New Study: IT Pros Are More Worried About Corporate Security than Home Security
- IT professionals are 3X more concerned about the security of company financials and intellectual property than their home security
- 78 percent of organizations use more than 50 discrete cybersecurity products to address security issues; 37 percent use more than 100 cybersecurity products
- Organizations who discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year
- Only 8 percent of IT security executives state that they fully understand the cloud shared responsibility security model
- 87 percent of IT professionals see AI/ML capabilities as a “must-have” for new security purchases
Data security is creating fear and trust issues for IT professionals, according to the third-annual Oracle and KPMG Cloud Threat Report 2020. The study of 750 cybersecurity and IT professionals across the globe found that a patchwork approach to data security, misconfigured services and confusion around new cloud security models has created a crisis of confidence that will only be fixed by organizations making security part of the culture of their business.
Data Security is Keeping IT Professionals Awake at Night
Demonstrating the fear and trust issues experienced by IT professionals, the study found that IT professionals are more concerned about the security of their company’s data than the security of their own home.
- IT professionals are 3X more concerned about the security of company financials and intellectual property than their home security.
- IT professionals have concerns about cloud service providers; 80 percent are concerned that cloud service providers they do business with will become competitors in their core markets.
- 75 percent of IT professionals view the public cloud as more secure than their own data centers, yet 92 percent of IT professionals do not trust their organization is well prepared to secure public cloud services.
- Nearly 80 percent of IT professionals say that recent data breaches experienced by other businesses have increased their organization’s focus on securing data moving forward.
Legacy Data Security Approaches Leave IT Professionals Playing Whac-A-Mole
IT professionals are using a patchwork of different cybersecurity products to try and address data security concerns, but face an uphill battle as these systems are seldom configured correctly.
- 78 percent of organizations use more than 50 discrete cybersecurity products to address security issues; 37 percent use more than 100 cybersecurity products.
- Organizations who discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year.
- 59 percent of organizations shared that employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack.
- The most common types of misconfigurations are:
- Over-privileged accounts (37 percent)
- Exposed web servers and other types of server workloads (35 percent)
- Lack of multi-factor authentication for access to key services (33 percent)
Shifting Responsibility: Causing More Confusion and More Security Breaches
Organizations are moving more business-critical workloads to the cloud than ever before, but growing cloud consumption has created new blind spots as IT teams and cloud service providers work to understand their individual responsibilities in securing data. This confusion has left IT security teams scrambling to address a growing threat landscape.
- Nearly 90 percent of companies are using software-as-a-service (SaaS) and 76 percent are using infrastructure-as-a-service today (IaaS); 50 percent expect to move all their data to the cloud in the next two years.
- Shared responsibility security models are causing confusion; only 8 percent of IT security executives state that they fully understand the shared responsibility security model.
- 70 percent of IT professionals think too many specialized tools are required to secure their public cloud footprint.
- 75 percent of IT professionals have experienced data loss from a cloud service more than once.
It’s Time to Build a Security-First Model
To address increasing data security concerns and trust issues, cloud service providers and IT teams need to work together to build a security-first culture. This includes hiring, training, and retaining skilled IT security professionals, and constantly improving processes and technologies to help mitigate threats in an increasingly expanding digital world.
- 69 percent of organizations report their CISO reactively responds and gets involved in public cloud projects only after a cybersecurity incident has occurred.
- 73 percent of organizations have or plan to hire a CISO with more cloud security skills; over half of organizations (53 percent) have added a brand new role called the Business Information Security Officer (BISO) to collaborate with the CISO and help integrate security culture into the business.
- 88 percent of IT professionals feel that within the next three years, the majority of their cloud will use intelligent and automated patching and updating to improve security.
- 87 percent of IT professionals see AI/ML capabilities as a “must-have” for new security purchases in order to better protect against things like fraud, malware and misconfigurations.
Supporting Quotes
“The lift-and-shift of critical information to the cloud over the last couple of years has shown great promise, but the patchwork of security tools and processes has led to a steady cadence of costly misconfigurations and data leaks. Positive progress is being made, though,” said Steve Daheb, Senior Vice President, Oracle Cloud. “Adopting tools that leverage intelligent automation to help close the skills gap are on the IT spend roadmap for the immediate future and the C-level is methodically unifying the different lines of business with a security-first culture in mind.”
“In response to the current challenging environment, companies have accelerated the movement of workloads, and associated sensitive data, to the cloud to support a new way of working, and to help optimize cost models. This is exposing existing vulnerabilities and creating new risks,” said Tony Buffomante, Global Co-Leader and U.S. Leader of KPMG LLP’s Cyber Security Services. “To be able to manage that increased threat level in this new reality, it is essential that CISOs build security into the design of cloud migration and implementation strategies, staying in regular communication with the business.”
This year’s report is the first in a 5-part series, with follow-on reports offering insights into research findings on central cloud security topics, including:
- Demystifying the cloud security shared responsibility model
- The business impact of the modern data breach
- Addressing cyber-risk and fraud in the cloud
- The mission of the cloud-centric CISO
Additional Resources
- Download the Oracle and KPMG Cloud Threat Report 2020
- Learn more about Oracle Cloud Security
- Learn more about KPMG Cyber Security Services
- Connect with Oracle Cloud Security on Twitter, Facebook and via Oracle Cloud Security Blog
- Connect with KPMG on Twitter and LinkedIn
Methodology
The data presented in this report was collected via a broad online survey conducted by Enterprise Strategy Group of 750 cybersecurity and IT professionals from private- and public-sector organizations in North America (US and Canada), Western Europe (UK and France), and Asia-Pacific (Australia, Japan, and Singapore) between December 16, 2019 and January 16, 2020. To qualify for this survey, respondents were required to be responsible for evaluating, purchasing, and managing cybersecurity technology products and services and to have a high level of familiarity with their organization’s public cloud utilization. All respondents were provided an incentive to complete the survey.
About Oracle
The Oracle Cloud offers a complete suite of integrated applications for Sales, Service, Marketing, Human Resources, Finance, Supply Chain and Manufacturing, plus Highly Automated and Secure Generation 2 Infrastructure featuring the Oracle Autonomous Database. For more information about Oracle (NYSE: ORCL), please visit us at www.oracle.com.
About KPMG LLP
KPMG is one of the world’s leading professional services firms, providing innovative business solutions and audit, tax, and advisory services to many of the world’s largest and most prestigious organizations. KPMG is widely recognized for being a great place to work and build a career. Our people share a sense of purpose in the work we do, and a strong commitment to community service, inclusion and diversity, and eradicating childhood illiteracy. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities. KPMG LLP is the independent U.S. member firm of KPMG International Cooperative (“KPMG International”). KPMG International’s independent member firms have 219,000 professionals working in 147 countries and territories. Learn more atwww.kpmg.com/us.
Trademarks
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.