#Privacy: Organisations are failing to adequately protect sensitive data in the cloud

Research has revealed a growing gap between the rapid growth of data stored in the cloud and organisations' approach to cloud security.

A study from Thales, featuring research from the Ponemon Institute, surveyed over 3,000 IT and IT security practitioners in Australia, Brazil, France, Germany, India, Japan, the UK and the US.

The research found that businesses and organisations are becoming increasingly dependent on cloud providers – with 48% of organisations having a multi-cloud strategy. 

On average, organisations use three different cloud service providers, with Amazon Web Services (AWS), Microsoft Azure and IBM being the top three. Over a quarter of organisations (28%) use four or more. 

Although sensitive data is being stored in the cloud, under half of the respondents (46%) stated that storing consumer data in the cloud makes them more of a security risk, with 56% saying that it also poses a compliance risk.

As for who bears the most responsibility for sensitive data in the cloud, 35% named cloud service providers, 33% said it should be a shared responsibility, and 31% said themselves. Despite businesses pushing the responsibility to cloud providers, just 23% say security is a factor in selecting them.

“With businesses increasingly looking to use multiple cloud platforms and providers, it’s vital they understand what data is being stored and where,” said Larry Ponemon, chairman and founder of the Ponemon Institute. 

“Not knowing this information makes it essentially impossible to protect the most sensitive data — ultimately leaving these organisations at risk. We’d encourage all companies to take responsibility for understanding where their data sits to ensure it’s safe and secure.”

On encryption, 51% of businesses and other organisations still do not use encryption or tokenisation to protect sensitive data in the cloud. It was noted that German organisations are the most advanced in their use of encryption.

The research found that organisations are handing the keys to their encrypted data to cloud providers, with 44% of cloud companies providing the encryption keys when data is encrypted in the cloud, followed by in-house teams (36%) and third parties (19%).

Despite 78% of respondents saying it is important that their organisation retains control of the keys, 53% are controlling these encryption keys themselves.

“This study shows that businesses today are taking advantage of the opportunities that new cloud options offer, but aren’t adequately addressing data security,” said Tina Stewart, vice president of market strategy for cloud protection and licensing activity at Thales.

“Having pushed the responsibility towards cloud providers, it is surprising to see that security is not a primary factor during the selection process. It doesn’t matter what model or provider you choose, the security of your business’ data in the cloud has to be your responsibility. Your organisation’s reputation is on the line when a data breach occurs, so it is critical to ensure in-house teams keep a close eye on your security posture and always retain control of encryption keys.”
