UK businesses are failing to check the security controls surrounding their data in the cloud, a study has revealed.
Although 73% of UK organisations are using at least one cloud-based service, only 38% of large firms ensure that data held by external providers is encrypted.
This is one of the key preliminary findings of the 2012 Information Security Breaches Survey by PricewaterhouseCoopers (PwC) and Infosecurity Europe.
The survey also found that 56% of small businesses don’t check their external provider’s security, relying instead on contracts and contingency plans.
"Businesses are putting their faith in third parties to take care of their data but many are taking a laissez-faire attitude to the security element," said Chris Potter, PwC information security partner.
"Not only are they often completely leaving the security controls to third parties, they are not actually checking what controls those third parties have in place."
The problem is that small businesses may assume that, because their data is hosted by a large cloud provider, good security controls will be in place.
"But this isn’t necessarily the case. Companies should always check what security controls their providers are operating," said Potter.
The survey found that around a quarter of large organisations and one-fifth of small ones have extremely confidential data hosted on the internet, with website, e-mail and payment service provision the most commonly used cloud services.
Half of organisations of national importance, such as financial services, telecommunications and utilities, use the cloud for business-critical data.
According to Potter, many small businesses rely only on a contingency plan to move the outsourced service if there are issues. Yet a third of contingency plans to deal with systems failure and data corruption prove ineffective.
The survey shows a strong correlation between the effectiveness of contingency plans and the seriousness of breaches. When contingency plans worked, fewer than half of the incidents were serious; when the plans failed, four-fifths were serious.
The survey revealed the biggest blind spot in contingency planning is the infringement of laws and regulations, where only a fifth (18%) of affected organisations had a contingency plan.
Some 45% of large firms polled admitted breaching data protection laws in the past year and this happened at least once a day at one in 10 of them.
The survey found that after the most serious breaches, organisations improved their processes and technology and also trained their people.
This reinforces the evidence that the worst security breaches are due to multiple failures in a combination of people, process and technology, said Potter.
"Too many contingency plans are currently ineffective. Organisations should be frequently stress-testing their plans, especially because the survey shows a direct correlation between contingency planning and the severity of breaches," he said.
However, Potter believes that instead of relying on contingency plans, organisations would be in a much stronger position if they secured their data in the first place.
Full results of the survey will be presented by PwC on 24 April at Infosec Europe 2012 in London.