Three quarters of New Zealand businesses leave half the sensitive data they store in the cloud unencrypted, according to a new global cloud security study.
Fifty-one per cent of Australian organisations and 43 per cent of New Zealand ones also reported they had experienced a cloud-based data breach in the past 12 months, according to the 2021 global cloud security study from French multinational Thales.
Despite increasing cyber-attacks, 92 per cent of Australian and 75 per cent of New Zealand of businesses were still failing to encrypt even half of the sensitive data they store in the cloud.
Where businesses protect their data with encryption, 33 per cent of Australian organisations and 28 per cent of New Zealand ones mostly leave the control of keys to service providers rather than retaining control themselves. Only 15 per cent of Australian organisations and 10 per cent of New Zealand ones retain total control of these keys.
Companies globally have accelerated their cloud adoption as a result of the COVID-19 pandemic. This marked a significant shift in the use of cloud-based solutions, from being purely data storage to environments in which data is used transactionally and to support day-to-day operations.
In A/NZ, 20 per cent of Australian and 22 per cent of New Zealand organisations flagged that the majority of their workloads and data now resided in the cloud.
Given the speed of that migration, cloud security is becoming key. According to the study, 26 per cent of Australian and NZ businesses reported the majority of the data stored in the cloud was sensitive.
To secure their cloud infrastructure, Australian businesses turned to encryption (74 per cent) followed by tokenisation or data masking (69 per cent), key management (60 per cent) and multi-factor authentication (MFA) 47 per cent.
The top three security technologies New Zealand businesses use, meanwhile, were key management (69 per cent), encryption (59 per cent) and MFA (53 per cent).
Sixty-six per cent of Australian and 75 per cent of NZ organisations do not have a "zero trust" security strategy and a around quarter are not even considering one. Zero Trust is a new mode for cyber security applied in addition to traditional perimeter security. It requires all users, whether inside or outside the network, to be authenticated, authorised, and continuously validated.
In Australia, 62 per cent of respondents claimed managing privacy and data protection in the cloud was more complex than on-premise solutions while this measure was slightly lower in New Zealand at 53 per cent.
“Organisations in Australia and New Zealand like their counterparts across the globe are struggling to navigate the increased complexity that comes with greater adoption of cloud-based solutions," said Brian Grant, A/NZ director at Thales.
A robust security strategy was essential to ensuring data and business operations remain secure, he said.
"With nearly every business reliant on the cloud to some extent, it is vital that security teams have the ability to discover, protect, and maintain control of their data.”
Fernando Montenegro, principal research analyst, information security at 451 Research, which conducted the study, said organisations should strongly consider reviewing their strategies and approaches to proactively protect data in cloud.
"This includes understanding the role of specific technologies including encryption and key management, as well as the shared responsibilities between providers and their customers," he said. "As data privacy and sovereignty regulations grow, it will be paramount that organisations have a clear understanding of how they remain responsible for data security and make clear decisions about who is in control and who can access their sensitive data”
Paris-based Thales, which works across a wide range of sectors including security, defence, infrastructure and aerospace, reported New Zealand revenues of $13.2 million for the year ended 30 December 2020. All of its local revenues were from civil customers rather than from defence.
In April 2019, Thales acquired cyber-security company Gemalto, but the Commerce Commission put some conditions on the local end of that deal
The 2021 cyber security study included the viewpoints from more than 2600 executives in 16 countries with responsibility for or influence over IT and data security. Organisations interviewed represented a range of industries, with a primary emphasis on healthcare, financial services, retail, technology, and government.
The survey was conducted in January and February, 2021.