Digital sovereignty found to be front of mind for New Zealand cloud users.

Brian Grant (Thales) Credit: Supplied

A security study by French tech giant Thales has found more than two thirds of Kiwi businesses experienced a cloud breach in the last year.

In total, 67 per cent of the 53 local respondents reported such a breach, up massively from the 38 per cent reporting them last year.

In contrast, Thales reported 39 per cent of global respondents and 37 per cent of Australian ones suffered such a breach in their cloud environments in the same period.

However, it was human error rather than malicious activity that was was the leading cause of cloud data breaches. Such errors were reported by 38 per cent of the Kiwi organisations surveyed while globally it was the cause in 55 per cent of cases.

Thales latest annual assessment of cloud security threats also found the breaches were happening while the level of sensitive data stored in the cloud was also increasing dramatically.

Seventy per cent of local businesses (75 per cent globally) reported that more than 40 per cent of their data stored in the cloud was classified as sensitive, compared to 57 per cent last year.

“New Zealand is home to a dynamic multicloud landscape," said Brian Grant, regional director Australia and New Zealand at Thales cloud security. "As organisations continue their digital transformations, more and more sensitive data will move to the cloud. This data remains the responsibility of the enterprise customer and not the cloud service provider.

"Ultimately, if businesses and their executive leadership team do not take action to embed effective data security in their cloud environment, the consequence can be catastrophic.

“While cloud environments offer many benefits, the reality is that they are complex; it takes only one small oversight to open the door to a skilled attacker."

Forty-seven per cent of the NZ respondents ranked software as a service (SaaS) applications as the leading target for hackers compared with 38 per cent globally. This was closely followed by data in motion, at 44 per cent.

Thales said identity and access management was a crucial measure in mitigating data breaches. The adoption of robust multi-factor authentication in New Zealand had risen to 66 per cent, indicating progress in fortifying access controls.

However, despite the reported increase in sensitive data in the cloud, the study found low levels of encryption being used by New Zealand businesses.

Less than a fifth (17 per cent) of local IT professionals reported that more than 60 per cent of their sensitive data in the cloud was encrypted compared with 22 per cent globally. On average, only 45 per cent of cloud data was currently encrypted globally.

The study also found a lack of control over encryption keys by businesses, with only six per cent of the NZ organisations surveyed reporting they controlled all the keys to their encrypted data in their cloud environments compared with 14 per cent having such control globally.

In addition, 64 per cent said they had five or more key management systems – creating increased complexity when securing sensitive data.

The adoption of multi-cloud continued to surge globally, with 79 per cent of organisations reporting they used more than one cloud provider.

The use of SaaS apps is also on the rise. In 2021, just four per cent of respondents reported their enterprises used over 100 different SaaS applications, while in 2023 this percentage increased to 19 per cent.

Almost two thirds (64 per cent) expressed that managing data in the cloud is more complex than in on-premises environments – up from 45 per cent compared to the previous year.

Digital sovereignty was also front of mind for New Zealand respondents. Nine in ten (89 per cent) expressed concerns over data sovereignty, and 64 per cent agreed that data privacy and compliance in the cloud has become more difficult.

Surprisingly, only 40 per cent of Kiwi organisations have implemented zero trust controls in their cloud infrastructure, and an even fewer, 38 per cent, use such controls within their cloud networks.

Respondents represented a broad range of organisational sizes, with the majority ranging from 500 to 10,000 employees. The survey was conducted in November and December 2022.

“Data encryption, data access control and data-at-risk alerts are three essential security measures every organisation should have in place if they are to successfully leverage the cloud while ensuring the integrity and confidentiality of their valuable information," Grant said.