Top 5 security predictions for the pace of cloud
As we look back across 2019, organisations saw a tremendous increase in not only the use of cloud for business, but the valuation of the data and applications hosted in the cloud. According to Oracle and KPMG’s annual Cloud Threat Report for 2019, seven out of ten indicated they use more business-critical cloud services than in 2018.
By Greg Jensen, Senior Principal Director, Security, Cloud Business Group, Oracle
Businesses have been utilising cloud services in their business for years, but only recently have we seen a remarkable shift to the growth of business-critical data and services in the cloud.
While this is great for organisations that seek to reduce their costs and increase their capabilities for customers and employees, the fast-paced nature of some cloud initiatives is creating unnecessary risk combined with the real world challenges of today’s business.
Prediction #1: The Increasing frequency of incidents will drive change in the boardroom
With less than half of global companies sufficiently prepared for a cyber attack, according to PricewaterhouseCooper, business leaders are looking within the boardroom to better understand how cyber risk, privacy and data protection is now a 'distributed responsibility' for the c-suite.
CEOs now play a central role in ensuring the entire c-suite is playing a role in reducing risk and ensuring data/privacy protections. No longer is it solely the domain and responsibility of the CISO or the IT department.
In fact, more and more businesses are leveraging BISOs (Business Information Security Officers) as a business focused leader with an eye for security and privacy within the line of business.
Prediction #2: The top at-risk industries will see a disproportionate frequency of cyber attacks
While there are other industries that see more attacks on an annual basis, there are industries that are less prepared with a higher value of data and this increases their risk. Healthcare tops out the list followed by manufacturing, finance, government and utilities. It is expected that the healthcare industry will see a four times increase in ransomware attacks from 2017 to 2020, according to Cybersecurity Ventures.
Manufacturing risk is centred around supply chain compromises while finance is dealing with increased cases of financial fraud and theft. Some industries are fighting back with increased investments in cyber resiliency programmes. The US now spends more on cyber security activities ($15bn) than the overall defence spending of Norway and North Korea combined.
Prediction #3: Supply and demand shortages for cyber security positions will reach a critical mass
There are changing dynamics in the tech sector including the expansion of opportunities to women and growth of roles overseas. The challenge for the cyber security sector is not availability of positions, it’s the ability to fill them with qualified staff. Oracle predicts there will be nearly three million unfilled security positions in 2020, and climbing. Cyber security has held the title of zero-percent unemployment since 2011, according to Monster.com, and Oracle sees no change on the horizon.
One of the many drivers of organisations shifting services to the cloud is to overcome this obvious talent shortfall. Over 90% of organisations cite that cloud can provide as-secure, or more-secure capabilities, than they can provide in their own data centre.
Complicating things further, analysts can make up to 3.5x more per year as a 'bug hunter' than working to defend against the flaw. While many will struggle to fill their reqs with qualified staff, others will take advantage of the experienced staff on hand with the average cloud service provider to solve these shortcomings.
Prediction #4: Every employee will be personally attacked in an effort to exploit corporations
In 2019, FireEye reported that 91% of cyber attacks leveraged a phishing attack on the front end of the attack chain. This is critical to note as it highlights the growing trends in attackers targeting employees by scouring public career pages to understand reporting structures and roles, and then perform targeted phishing attacks (spear-phishing) to exploit application/data owners or even executive management.
With training as a top area of spend, much of this increased spending is designed to help counter the top area of risk: employees who knowingly or unknowingly expose the business. Attackers are finding numerous ways to exploit the privileged user and exploit financial, HR and supply chain systems.
This includes theft of credentials directly via cloned business services, or repurposed stolen consumer credentials that often share a password with the same business user.
Prediction #5: Rate of cloud adoption will drive new strategic imperatives to mitigate risk
In war, you can’t easily defend the sky with ground troops. Same in IT, as cloud defence takes a different approach than the enterprise. Most have shifted into cloud with only a bare foundation of security controls such as identity management, but lacked the overlapping layers of security that must be carried into the cloud.
According to the Oracle and KPMG Cloud Threat Report, only 10% of organisations are able to collect, analyse and respond to the majority of their security event telemetry. 93% are dealing with cloud application use that is not in line with corporate guidelines and policies with sensitive business data.
Security teams are up against hundreds of cloud services that are either free or acquired via a credit card, that can be onboarded and in use with sensitive business data without any knowledge or awareness of the security and risk teams. This ability to deploy cloud faster than organisations can implement security and risk programmes creates a strategic imperative around risk.
These predictions highlight what many organisations will experience in 2020 when they focus only on secure strategies, and not placing a greater focus on the inclusion of a security-minded culture.