Proofpoint has announced the release of its latest study, Cloud and Web Attacks, in collaboration with The Cloud Security Alliance (CSA).
The commissioned study queried more than 950 information technology and security professionals from various organisation sizes and locations to better understand the industry's knowledge, attitudes, and opinions regarding cloud- and web-delivered threats.
The results reveal that organisations are struggling to sufficiently secure new cloud environments implemented during the pandemic, while maintaining legacy equipment and trying to adapt their overall security strategy to the evolving landscape.
“In the wake of COVID-19, organisations substantially accelerated their digital transformation initiatives to accommodate a remote workforce,” says Hillary Baron, lead author and research analyst at CSA, the world's leading organisation in defining standards, certifications, and best practices to help ensure a secure cloud computing environment.
“While these initiatives strive toward improving worker productivity, product quality, or other business objectives, there are unintended consequences and challenges because of the large-scale structural changes required. One of those challenges is developing a cohesive approach to cloud and web threats while managing legacy and on-premise security infrastructure.
As organisations continue to migrate to the cloud, reliance on third parties and partners increases, which in turn exacerbates the risk of threats through the supply chain. The Cloud and Web Attacks study shows that 81% of responding organisations are moderately to highly concerned about risks surrounding suppliers and partners, with almost half (48%) specifically concerned about potential data loss as a result of such risks. This high level of concern is entirely warranted as 58% of organisations indicated that third parties and suppliers were the target of a cloud-based breach in 2021.
The study reveals that defending data is rightfully a top concern for businesses, with 47% listing “sensitive data loss” as their most concerning outcome of cloud and web attacks. The specific types of data organisations are most concerned with are customer data, credentials, and intellectual property. 43% of organisations listed protecting customer data as their primary cloud and web security objective for 2022. Despite this, only one-third (36%) of the organisations surveyed have a dedicated Data Loss Prevention (DLP) solution in place.
“As organisations adopt cloud infrastructures to support their remote and hybrid work environments, they must not forget that people are the new perimeter. It is an organisation's responsibility to properly train and educate employees and stakeholders on how to identify, resist and report attacks before damage is done.” says Mayank Choudhary, executive vice president and general manager of Information Protection, Cloud Security - Compliance for Proofpoint.
“Cultivating a culture of security within and around your organisation coupled with the use of multiple streamlined solutions is critical to effectively protect people against cloud and web threats and defend organisational data.
Key findings from the study include:
- 47% of those surveyed listed “sensitive data loss” as their most concerning outcome of cloud and web attacks, while “paying ransom” was of least concern to respondents (10%).
- 58% had a third party, contractor, and/or partner targeted in a cloud breach.
- Organisations are concerned that targeted cloud applications either contain or provide access to data such as email (36%), authentication (37%), storage/file sharing (35%), customer relationship management (33%), and enterprise business intelligence (30%).
- Almost half of those surveyed (47%) blame dealing with legacy systems as key concern with their cloud security posture, while 37% feel they need to coach toward more secure employee behaviour.
- Only one-third (36%) of organisations surveyed have a dedicated Data Loss Prevention (DLP) solution in place. Other solutions implemented include Endpoint Security (47%), Identity Management solutions (43%) and Privileged Access Management (38%).