cyber crime, Data, News & Analysis

One in four cloud service clients willing to be held to ransom – study

mobile tablet securityOne in four companies would be willing to pay a ransom to criminals who stole their information, with 14% of them willing to pay over a million dollars, says a study. Companies with cyber insurance are most likely to hand over cash.

This revelation comes from a survey of cross industry sample of 200 IT and security professionals by the Cloud Security Alliance. The study’s objective was to examine how industries around the world are managing cloud adoption.

Exposure is increasing, according to the survey, which indicated that IT professionals are struggling to cater for the demand for new cloud services, receiving on average 10.6 requests each month for new cloud services. Only 71.2% of companies now have a formal process for users to request new cloud services and of these 65.5% admitted that they ‘only partially’ follow it. Due diligence is impossible under the circumstances because it takes an IT security team 17.7 days on average to evaluate the security of a cloud provider, the study says.

The most common reason for rejecting a cloud service is not related to security or compliance but the fact that a comparable cloud solution is already in place. Small companies are most likely to judge a cloud service by the cost, with the lack of budget, in 28.4% of cases, being the most popular criteria for rejection.

The lack of security could cause problems in future because many companies are now putting sensitive customer information in the cloud. The most commonly purchased cloud system is customer relationship management (CRM), which was identified as a purchase by 36.3% of the survey sample. The figures may reflect a degree of complacency as ‘just 35.0% of IT and security professionals believe that cloud-based systems of record are less secure than their on-premises counterparts’, says the report.

Despite the perceived improvement in security from cloud services, 60.8% of companies have taken the precaution of appointing a chief information security officer. However, these relatively new roles are ill-defined and responsibilities, such as ransom negotiation, vary across companies.

“It’s shocking that so many companies are willing to pay even a penny’s ransom,” said Skyhigh Networks spokesman Nigel Hawthorn, “The idea that some would pay more than $1m is downright staggering. Hackers are increasingly confident they can hold businesses over a barrel.”