Half of US CISOs Have Suffered 10+ Cloud Breaches

Almost 80% of US companies have suffered at least one cloud security breach over the past 18 months, with misconfiguration the number one concern among CISOs, according to Ermetic.

The cloud security vendor commissioned IDC to interview 300 US cybersecurity leaders in organizations ranging in size from 1500 to more than 20,000 employees. The aim was to better understand the level of risk their organizations are facing and where their biggest challenges are.

Over two-fifths (43%) reported 10 or more breaches over the past year-and-a-half, while 79% said they’d suffered at least one incident.

The top three threats were listed as security misconfiguration of production environments (67%), lack of visibility into access in production environments (64%) and improper IAM and permission configurations (61%).

Configuration errors are a common occurrence in the cloud space, thanks to the growing complexity of deployments, limited in-house expertise and growing interest from researchers and cyber-criminals.

The findings align somewhat with Verizon’s most recent Data Breach Investigations Report (DBIR), which revealed that 22% of breaches last year were down to human error, with misconfiguration featuring strongly. In fact, the report claimed that breaches featuring configuration mistakes had jumped nearly 5% from the previous year.

Ermetic also argued that users and applications often accrue excessive access permissions in public cloud deployments. These are often granted by default or go unnoticed, but can be hijacked by attackers to steal data, deliver malware or disrupt business processes,

Perhaps unsurprisingly given their challenges, the CISOs IDC spoke to claimed their top three cloud security priorities are compliance monitoring (78%), authorization and permission management (75%) and security configuration management (73%).

“Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments,” said Shai Morag, CEO of Ermetic. “In fact, two-thirds cited cloud native capabilities for authorization and permission management, and security configuration as either a high or an essential priority.”

What’s Hot on Infosecurity Magazine?