- Almost all organizations, 96%, have concerns about their current cloud security, according to a Sophos report of more than 3,500 IT managers globally.
- Malware or ransomware accounted for half of cloud-based cyberattacks last year. However, in the public cloud, only 30% and 31% of organizations in the U.S. were hit by malware and ransomware, respectively.
- Two-thirds of data breaches were caused by security misconfigurations, including cloud resource misconfiguration and misconfigured web application firewall. The remaining cloud-related breaches stemmed from stolen credentials for the cloud.
Most enterprises are using a public cloud yet cloud and container security strategies are lagging behind adoption. The lag is significant enough that developers and engineers bypass cloud security or compliance policies.
In an infrastructure designed around software, developers are free to configure their own infrastructure. And right now, in lockdown, developers can push provisions at odd hours, when there's no security professional to check for errors.
"While cloud platforms have been around since the early 2000s, cloud adoption is still increasing. Cloud platforms have also increased in complexity over time," John Shier, senior security advisor at Sophos, told CIO Dive. Some industries have yet to entirely embrace the cloud, fearful of data residency and workload complexity.
Similarities link traditional computing environments and the cloud, but confidence is lacking, especially when multiple clouds are necessary, according to Shier. In an INAP survey last year, 90% of respondents said they intend to have more workloads on the cloud by 2022. Seventy percent of respondents using multicloud solutions have "made management easier to some extent."
Without on-premise solutions, companies were able to make the leap to remote work nearly overnight, but vulnerabilities remain. The pandemic left industries dealing with a "kicked over hornet's nest" of cyberthreats.
Ransomware in particular has moved away from individual incidents. "No longer are ransomware gangs content with opportunistic spread. Now these criminals are much more deliberate and thorough," said Shier.
Risk mitigation is the goal. With the basic tenets of security — regular patches, multifactor authentication, software governance — companies need visibility. "Then you test your defenses, fix any issues and repeat," said Shier. As maturity grows in risk mitigation, companies could adopt active threat hunting.
However, "even after all this is done, it's still possible to fool someone into making a mistake. But at least now you'll be in a better place to rapidly respond to the issue and minimize the fallout," said Shier.