Skyhigh Networks, a cloud security product vendor, did an analysis of data from government employees on cloud service usage.
They say that the average public sector organization uses 742 cloud services, of which 60 are sanctioned. That means the typical organization uses 682 services whose security no one has reviewed and whose use for government data no one has approved, even though there are laws that make this practice illegal.
Skyhigh analyzed 10,000 cloud services and found that only 10% of them encrypt their data at rest. The rest are waiting to be the next Office of Personnel Management.
Only 15% support two-factor authentication, one of the specific items addressed by Executive Branch CIO Tony Scott in the cyber-security “sprint” after the OPM breach.
And only 6% have an ISO 27001 security certification.
The report has a number of additional data points, but I will highlight only one more:
They did a survey with the Cloud Security Alliance and found that 7% of the IT and IT security professionals said that their organization had experienced an insider threat incident in the last 12 months. However, looking at anomaly detection data, 82% of the organizations had behavior indicative of an insider threat in the last quarter alone.
What this means is that 75% of the organizations have no idea that their data may be being stolen. That is not a great stat.
While this study is geared toward the government, the private sector is probably not a lot better. In many organizations, when it comes to the cloud, they just look the other way and cross their fingers. It is just a matter of time before one of the big cloud providers gets hacked. If the attack succeeds, the hackers get a treasure trove from thousands or millions of companies.
Skyhigh’s press release can be found here.