The 2021 Thales Global Cloud Security Study, commissioned by Thales and conducted by 451 Research, reports that 40% of organizations have experienced a cloud-based data breach in the past 12 months. Despite these incidents, the vast majority (83%) of businesses still fail to encrypt half of the sensitive data they store in the cloud. 

According to the study, one-fifth (21%) of businesses host most of their sensitive data in the cloud, while 40% reported a breach in the last year. The study found some common trends in where companies turn when considering how to secure their cloud infrastructure, with 33% reporting multi-factor authentication (MFA) as a central part of their cybersecurity strategy. However, only 17% of those surveyed have encrypted more than half of the data they store in the cloud. This figure drops to 15% where organizations have adopted a multi-cloud approach.

Because large numbers of organizations fail to protect their data sufficiently with encryption, limiting potential access points becomes even more critical. Thirty-four percent of organizations leave the control of keys to service providers rather than retain control when protecting their data with encryption. Nearly half (48%) of business leaders globally admitted their organization does not have a zero trust strategy, and a quarter (25%) aren’t even considering one.

In addition, the study found some common concerns among businesses about the increasing complexity of cloud services, with nearly half (46%) of global respondents claiming that managing privacy and data protection in the cloud is more complex than with on-premises solutions.

Hybrid models are standard, with many organizations not moving entirely to the cloud. As the cloud becomes a more integrated part of the business infrastructure, 55% of businesses indicate a preference for a ‘lift & shift’ approach to cloud adoption over re-architecting.

Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, says, “These findings are yet another reminder that as organizations transition to cloud services, which has accelerated as a result of the pandemic, you simply cannot treat cloud services the same as traditional on-premise services. This is especially true for security. Organizations adopting cloud services must also adopt a cloud security strategy designed to reduce the risks of cloud assets, such as data encryption, multi-factor authentication (MFA) and privileged access security.”

Carson adds, “Cybercriminals and nation-state attackers are targeting cloud services more than ever before, and consequently, organizations must prioritize cloud security to make it difficult for attackers to be successful. Cloud services typically have modern security by design; however, while it is by design, it is also off by default. Therefore, organizations must evaluate what security is available and ensure they move to security by default.”