Companies failing cloud security test
Organisations are failing to conduct vital due diligence on their choice of cloud computing partners
Fewer than 40 per cent of large organisations ensure that their data held by external providers is encrypted, according to research by consultants PwC - despite the fact that three-quarters of organisations make use of at least one outsourced service delivered over the internet.
These are just two of the findings of the 2012 Information Security Breaches Survey conducted by PwC in conjunction with Infosecurity Europe and released this week.
Among small organisations, 56 per cent do not carry out any due diligence on external providers' security and rely instead on contracts and contingency plans.
"Small businesses may think that because their data is being hosted by a large cloud provider that good security controls will be in place, but this isn't necessarily the case. Companies should always check what security controls their providers are operating," said Chris Potter, information security partner at PwC.
About one-quarter of large organisations and one-fifth of small ones host highly confidential data on the internet - with website, email and payment services the most commonly used cloud services. Half of organisations of national importance, including financial services, telecoms and utilities, depend on them.
However, many small businesses rely only on a contingency plan to move the outsourced service if problems arise. Yet one-third of contingency plans to deal with systems failure and data corruption will prove ineffective, claims PwC. The survey indicates a strong correlation between the effectiveness of contingency plans and the seriousness of breaches: when contingency plans worked, fewer than half of the incidents were serious; when the plans failed, four-fifths were serious.
The biggest shortcoming in contingency planning relates to infringement of laws and regulations, where only one-fifth of affected organisations had a contingency plan. Some 45 per cent of large organisations have breached data protection laws in the past year.
"Too many contingency plans are currently ineffective. Organisations should be frequently stress-testing their plans, especially because the survey shows a direct correlation between contingency planning and the severity of breaches. Rather than relying on contingency plans, organisations would be in a much more powerful position if they were to secure their data in the first place," said Potter.