April 20, 2012 - Most organizations are now using cloud computing in one form or another, yet businesses are omitting to check out the security controls surrounding their data.
- Only 38% of large organizations ensure that data held by external providers is encrypted
- 56% of small businesses don't check their external provider's security
- Half of organizations of national importance use cloud for business critical data
These are some preliminary findings from the 2012 Information Security Breaches Survey (ISBS) written by PwC in conjunction with Infosecurity Europe and supported by the department for Business, Innovation and Skills. The results will be revealed in full at Infosecurity Europe on 24 April following a speech by BIS minister David Willetts in the keynote theatre.
Although three-quarters (73%) of organizations are using at least outsourced service over the Internet, only 38% of large organizations ensure that data being held by external providers is encrypted. Furthermore, 56% of small businesses don't carry out any checks of their external providers' security and rely instead on contracts and contingency plans.
"The Internet continues to facilitate more sophisticated business relationships. Businesses are putting their faith in third parties to take care of their data but many are taking a laissez faire attitude to the security element. Not only are they often completely leaving the security controls to third parties, they are not actually checking what controls those third parties have in place," said Chris Potter, PwC information security partner. "Small businesses may think that because their data is being hosted by a large cloud provider that good security controls will be in place, but this isn't necessarily the case. Companies should always check what security controls their providers are operating."
Around a quarter of large organizations and one-fifth of small ones have extremely confidential data hosted on the Internet - with website, email and payment service provision the most commonly used cloud services. Half of organizations of national importance, such as financial services, telecommunications and utilities, critically depend on them.
Many small businesses rely only on a contingency plan to move the outsourced service if there are issues. Yet, a third of contingency plans to deal with systems failure and data corruption prove ineffective. The survey shows a strong correlation between the effectiveness of contingency plans and the seriousness of breaches. When contingency plans do work, less than half the incidents were serious; when the plans failed, four-fifths were serious.
The biggest blind spot in contingency planning is the infringement of laws and regulations, where only a fifth (18%) of affected organizations had a contingency plan. Further to this, 45% of large organizations breached data protection laws in the last year and this happened at least once a day at one in ten of them. After the most serious breaches, organizations improved their processes and technology and also trained their people. This reinforces the evidence that the worst security breaches are due to multiple failures in a combination of people, process and technology.
"Too many contingency plans are currently ineffective," said PwC's Chris Potter. Organizations should be frequently stress-testing their plans, especially because the survey shows a direct correlation between contingency planning and the severity of breaches. Rather than relying on contingency plans, organizations would be in a much more powerful position if they secure their data in the first place."