Cloud Security Remains Elusive in Public Sector

Despite the move to the cloud, many government entities grapple with long-standing, cloud-related cybersecurity challenges.

Consider a recent survey from data security provider Netwrix, based on responses from 937 IT professionals. The survey showed that, while security challenges persist, many cybersecurity woes in the federal government are self-inflicted: most respondents admitted that their cloud security efforts are hindered by a lack of IT/security staff (65%), employee negligence (59%) and a lack of budget (53%).

The survey respondents also indicated that their security budgets didn’t reach the levels their organizations had planned to spend before the novel coronavirus pandemic. While 45% of public organizations expected an increase in their cybersecurity budget from their 2019 spending, only 24% actually saw that increase. According to the Netwrix survey, 14% of funding earmarked for IT is spent on cloud security, revealing that public sector organizations allocate the lowest percentage of all industry sectors to cloud security.

Those findings echo the results of a previous survey conducted by the research firm IDC on behalf of cloud security provider Thales. That survey found that most government organizations fail to understand the “shared responsibility model,” and therefore fail to secure their data adequately.

“Agency beliefs are incongruent with the reality painted by survey results. Of U.S. federal government respondents in the study, 71% believe they are very secure. Still, agencies are not sufficiently implementing the processes and investing in the technologies required to protect their data appropriately. More than half have been breached or experienced failed security audits. And when it comes to securing data in the cloud, most government organizations incorrectly look to their cloud providers to implement data security measures for the portion of the shared responsibility model that the government organizations themselves own,” reads the federal edition of the 2020 Thales Data Threat Report.

Some government agencies are paying the price for their cloud security confusion. According to the Netwrix report, cloud breaches resulted in unplanned security expenses in 28% of organizations, customer churn and potentially a loss of credibility in 13%, and a change in senior leadership at 11% of organizations.

The Netwrix study also found that the most common data security-related incidents in the public sector were phishing attacks (experienced by 39% of organizations), unintentional data leaks (24%) and targeted digital attacks on the infrastructure (22%).

Of course, the pandemic exacerbated cybersecurity challenges, with 47% of respondents adjusting their 2020 priorities due to the virus. At the same time, the leading priorities among government agencies surveyed include auditing of user activity (65%), data classification (56%) and privilege attestation (53%).

Despite the cloud security challenges public organizations face, another recent survey of technology leaders within U.S. public agencies showed that about half (45% of federal agencies and 52% of state agencies) store mission-critical data in cloud systems.

The Netwrix survey found that most respondents admitted their cloud security efforts are hindered by a lack of IT/security staff (65%), employee negligence (59%) and a lack of budget (53%). The good news is that most of the challenges the public sector faces with regard to security are fixable: a lack of security staff can be remedied by hiring more, training and awareness can mitigate employee negligence, and budgets can be increased if the will to do so is there.