7 in 10 APAC large firms wrongly trust that default cloud security is enough

Seventy percent of security decision-makers in large enterprises believe that security provided by cloud providers is sufficient to protect them from cloud-based threats, a report from Palo Alto Networks and conducted Ovum Research shows.

The report suggests that there are many cases among large organizations — with more than 200 employees — where perception doesn’t match the reality of professionals who know best.

“Organisations need to recognise that cloud security is a shared responsibility,” said Elaine Liew, regional VP for cloud security in Asia-Pacific at Palo Alto Networks. “While cloud providers are responsible for the security of their infrastructure, the onus is on companies themselves to secure their data and applications stored in that infrastructure.”

Among the companies surveyed, three out of five (59%) operate with more than 10 security tools within their infrastructure to secure their cloud.

However, having numerous security tools creates a fragmented security posture, adding further complexity to managing security in the cloud, especially if the companies are operating in a multi-cloud environment.

The multi-cloud approach creates a dangerous lack of visibility that is prevalent in 64% of large organisations surveyed, according to Andrew Milroy, head of advisory services in Asia-Pacific at Ovum.

“The ubiquity of multi-cloud deployments in large organisations calls for a unified view of all cloud-native services. It is ideal for organisations to have a central console that uses technologies such as artificial intelligence to help prevent known and unknown malware threats, and quickly remediate accidental data exposure when it arises,” said Milroy.

The need for automation is further underscored by the study, which revealed that large enterprises do not have enough time and resources to dedicate to cloud security audits and training.

Among large firms in the region, 76% have either never conducted a security audit or do not do it on a yearly basis. Furthermore, a quarter of audits do not even include cloud assets and 65% of organisations conduct internal audits only.

Besides audits, there is also inadequate cloud security training for both IT and non-IT staff. About 57% of organisations do not provide cybersecurity training to IT security employees on a yearly basis.