The survey, called "Information Governance in the Cloud: a Study of IT Practitioners" said that only 27% of responding organisations had procedures for approving cloud applications that use sensitive or confidential information. Lack of leadership, and limited resources for conducting evaluations factored into the low figure, according to the report.
One of the biggest problems for organizations is that the wrong people are evaluating cloud-based applications. End users and business managers were ultimately responsible for deciding which cloud applications to use in 68% of organizations, indicated the survey.
Only one in five organizations surveyed involve their information security teams in the decision making process, with one in four companies admitting that these teams never participated at all. However, almost 7 in every 10 organisations seemed unhappy with this situation, and wanted to see IT professionals more involved in deciding which cloud-based applications should be used.
Perhaps most worrying of all was the fact that only 30% of respondents evaluate cloud computing vendors at all, prior to deploying their products. 65% of companies used word-of-mouth to evaluate cloud-based services, with only 23% asking for proof of security compliance. Only 19% of the respondents indicated that their company provides general data security training that discusses cloud applications, the report added.
Symantec recommended that organizations create policies that directly address sensitive information stored in the cloud, outlining which information is appropriate for storage in this format. Companies should also create tools and procedures to classify this information, it advised.