Three office colleagues working on their laptops and smartphones.

Connecting Canadians

Why the cloud falls short on cybersecurity expectations: TELUS study

Aug 3, 2023

Cloud investments are a given these days, as businesses seek to reap benefits like agility, scalability and security. However, as organizations expand their cloud footprints, many find there’s a gap between their cybersecurity expectations and reality.

In the Canadian Cloud Security Study by TELUS Business, which surveyed more than 500 cybersecurity decision-makers in partnership with IDC Canada, 89 per cent of respondents indicate the cloud hasn’t met one or more of their expectations, with cloud security being the leading factor.

While over half of surveyed Canadian organizations’ data is now stored in the cloud, businesses nearly universally (98 per cent) agree that properly securing cloud environments is more challenging than securing on-premise IT infrastructure. In fact, 89 per cent of respondents say their organization has experienced a cloud security incident, with an average cost per year of $438,000 for organizations to address such incidents.

That may explain why 99 per cent of respondents admit if they could go back and adopt the cloud all over again, they’d spend more time on at least one aspect of security. The biggest areas they would have spent more time on are threat and risk assessments, monitoring and detection controls, and threat prevention controls.

While hindsight is 20/20, businesses can access all the advantages of the cloud and mitigate risks by having the right solutions and partners in place.

Carey Frey, chief security officer at TELUS, says enhancing cloud security starts with organizations understanding who is responsible for each aspect of security. “Businesses need to have a proper understanding of what their responsibilities are and what their cloud service providers’ responsibilities are,” he says.

For example, human error is the leading cause of cloud-security incidents, according to the study, and breaches often occur when someone in an organization has essentially “forgotten to lock the virtual door,” meaning they haven’t enabled the right security protocols to keep the information properly secured.

But whose responsibility is that? Is it the organization with the data and the employees logging in and out, or the cloud service provider? This can be especially difficult to navigate given that organizations have overwhelmingly adopted a multi-cloud strategy, leveraging more than eight different cloud service providers on average, according to the TELUS study.

“It’s easy to get cloud services from multiple companies where they set everything up and manage it as a service, but security is a shared set of responsibilities,” says Mr. Frey. “At the outset, I don’t think businesses focus enough on understanding what those responsibilities are and ensuring they are prepared to manage those obligations.”

Understanding what data is being secured and where it’s stored is critical in the event of a breach attempt – and that’s something that can be tracked by a trusted cloud-security partner.

“At TELUS, for example, we use processes like Security by Design and Privacy by Design to capture and log information about the data that is in our cloud environments,” explains Mr. Frey. “If there’s an incident, the first thing we’d do is determine the data set and security controls involved, so we can immediately see what kind of situation we’re in and then determine what course of action to take.”

Having an incident response plan enables quick action if a cloud breach occurs. “Businesses need a clearly defined document that lays out what the responsibility set is,” explains Mr. Frey. “That is a common methodology that can be employed by all.”

Organizations also must keep their technology up to date to ensure they’re protected by the best security. Mr. Frey says organizations may not be aware of updated security protocols that are available, or they expect their older technology to be protected by cloud technology. Both can lead to misunderstandings about today’s cloud systems. For example, security can be overlooked when businesses take old software and move it into a cloud environment – called a “lift and shift” – and expect it to be protected in the same way.

“With a lift and shift approach, you’re not taking advantage of all the ways cloud applications were designed,” Mr. Frey says. “Sometimes you need to add traditional network security controls, such as firewalls, because that can be the best way to secure that older technology.”

The good news is today there are more technology options available to help businesses achieve effective cloud security. These solutions provide greater visibility across cloud environments, detect misconfigurations, respond to threats and more. A great example of this would be a tool like Cloud Security Posture Management, which can detect and address security gaps before they become a problem.

“We are becoming increasingly aware that while new technologies can offer tremendous benefits, they are not without their challenges,” says Mr. Frey. “We have to be smart about how we secure our data and if we do that, we will reap the benefits these new technologies, like cloud, offer.”

While there is no one-size-fits-all approach, the Cloud Security Study offers guidance on effective cloud security strategies businesses can use to help create the communication, understanding and comfort organizations need to operate more securely in the cloud.

Download the 2023 TELUS Canadian Cloud Security Study

This article originally appeared on The Globe and Mail