000 enterprise organisations in 11 countries and investigated anonymised events from 30 million enterprise cloud users to gain a holistic view of modern data dispersion.
The research found that 79% of the companies surveyed stored sensitive data in the public cloud. It added that these enterprise companies approve an average of 41 cloud services each, up 33% from last year with thousands of other services are used ad-hoc without vetting.
About 26% of files in the cloud contain sensitive data, the report showed, an increase of 23% year-on-year.
One in four companies have had sensitive data downloaded from the cloud to an unmanaged personal device, where they could not see or control the data, the report said, adding that 52% of companies use cloud services that have had user data stolen in a breach. By leaving significant gaps into the visibility of their data, organisations leave themselves open to loss of sensitive data and to regulatory non-compliance.
“As much as 91% of the cloud services do not encrypt data at rest, meaning that data isn’t protected if the cloud provider is breached,” the company said.
The research said that personal devices were black holes -- 79% of companies allow access to enterprise approved cloud services from personal devices.
“... The dispersion of data creates new opportunities for both growth and risk,” Rajiv Gupta, senior vice president of cloud security at McAfee, said.
McAfee said that intercloud travel has opened up new risks. It found that collaboration facilitates the transfer of data within and between cloud services, creating a new challenge for data protection.
Almost half of the files that enter a cloud service are eventually shared and around one in ten files contain sensitive data that are shared in the cloud using a publicly-accessible link to the file, McAfee said, adding that these instances saw an increase of 111% year-on-year.
“Security that is data-centric, creating a spectrum of controls from the device, through the web, into the cloud, and within the cloud provides the opportunity to break the paradigm of yesterday’s network-centric protection that is not sufficient for today’s cloud-first needs,” Gupta added.
While 90% of CISOs (chief information security officers) said that it's their responsibility to secure data in the cloud, 30% of companies lacked staff with skills to secure their SaaS (software-as-a-service) applications, up by 33% from last year.
A recent McAfee study also said about 60% of organisations in India describe their culture towards cybersecurity as strategic, while 33% said that it is embedded.