Yesterday the latest security report from Verizon was released, with some much-expected statistics around hacktivism and security breaches. As it relates to cloud, the statistics are already hinting at where organizations need to focus.
Some of the key points are that internal breaches have been reduced significantly (hopefully through corporate security education), and physical attacks account for around 10% of all breached records.
But the really staggering statistic is around breaches themselves. 97% of them were avoidable had simple security measures been in place. 97 percent! 96% of the victims were required to comply with PCI DSS guidelines but sadly didn’t meet the requirements.
So what does all this mean as it relates to cloud? It means that if breaches are still happening and requiring compliance with PCI isn’t stopping them, cloud isn’t going to help. As organizations start pushing content to the cloud, security will be even more important, as hacktivists are scanning all web-facing content for potential victims. There is no longer a “we’re not big/important enough to be a victim” excuse. Cloud is going to make everything more available, and make security trickier to manage.
So what can organizations do to help reduce this risk? The first thing is to make sure that you know where your data is. If you don’t know what you have, you don’t know what to protect.
Second, look for weaknesses in your security posture. There are many great tools out there to help identify these, such as Qualys.
Third, if you have anything facing the web, invest in security: Web Application Firewalls (WAF), cloud DDoS protection, and perimeter security tools. If you don’t have the internal expertise to manage these controls, look to service providers to manage them for you.
You can also look at migrating your important data to a cloud provider that meets the compliance requirements applicable to your organization. This saves you the headache of going through all the rigor of audits and remediation. Outsourcing is a great resource for this, and very cost-effective for small and mid-sized organizations that just want to focus on their business.
In 5 years I am sure this type of report is going to shift dramatically towards cloud attacks and mobile technology attacks. The best thing organizations can do is to use these as a guide to secure their environment, or reach out to someone who can offer security as a service.
To read the full report, visit www.infoworld.com