Comfort with cloud-services adoption is growing steadily but Australian companies are lagging the world in backing their cloud enthusiasm with real action to meet compliance and privacy obligations, according to new figures that reinforce recent concerns about the openness of cloud-based data.
IT and IT-security practitioners in Germany, France, Indonesia, Brazil, and the UK were all notably more proactive in managing regulatory compliance around their cloud applications than counterparts in the US, Japan, and Australia, according to the Ponemon Institute-Gemalto 2018 Global Cloud Data Security Study of 244 Australian and 3285 IT practitioners worldwide.
Just 35 percent of Australian companies said their organisation was proactive in managing data and privacy regulatory compliance – around half of the 69 percent of German companies that said the same.
Australian companies were also far less likely to agree that it is challenging to manage privacy and data protections in the cloud, with just 67 percent agreeing with that statement – compared with 83 percent of Indian companies, 87 percent of US companies and 97 percent of French companies.
This correlated with a relatively high degree of confidence in the organisation’s ability to monitor and manage cloud applications: 61 percent of Australian companies said they could do this, the most out of the eight countries and well ahead of laggards Germany and Japan (27 percent each) and France, where just 1 in 4 respondents said they could track cloud applications.
Such high levels of confidence must be tempered with caution about the fast-growing pace of cloud application adoption, Gemalto regional director ANZ Graeme Pyper told CSO Australia. Even as cloud platforms help companies embrace new applications with greater speed and effectiveness, he said, “there is a need to have more due diligence on those.”
“They are the applications we need to be understanding a little bit more from a security perspective, to be able to say hand on heart that they tick the boxes for the business and for security as well.”
Failure to take such precautions – which seems to be more common than it should be, given Australia’s laggard position around proactively managing compliance – posed a real threat to companies that will face a far stricter regulatory regime with next month’s introduction of the Notifiable Data Breaches (NDB) scheme and the implementation of the European Union (EU) general data protection regulation (GDPR) in May.
“This concerns me because whilst we have these two new regulations coming into place, the perception is that Australian companies don’t manage security and privacy very well,” Pyper said. “We all know there will be a public disclosure [of a major breach] this year, and from that I think it will be evident that more people will make compliance and data privacy more prominent within their organisations.”
Companies are taking a whole range of approaches to ensuring NDB and GDPR compliance, ranging from technological measures for locking down data, to educational campaigns and even threats of penalties for employees who fail to follow compliance best practice.
Yet many companies have already expressed their doubt that they will be compliant by the deadlines, and the latest Gemalto figures do little to improve this outlook.
To their credit, Australian companies rated comparatively well in metrics such as taking care about sharing confidential or sensitive information with third parties: 46 percent of Australian respondents said they do this, well behind Germany (61 percent) but ahead of the US (43 percent), UK (35 percent), and Japan (31 percent).
They were also the most likely to support the need for strong authentication to manage access to cloud applications and data, with 91 percent of Australian respondents agreeing with this compared to just 74 percent of UK companies. Australian companies were also less likely to complain that managing identities is more difficult in the cloud than in on-premises environments.
However, Australian companies came off as less procedurally mature and were, for example, less likely to evaluate the security capabilities of cloud providers, with just 54 percent of respondents saying they did this – compared with 73 percent of German companies, 69 percent of UK companies and 63 percent of organisations in the US and France.
Given that public cloud services are already perceived to have a high level of risk – the recent ISACA 2017 Digital Transformation Barometer found 69 percent of financial services respondents, and 60 percent of government and military respondents, named public cloud to be a “high risk” technology – Australian companies’ complacency is “a concern”, Pyper said.
“It comes back to the controls and the level of risk that organisations are willing to accept,” he said. “People are starting to put things in place to protect information and to encrypt information where possible.”
“But it’s still early days to actually say we are moving in the right direction. Now that we’ve got the NDB coming into place and the fines that are potentially going to be levied, that risk will probably weigh a little heavier on the minds of the executives.”