Organizations Risk Customer PII for Cost Efficiency, Yet Are Concerned About Data Security

Due to evolving compliance regulations and growing cyber threats, data privacy is a hot topic and a subject of public concern. One issue that many organizations face today is how to secure data in the cloud. With all the benefits that the cloud provides, it is still an area they cannot fully control and where they are exposed to cybersecurity risks.

In this blog post, we will use the findings of the Netwrix 2019 Cloud Data Security Report to reveal what data organizations store in the cloud, what issues they face and what plans they have for the sensitive data they store there.

Types of Data in the Cloud

What data actually ends up in the cloud? The survey results show that every second organization stores customers’ personally identifiable information (PII) in the cloud. Although this data is extremely sensitive, organizations are ready to accept the security risk they incur by storing in the cloud, primarily for financial and efficiency reasons — specifically, to increase cost efficiency (28%) and ensure availability for remote workers (24%). However, not all data is equal: Most organizations that put PII in the cloud are not ready to risk moving financial data and intellectual property there.

Problems Organizations Face in the Cloud

Although cloud providers like Amazon and Microsoft offer more advanced security services than many organizations can afford to implement themselves, sometimes those measures are not enough to protect data stored in the cloud. Of course, moving sensitive data to the cloud does not necessarily mean you will experience a breach. However, you have less control over the data than you would have if you stored it on premises, so your security risks inevitably get higher.

Every second organization stores customers’ personally identifiable information (PII) in the cloud

Indeed, 39% of organizations that store customer data in the cloud had security incidents in the past 12 months. Several factors make organizations even more vulnerable to security incidents in the cloud. The first factor is lack of visibility into user activity around systems and data. 56% of organizations that had security incidents in the past year couldn’t identify who was to blame, which means they don’t have sufficient insight into their IT environments to conduct effective investigations, which means they can’t learn how to prevent similar incidents in the future.

56% of organizations that had cloud security incidents were not able to determine who was at fault

Another factor that affects organizations’ exposure to security risks is whether they classify data. The vast majority (75%) of those who had at least one incident in the cloud in the past year didn’t classify their data. Apparently, these organizations lack insight into what data they have migrated to the cloud and the level of sensitivity of that data, which makes it difficult for them to prioritize their security efforts and protect critical information properly.

75% of organizations that had cloud security incidents had no insight into the sensitivity level of the data in the cloud

Plans to “De-cloud”

As a result of the public concerns related to data security and privacy, legislators worldwide have been forced to add consumer privacy to their agendas. New privacy laws like the GDPR and the CCPA introduce significant restrictions for companies that process and store PII, so organizations have to change how they deal with sensitive data. Due to strict requirements regarding data subject rights and penalties for non-compliance, some might think it would be better to move PII from the cloud back on premises. In fact, when we asked organizations that store PII in the cloud whether they would consider reversing their cloud migration, 46% of them said yes. Their top reasons were data security issues (25%), lack of control (16%), and concerns about cloud reliability and performance (13%).

46% of organizations that store PII in the cloud would consider moving it back on premises, mainly for security reasons

From my perspective, I would like to ask them a couple of questions: Do you really need to leave the cloud to ensure data security? More importantly, can you guarantee that your sensitive data will be secure when you migrate it back to your on-premises storage? I am sure that it doesn’t much matter where you store your data; what’s critical is that you know what’s going on across your IT infrastructure and have sufficient controls in place to mitigate data security risks. Otherwise, you have little chance of protecting your data against internal and external threats, and even moving data out of the cloud won’t make any difference.

How to Stay Safe in the Cloud

To ensure better data protection in the cloud, you need to adopt a comprehensive approach to security that includes the following steps:

  • Identify and evaluate the risks to your data.
  • Ask your cloud service provider to add controls, such as encryption, that could strengthen security of your data.
  • Implement your own controls to ensure your customers’ PII is safe. In particular, you should monitor user activity around data and perform data classification.

I am sure that data classification is one of the most critical measures for strengthening data security. If you are considering a cloud migration, it will help you decide which data to move and which to leave on premises. If you are already in the cloud, it will help you focus your security efforts on truly important information and choose appropriate controls for different data based on its value and sensitivity.

View the 2019 Cloud Data Security Report infographics:

2019 Cloud Data Security Report Highlights