How vulnerable supply chains threaten cloud security

Organizations are struggling to sufficiently secure new cloud environments implemented during the pandemic, while maintaining legacy equipment and trying to adapt their overall security strategy to the evolving landscape, according to a Proofpoint study released in collaboration with The Cloud Security Alliance (CSA) reveals.

“In the wake of COVID-19, organizations substantially accelerated their digital transformation initiatives to accommodate a remote workforce.” said Hillary Baron, lead author and research analyst at CSA, the world’s leading organization in defining standards, certifications, and best practices to help ensure a secure cloud computing environment.

“While these initiatives strive toward improving worker productivity, product quality, or other business objectives, there are unintended consequences and challenges because of the large-scale structural changes required. One of those challenges is developing a cohesive approach to cloud and web threats while managing legacy and on-premise security infrastructure.”

Risks surrounding suppliers and partners greatly affecting cloud environments

As organizations continue to migrate to the cloud, reliance on third parties and partners increases, which in turn exacerbates the risk of threats through the supply chain.

The study shows that 81% of responding organizations are moderately to highly concerned about risks surrounding suppliers and partners, with 48% specifically concerned about potential data loss as a result of such risks. This high level of concern is entirely warranted as 58% of organizations indicated that third parties and suppliers were the target of a cloud-based breach in 2021.

The study reveals that defending data is rightfully a top concern for businesses, with 47% listing sensitive data loss as their most concerning outcome of cloud and web attacks. The specific types of data organizations are most concerned with are customer data, credentials, and intellectual property. 43% of organizations listed protecting customer data as their primary cloud and web security objective for 2022. Despite this, only 36% of the organizations surveyed have a dedicated data loss prevention (DLP) solution in place.

“As organizations adopt cloud infrastructures to support their remote and hybrid work environments, they must not forget that people are the new perimeter. It is an organization’s responsibility to properly train and educate employees and stakeholders on how to identify, resist and report attacks before damage is done.” said Mayank Choudhary, EVP and GM of Information Protection, Cloud Security & Compliance for Proofpoint.

“Cultivating a culture of security within and around your organization coupled with the use of multiple streamlined solutions is critical to effectively protect people against cloud and web threats and defend organizational data.”

Key findings

• 47% of those surveyed listed sensitive data loss as their most concerning outcome of cloud and web attacks, while paying ransom was of least concern to respondents (10%).
• 58% had a third party, contractor, and/or partner targeted in a cloud breach.
• Organizations are concerned that targeted cloud applications either contain or provide access to data such as email (36%), authentication (37%), storage/file sharing (35%), customer relationship management (33%), and enterprise business intelligence (30%).
• 47% of those surveyed blame dealing with legacy systems as key concern with their cloud security posture, while 37% feel they need to coach toward more secure employee behavior.
• 36% of organizations surveyed have a dedicated data loss prevention (DLP) solution in place. Other solutions implemented include endpoint security (47%), identity management solutions (43%) and privileged access management (38%).