In recent years, data on the cloud has become the main target of cyberattacks. This phenomenon has pushed spending on protecting this data to the top of all other cybersecurity spending items. This is the finding of Thales’s annual Cloud Data Security Report, released today. The Thales Cloud Security Study, based on data collected from nearly 3,000 information technology professionals from public and private organizations operating in 37 industries in 18 countries, including Italy, provides a detailed overview of current threats and defence strategies employed. The report particularly highlights the growing importance of data security on the cloud and the need to implement more effective measures to protect it. As threats continue to evolve, organizations must be prepared to adapt and constantly improve their defences to safeguard sensitive data and maintain the trust of their users and customers.

Most common attacks

Most attacks (31 per cent) target popular applications such as SaaS (Software as a Service), which allow people to connect to cloud-based apps via the Internet, such as e-mail or calendars. Other frequent targets include cloud storage (30 per cent), the cloud’s data storage service, and management infrastructure (26 per cent), i.e., the hardware and software components that enable services to be delivered in the computing cloud.

Among the companies surveyed, 44% have experienced data breaches on the cloud in the past year, and 14% say they have been victims of an incident. The main causes of these breaches are human error and misconfiguration (31%), exploitation of vulnerabilities (28%), and failure to use multi-factor authentication (17%). Sixty-six per cent of companies use more than 25 SaaS applications, and nearly half (47 per cent) of enterprise data stored in the cloud is sensitive. Despite increased risks, data encryption rates remain low: less than 10% of companies encrypt 80% or more of their sensitive data in the cloud.

According to Sebastien Cano, senior vice president for cloud protection at Thales, as the cloud attack surface expands, organizations must gain a solid understanding of the data stored in the cloud, the keys they use to encrypt it, and the ability to have complete visibility into who is accessing the data and how it is being used. “It is critical to solve these challenges now, especially as data sovereignty and privacy emerged as major concerns in this year’s research.” With experience, many companies are organizing to address new security challenges.

Among the strategies adopted is the reorganization of applications to separate, protect, store and logically process data on the cloud. “Companies with a good handle on their compliance processes and passed all their audits were less likely to suffer from a breach. We’ll start to see more compliance and security functions coming together. This would be a huge positive step to strengthen cyber defences and build protection around the data itself,” he said.

It is worth remembering that EU Nis 2 will arrive by this October. The new continental directive aims to achieve a high cybersecurity standard across the European Union. On October 17, 2024, member states must incorporate it into their national laws. The goal is to improve cybersecurity risk management and resilience across various sectors and replace the original Nis Directive (Directive 2016/1148/EC) with stricter regulations.