Cloud, greatest cyber risk to Indian businesses: Study

Indian businesses are facing significant challenges in adopting cloud technologies, which is hindering their ability to implement preventive cyber-defense strategies, according to a new study published on Thursday.  

The study, conducted by Forrester and commissioned by Tenable, an exposure management company, reveals that 70% of Indian cybersecurity and IT leaders view cloud infrastructure as the greatest source of cyber risk in their organisations. The perceived risks come from the use of public cloud (36%), multi-cloud (23%), and private cloud infrastructure (10%). 

With insights from 825 IT and cybersecurity professionals, the study shows that nearly two-thirds of the respondents (64%) agree or strongly agree that the cybersecurity team is too busy dealing with critical incidents to take a preventive approach to reducing their organisation's exposure. 

The study also highlights that 57% of Indian respondents believe that a lack of data hygiene in user data and vulnerability management systems prevents employees from making prioritisation decisions. Additionally, 56% of organisations spend 11 hours or more per month creating security reports for business leaders, with 46% using multi-tabbed spreadsheets to analyse data from different solutions. 

Furthermore, over 64% of Indian organisations struggle to integrate user identity and access data into preventive cybersecurity practices. While 28% hold monthly meetings on business-critical systems, 9% of organisations only meet once a year or less, indicating a need for more consistent strategic discussions on organisational security. Another challenge noted in the study is that over 80% of organisations use a third-party program for software-as-a-service (SaaS) apps and services, but only slightly over half (54%) have high visibility into third-party environments. 

The study also highlights technology challenges. While 78% of respondents consider user identity and access privileges when prioritising vulnerabilities for remediation, 64% say their organisation lacks an effective way of integrating such data into their preventive cybersecurity and exposure management practices. 

The study further reveals that 78% of respondents allocate 25 or more employees to tasks related to deploying, supporting, maintaining, and managing vendor relationships for cybersecurity tools, emphasizing the substantial human resources required for effective cybersecurity measures. 

Kartik Shahani, the country manager at Tenable India, said, "Almost everything in the cloud is one excess privilege or misconfiguration away from exposure. The intricate cloud landscape prompts organisations to resort to various tools and point solutions to counteract these threats." 

Unfortunately, this approach drains resources, leading to substantial costs as they grapple with configuring and implementing disparate products, Sahani added. 

"Effectively securing the cloud requires more than just technical proficiency; it demands a nuanced understanding of assets, vulnerabilities, and their alignment with overarching business objectives," he added.

The Tenable-Forrester study coincides with another global study published today by Enterprise Strategy Group, which also sheds light on cloud security breaches. It states that 30% of organisations reported a cyber-attack based on exploit(s) of a misconfigured cloud service, workload, security group, and/or privileged account. This common attack vector involves adversaries capitalising on different instances of human error. 

To counter these issues, researchers recommend that organisations establish documented policies around all areas related to cloud configurations, implement controls to prevent misconfigurations upon deployment, and continuously scan cloud applications and infrastructure for configuration drift, with alerts generated for all violations. Finally, organisations should run alerts through a risk scoring algorithm to help security, development, and operations teams prioritise remediation actions. 

In light of the study, Tenable recommends that CIO/CISOs overcome these cloud-based challenges by implementing an exposure management program.