The IDG study on Cloud Security 2021, sponsored by Airlock among others, shows that one in three companies has already suffered economic damage from cloud attacks in the last twelve months, with 57% reporting an increase in security incidents. It is all the more surprising that the majority of these companies have not allocated any additional budget for cloud security, although overall the security budget has been increased at 72% in 2021.
A look at the technical precautions that companies have taken with regard to cloud security reveals great potential for optimization. For example, only 36.4% of companies have so far implemented improved password management and 35.5% improved access control (IAM). The introduction of a zero trust model has even already happened in only 19.9% of the companies surveyed.
Existing applications are being converted for microservice architectures in 27.7% of the companies surveyed, and a further 47.9% are planning to do so.
With regard to the cloud solutions used, the private cloud dominates in all company sizes. When choosing cloud services, avoiding vendor lock-in is a very important criterion for 83.5% of the companies surveyed.
Below you will find a brief summary of the key findings of the cloud security study. You can also download the entire study.
Majority of companies have no additional budget for cloud security
Only 39 percent increase the security budget when IT solutions are transferred from on-premises to the cloud. Ten percent even reduce the security budget when migrating to the cloud.
Cloud attacks lead to business interruptions
One in three companies has suffered damage from cloud attacks in the last twelve months. Business interruptions and downtime were particularly common.
Offices are considered more secure than remote workplaces
60 percent of companies consider office workplaces to be secure or very secure; this assessment drops to 49 percent for remote workplaces. Five percent consider remote work to be insecure or shr insecure, compared with four percent for office workplaces.
Cloud administration more important than data protection
For 91 percent, the ease of administration of cloud services is important or very important. The conformity of the cloud with the EU Data Protection Regulation is rated accordingly by 79 percent, the cloud location Germany by only 75 percent.
Security by default is still the exception in cloud projects
Only one in three companies involves internal security experts right at the start of a cloud project. Fifteen percent of companies only involve security during the implementation of cloud services.
Encryption and policies should ensure cloud security
39 percent of companies pay particular attention to encrypted data transfer to and from the cloud provider, and 38 percent to cloud policies for the use of cloud solutions and access devices when it comes to cloud security.
Cloud provider is considered the most important security partner
43 percent of enterprises work with their cloud provider on security issues. External SOCs are used by 34 percent for cloud security measures, 30 percent rely on managed security service providers (MSSPs).
Data theft is biggest cloud risk, data protection biggest cloud advantage
For 36 percent of companies, data theft is the biggest security risk in cloud computing, while 39 percent say the higher level of data protection is the biggest advantage of the cloud compared to on-premise IT.
Cloud Security Study
You can read all the study results, further analyses and exciting insights in the detailed version of the study.
You can also expect an exclusive insight into the CIO Agenda 2021 and learn how IT decision-makers are shaping business in the present and the future.
Many companies have yet to realize the true value of cloud security
Companies are hoping for cost savings from the cloud. However, these should not be sought in security. Instead, cloud security needs to be put on a firmer footing - with security processes that accompany cloud projects right from the start. Otherwise, there is still a risk of business interruptions and data loss.
But it is not only the fact that the cloud is not yet sufficiently included in the security budget that indicates that the importance of cloud security is still underestimated, despite all the assurances of how important data protection and data security are for the decision "pro cloud". Security by default and security by design must become much more prominent in the minds of all companies that want to benefit from the advantages of the cloud - all the more so if security and data protection are seen as cloud advantages.
Security experts see errors in cloud administration and cloud configuration as the basis for most cloud security incidents. So if companies identify ease of administration as the most important criterion when choosing a cloud service and cloud provider, this also helps cloud security. However, this is not done consciously, as faulty cloud configurations are not seen as the biggest cloud risk, according to the study.
Apparently, many companies do not yet see all the dependencies in the cloud and the consequences for cloud security. If they were more aware of this, they would also better understand why cloud security is so extensive and complex. Then the value of a secure cloud would also be more visible.
For the future, it would be desirable to address cloud security more comprehensively and give it the necessary weight and budget. To this end, the internal security forces should be given greater responsibility for cloud security. The management, the IT boards and the IT managers alone will not be able to make the necessary decisions here.