Only 5% of organizations protect credentials

In order to find the riskiest industries in the cloud, CloudLock analyzed 10 million users, 1 billion files, and over 91,000 applications, focusing on and breaking down risk in the Retail, Manufacturing, Healthcare, Financial Services, K-12, Higher Education, Government, and Technology industries.


In the Technology industry, adoption of cloud technologies, as well as security awareness, is notably higher than that of other industries, with 83 percent of technology firms deeming excessive sharing a top cyber security concern.

Every organization shares five primary cloud cybersecurity concerns, regardless of what industry it is in: account compromise, Cloud Malware, Excessive Data Exposure, Over-exposed PII and PCI data, and collaboration. On average, only 5 percent of organizations take active steps towards protecting credentials, which include attempts to identify instances of exposed credentials in public cloud environments.

Excessive sharing

When it comes to excessive sharing, 83 percent of Technology organizations are concerned with ensuring access permissions to sensitive data are granted appropriately. This is followed by K-12 (77 percent), Financial Services (75 percent), Healthcare (72 percent) and Manufacturing (70 percent). Notably less focused on excessive sharing are Retail (66 percent), Government (60 percent) and Higher Ed (59 percent).

PII & PCI exposure

Surprisingly, the Manufacturing industry showed, on average, the least concern for ensuring access permissions are granted appropriately for PII such as users’ Social Security Numbers, IDs, dates of birth, etc., (27 percent) and PCI (39 percent). Only 10 percent of Technology firms are focused on protecting PII, but 41 percent are concerned with PCI. Higher Ed is the most concerned with protecting PII (77 percent) and PCI (61 percent), with the huge database of student records, as well as credit card and banking information tied to large spending areas such as tuition, administrative and research funds.

Highest concentrated exposure of risk

A whopping 99 percent of files in the Financial Services industry that are exposed to the general public, meaning they are accessible to anyone with a link, or searchable via search engines, can be attributed to exposure by only one percent of its users. This is followed by Higher Ed (84 percent), Government (80 percent), K-12 (78 percent), Manufacturing (77 percent) and Retail (76 percent). The Technology industry had the least concentrated exposure of risk, with only 68 percent of files that are exposed publicly are by that of the top one percent of users.


Additional key findings include:

  • Retail – The priority shared across the largest majority of retailers is Excessive Sharing, with 66 percent of organizations focusing on targeted security operations in this area. While this is the top shared priority within the retail industry, it is somewhat low compared with the cross-industries figure, which exceeds 70 percent. Additionally, 55 percent of retail companies are actively looking to detect instances of information governed by PCI-DSS compliance.
  • Manufacturing – Intellectual property (IP) is the lifeblood of manufacturing organizations, and their top priority is not just its existence, but its exposure, with 78 percent of organizations aiming to identify risk of excessively exposed IP.
  • Healthcare – Across all industries, healthcare had the fewest data exposures. The highest priority in this industry is identifying and protecting PII, with 38 percent of organizations naming this as a key focus area.
  • Financial Services – This industry has a surprisingly low number of users creating data in the cloud, at just 44 percent. The top cloud security priority in this area is the excessive sharing of information (77 percent), which can be attributed to individual organizations touch thousands or even millions of personal records.
  • K-12 Education – Only one percent of K-12 institutions had a targeted focus on password protection, with 74 percent of K-12 institutions look for bad language and signs of cyberbullying and 70 percent of institutions are actively monitoring for instances of PII data.
  • Higher Education – Only 12 percent are looking for objectionable content as a security priority.
  • Government – When adopting cloud-based technologies, government agencies are highly focused on compliance, with 59 percent concerned with PII, 52 percent on data that seems confidential, 50 percent focused on PI, 41 on PCI and only 2 percent on password information
  • Technology – While excessive sharing was deemed to be the top concern, only three percent are focused on password information.