IFSEC Insider | Security and Fire News and Resources

Security of data on cloud “left to chance” states PwC survey

Although three quarters (73%) of organisations are using at least one outsourced service over the Internet, only 38% of large organisations ensure that data being held by external providers is encrypted.

Furthermore, more than half (56%) of small businesses surveyed don’t carry out any checks on their external providers’ security and rely instead on contracts and contingency plans.

These are but some of the worrying preliminary findings from the 2012 Information Security Breaches Survey written by PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills. The results will be revealed in full at the Infosecurity Europe show in London this coming Tuesday following a keynote speech by business, innovation and skills minister David Willetts.

Speaking about the survey results, Chris Potter – PwC’s information security partner – explained: “The Internet continues to facilitate more sophisticated business relationships. Businesses are putting their faith in third parties to take care of their data, but many are taking a laissez faire attitude to the security element. Not only are they often completely leaving the security controls to third parties, but they’re not actually checking what controls those third parties have in place.”

Potter added: “Small businesses may think that because their data is being hosted by a large cloud provider good security controls will automatically be in place, but this isn’t necessarily the case. Companies should always check what security controls their providers are operating.”

Confidential data hosted on the Internet

Around a quarter of large organisations and one-fifth of small ones have extremely confidential data hosted on the Internet, with website, e-mail and payment service provision the most commonly used cloud services.

Half of organisations of national importance, such as those in the financial services, telecommunications and utilities sectors, critically depend on these cloud services.

Many small businesses rely only on a contingency plan to move the outsourced service if there are issues, yet a third of contingency plans to deal with systems failure and data corruption prove ineffective.

The PwC survey shows a strong correlation between the effectiveness of contingency plans and the seriousness of breaches. Where contingency plans worked, fewer than half of the incidents were serious; where those plans failed, four-fifths were serious.

The biggest ‘blind spot’ in contingency planning is the infringement of laws and regulations, where only a fifth (18%) of affected organisations had a contingency plan.

Further to this, 45% of large organisations breached data protection laws in the last year, and at one in ten of them this happened at least once a day.

Failures of people, process and technology

After the most serious breaches, organisations improved their processes and technology and also trained their people. This reinforces the evidence that the worst security breaches are due to multiple failures in a combination of people, process and technology.

Chris Potter stated: “Too many contingency plans are currently ineffective. Organisations should be frequently stress-testing their plans, especially because the survey shows a direct correlation between contingency planning and the severity of breaches.”

In conclusion, he urged: “Rather than relying on contingency plans, organisations would be in a much more powerful position if they were to secure their data in the first place.”

Inadequate security on mobile phones and tablets exposes UK businesses to “massive risk”

The same PwC survey shows that organisations large and small are failing to respond to the culture of employees using their own mobile devices for work and are opening up their systems to security risks.

Some 75% of large organisations (and 61% of small businesses) allow staff to use smart phones and tablets to connect to their corporate systems and yet only 39% (24% of small businesses) apply data encryption on the devices.

A substantial 82% of large organisations (and 45% of small businesses) reported security breaches caused by staff, and 47% (20% of small businesses) lost or leaked confidential information, which shows this is not a threat they can ignore.

The survey shows that the use of personally owned devices is creating new security threats from both malicious software and data loss. Organisations that allow personally owned devices tend to have weaker controls than those that allow corporate devices only.

“With the explosion of new mobile devices and the blurring of lines between work and personal life,” said Chris Potter, “organisations are opening their systems up to massive risk. Smart phones and tablet computers are often lost or stolen, with any data on them exposed. Mobile devices can literally drill straight through your security defences if you’re not careful.”

Not responding to the challenges

Seemingly, organisations aren’t responding to these new challenges.

“Just as we saw a decade ago with computer viruses,” explained Potter, “companies are slow to adjust their controls as technology usage changes. It’s vital to tell your staff about the risks. If you don’t, your own people could inadvertently become your worst security enemy. It’s clear how important smart phones and tablets have become but, as confidential data is increasingly stored on them, the chance of data breaches increases.”

Alarmingly, 54% of small businesses (and 38% of large ones) don’t have any kind of programme for educating their staff about security risks. Only 26% of respondents with a security policy believe their staff have a very good understanding of it while 21% think the level of staff understanding is poor. Indeed, 75% of organisations whose security policy is poorly understood had staff-related security breaches in the last year.

One-in-seven organisations that give a high or very high priority to security haven’t written down their policy. Most of these are small businesses that rely on word of mouth instead, but only a third think their staff fully understands it. Those companies that have invested in staff awareness training, meanwhile, are reaping the benefits – they are four times as likely to have staff who clearly understand the security policy and half as likely to have staff-related security breaches as organisations that don’t train their staff.

“Setting out your security is essential to ensure staff know what risks to look out for, how to handle data appropriately and what to do if a breach occurs,” outlined Potter. “The root cause of security breaches by staff is often a failure by organisations to invest in educating those members of staff about security risks. Yet organisations are failing to promote a culture of security awareness so staff are often unaware of the risks they’re posing.”

Ignorance rather than malice

Often, breaches occur through ignorance rather than malice. Possession of a security policy by itself does not prevent breaches – staff need to understand it and put it into practice.

“The survey results show a clear payback from security awareness programmes,” said Potter. “Education leads to greater understanding which in turn leads to fewer breaches. Unfortunately, the survey results also show that it often takes a serious incident before companies train their staff.”

The survey suggests that, with their increasing dependence on social networking sites, organisations are becoming targets. Half of the organisations surveyed say social networking sites are important to their business, up from only a third two years ago. However, controls aren’t keeping pace: only 8% of small businesses (and 13% of large ones) monitor what staff post on social networking sites.

“Given how important social networks have become over the last few years, it’s surprising how little the control techniques used have changed,” suggested Potter. “Large organisations – especially in the financial services arena – rely on blocking social media sites rather than monitoring their use, while half of small businesses don’t even have basic web blocking and logging software.”

Potter added: “Companies are now much more dependent on the relatively anarchic information flows within social networks. Above all, dependence on the Internet is at an all-time high, which organisations often find out the hard way. Many are opening up their systems but doing little to mitigate the risks.”
