Hybrid cloud security survey shows that most organizations are implementing hybrid clouds far faster than their security teams can manage them.

For many organizations, particularly those in highly regulated industries such as healthcare, hybrid cloud environments offer the best of both worlds. Companies get to enjoy the easy scalability and other benefits of AWS, Microsoft Azure, or Google Cloud while isolating their critical workloads and sensitive data in a private cloud that they have complete control over.

At least, that’s the theory. As it turns out, not all clouds have a silver lining. Firemon’s State of Hybrid Cloud Security Survey, which polled over 400 security practitioners, revealed a severe disconnect between hybrid cloud adoption and hybrid cloud security. Among the findings:

• Most organizations are running multiple disparate cloud systems, which greatly increases complexity. Half of organizations deploy at least two different cloud environments (multicloud), and 40% have hybrid cloud deployments. Further, 39% use Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) models concurrently.
• Despite this complexity, many organizations expect non-security personnel to handle public and hybrid cloud security. 56% of respondents reported that cloud security was handled by network security, security operations, or security compliance teams. The rest of the time, the responsibility is placed on IT/cloud teams, application owners, or other teams outside the security organization.
• Security personnel lack the resources to keep up. 60% of respondents indicated that their organizations’ cloud initiatives were outpacing their ability to secure them. This isn’t surprising, given that 57.5% indicated that less than 1/4 of their security budget was dedicated to cloud security, and 52% reported that their security teams consisted of 10 or fewer members. Only 28% have network security tools that work across multiple environments to secure their hybrid clouds.
• In many cases, DevOps and security teams are siloed, further impeding cloud security.7% of respondents reported being part of their organizations’ DevOps team as part of the DevSecOps trend, but 30% indicated their relationship with DevOps was either complicated, contentious, not worth mentioning, or non-existent.

Hybrid cloud security issues are challenging, but not insurmountable

Like public clouds, hybrid cloud environments are not inherently less secure than on-prem infrastructures, but hybrid clouds are complex, requiring expertise with APIs and network configurations that many traditional system administrators are unfamiliar with. While the technical specifics of securing a hybrid cloud environment will vary, certain best practices apply in all environments.

Eliminate organizational silos and give security a seat at the table. Cyber security should be the primary concern when deploying a hybrid cloud environment, not an afterthought. Security teams must be involved every step of the way.

Don’t forget compliance concerns. Compliance is tricky in a hybrid cloud environment. You must understand the differences in compliance responsibility in each environment; be able to demonstrate that both your private cloud and your public cloud meet applicable compliance mandates; ensure that any data moving between the two clouds is protected in transit; and establish safeguards that prevent sensitive data from being moved from compliant storage on a private cloud into non-compliant storage on a public cloud. Most AWS breaches are due to sensitive data being uploaded onto improperly configured AWS buckets.

Establish consistent risk management processes throughout the hybrid cloud environment. While some processes will have to be different, keep things as consistent as possible to reduce complexity. For example, the principle of least privilege applies in both environments; ensure that your employees do not have more privileges in one environment than they do in the other.

Seek help from cyber security professionals with expertise in hybrid cloud security. Both the cloud computing and cyber security domains are suffering from a significant skills shortage that is projected to persist into the foreseeable future. Pawning off the responsibility to staffers who lack security expertise only sets your company up for a cyberattack. Organizations that do not have sufficient staff in-house to ensure hybrid cloud security need to seek outside help.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Think your company “can’t afford” cyber security? How much will a cyber attack cost?

Cost is arguably the biggest impediment to robust, proactive cyber security at small and medium sized businesses (SMBs). SMBs are aware of the need to secure their systems and data, but when presented with a solution, the costs may give them pause. Some of them think that hackers are interested in attacking large firms, and their companies are too small to warrant the investment.

The reality is that hackers find SMBs to be very attractive targets because they know these small firms may not have comprehensive cyber security defenses. Additionally, many SMBs sell services to large companies, and hackers frequently use these third-party vendors as backdoors into their primary targets. Verizon estimates that 58% of SMBs have fallen victim to a cyber attack, and stratospheric cyber attack remediation costs mean that these companies have a lot more to lose than multinational corporations.

Small businesses face big cyber attack costs

While cyber attack costs take a large bite out of multinationals, they can swallow SMBs whole. According to Ponemon Institute, cyber attacks cost SMBs an average of over $2.2 million. Cleanup costs are responsible for about half, with the other half being due to business disruption. It’s important to understand that $2.2 million is an average figure. Your company’s remediation costs could be higher, particularly if you do business in a highly regulated industry, such as healthcare or finance. The healthcare industry faces the highest per-record data breach cost, at $408 per compromised record, nearly three times the average of $148.

In addition to direct remediation costs, such as repairs to systems and hardware, businesses may also face a litany of indirect remediation costs, including:

• Regulatory or industry fines for compliance violations.
• Civil lawsuits from customers, business partners, or both.
• Higher cyber insurance premiums.
• Higher fees from payment processors, if the cyber attack causes your customers to file a significant number of credit card chargebacks.
• Customer refunds and incentives, such as credit monitoring.
• Lost sales and business opportunities.

These cyber attack costs are magnified if your company must temporarily suspend operations after a cyber incident. In addition to footing the direct and indirect costs of cyber attack remediation, your business must still pay everyday operational costs, such as rent, utilities, insurance, and payroll – and all of this while no money is coming in. If that sounds like a perfect (cyber) storm, that’s because it is; the U.S. National Cyber Security Alliance estimates that 60% of small businesses go under within six months of suffering a cyber attack.

Proactive cyber security doesn’t have to cost a fortune

Solid integrated risk management (IRM) and governance, risk, and compliance reduce the risk of cyber attacks, and automating IRM and GRC processes allows companies to save money and time without sacrificing efficacy. Continuum GRC’s proprietary IT Audit Machine (ITAM) is a cloud-based, self-service IRM and GRC solution that will help you document and analyze cyber risks, develop mitigation plans, define controls, and manage ongoing risk assessments, with clear visibility into key risk indicators, assessment results, and compliance initiatives.

The risks are dire. It’s not cyber security that SMBs cannot afford; it’s cyber attack remediation costs.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.