Research dampens claims cloud providers are GDPR-ready

Keumars Afifi-Sabet

16 Apr, 2018

Only half of organisations say all their cloud providers have a plan for GDPR compliance ahead of the 25 May deadline to comply with the new data protection legislation, a report has found.

Surveying 1,400 CISOs and IT managers around the world, McAfee’s The State of Cloud Security report also found a direct link between an organisation’s confidence in their provider’s state of GDPR readiness and the level of investment they are willing to commit to cloud services.

Despite over 80% of organisations in a previous survey indicating they expected help from their service providers to achieve regulatory compliance, McAfee’s latest findings showed only half of respondents said that all their cloud suppliers had a plan in place ahead of the deadline to comply with GDPR, which sets out tougher penalties for organisations that misuse EU residents’ data, and hands more control to people over how their information is used.

Organisations more confident in their cloud providers’ GDPR readiness were more likely to spend more on cloud services in the coming year, with those lacking confidence more likely to keep investment at the same level.

Not all cloud solutions support the same level of security, so what should you look for before committing to a cloud service? Learn more in ‘Demystifying Cloud Security’.

Download now

Just under half of respondents anticipated increased investment in light of GDPR, while 44% of organisations said they expected spending to remain flat. Less than 10% of organisations anticipated decreasing their investment in their cloud services, again contrasting with the findings of McAfee’s Beyond the General Data Protection Regulation (GDPR) which found organisations were projected to reduce investment by $85,000 on average as a result.

“The implementation of the incoming GDPR, due to come into force in just over a month’s time, will affect cloud users around the world,” said Nigel Hawthorn, data privacy expert in McAfee’s cloud security business unit.

“Becoming GDPR compliant requires a combination of knowledge, processes, policies, technology and training, as well as detailed understanding of data flows to and from third parties and cloud services. With this in mind, it is concerning that only half of the respondents stated that all of their cloud providers have a plan in place for GDPR compliance.”

Cloud Pro has previously warned against relying on third-parties to ensure compliance with GDPR.

Skills shortages underline wider issues

The latest edition of McAfee’s annual report on the current state and future plans for cloud adoption and security also shed light on cloud adoption progress, as well as the main concerns proving obstacles for some organisations.

A quarter of respondents highlighted a lack of staff with skills to manage security for cloud applications, and only 24% of organisations reported that they suffered no skills shortage, while the research found 40% of IT leaders reported they were slowing their organisation’s cloud adoption.

Data theft, however, was ranked as the greatest concern, with 56% of professionals saying they had tracked a malware infection back to a cloud application, up from 52% the previous year.

Lack of visibility, meanwhile, was cited as one of the most commonly experienced issues – spanning users creating cloud workloads outside of an organisation’s IT department (shadow IT), a lack of transparency around what data is stored in the cloud, and an inability to monitor cloud workloads.

UK organisations slowest to adopt, and most cautious

Organisations in the UK were the slowest to adopt cloud services of those surveyed, while they were also found to be the most cautious over storing sensitive data.

When asked how many months organisations would take for their IT infrastructure to be 80% cloud-based, respondents in the UK answered 19 months, versus an average of 14 months.

Moreover, organisations in the UK were also found to be the least likely to store all of their sensitive data in the public cloud – only 10% versus an average of 25% – while a quarter of UK organisations said they stored no sensitive data in the cloud, the joint-highest with Germany.

Personal customer information comprised the majority of sensitive data, with 61% of organisations keeping such data in the public cloud, followed by payment card information, internal documents, and employee information.

What should you look for in a cloud solution to ensure that your corporate data can be kept safe? Learn more in this whitepaper on cloud security.

Download now

Visibility underpins secure cloud adoption

The report pinpointed a lack of visibility as the key factor hindering organisations from securing their cloud services, concluding visibility-driven organisations, regardless of whether they have adopted a cloud-first strategy or not, have a better awareness of shadow IT and take direct responsibility for the security of their cloud data.

“Poor visibility has a bigger impact on navigation than any single control or capability. After all, you cannot steer around what you cannot see,” the report concluded.

“The leading adopters of cloud services understand this axiom and are integrating cloud visibility into their IT operations to accelerate business. Better cloud visibility enables an organisation to adopt transformative cloud applications sooner, respond more quickly to security threats, and reap the cost savings that virtualisation provides.”