Cloud misconfigurations are considered a data security risk by 95% of IT decision makers in the UK, according to a new study from Trend Micro. The findings highlight how human error is a major cause of organizations’ compliance problems and is obstructing their digital transformation.
Of those who regard cloud misconfiguration as a risk, 41% said it is a “great risk.” For those working in B2C, this rose to 57%, and in administrative or technical roles, 52%.
Nearly two-thirds (62%) of IT decision makers said they are extremely or very concerned about the legal and regulatory compliance implications of cloud threats like misconfiguration, and 27% stated they had experienced such an incident over the past year.
The most common forms of misconfiguration errors include leaving an unencrypted data store exposed to the public internet without any form of authentication required to access it, exposing data to all global users of the same cloud platform and leaving encryption keys and passwords in open repositories.
This provides cyber-criminals with opportunities to undertake nefarious activities such as stealing and ransoming data and installing malicious digital skimming code onto websites.
“From Capital One to the US government, the list of serious data leaks and breaches via misconfigured cloud systems is growing by the second. Trend Micro’s Cloud One – Conformity offering detects 230 million of these errors every single day,” commented Bharat Mistry, principal security strategist at Trend Micro.
“This tells us something important: organizations are struggling to find the in-house skills needed to keep pace with their complex hybrid and multi-cloud deployments. With just a few clicks of a mouse potentially exposing highly sensitive and regulated data, CISOs need to consider investments such as cloud security posture management to tackle escalating risk.”
There have been numerous instances of data being exposed due to cloud misconfiguration errors over recent years as more organizations store data in the cloud. Last month, thousands of domestic violence victims have had their emergency distress messages exposed after a developer misconfigured a back-end AWS bucket.