Most Businesses Haven't Inspected Cloud Services For Malware

Ian Barker, reporting for BetaNews: Echoing the findings we reported earlier that companies leave cloud protection to third-parties, a new study from cloud security company Netskope reveals most companies don't scan their cloud services for malware either. The study conducted with the Ponemon Institute shows 48 percent of companies surveyed don't inspect the cloud for malware and 12 percent are unsure if they do or not. Of those that do inspect 57 percent of respondents say they found malware. It also shows that while 49 percent of business applications are now stored in the cloud, fewer than half of them (45 percent) are known, officially sanctioned or approved by IT.

This suprises me not at all

[Jawnn]

We're encumbered by industry and government regulations when it comes to security. Many (most, actually) of our similarly encumbered peers have no idea how the rules apply when it comes to cloud services. If the vendor says "Yeah, it's compliant", that's all they need to hear. So it is absolutely no surprise that most cloud customers do not vet the security of the things they're buying. What was it, barely a year ago? When it was discovered that "big data" vendors had exposed entire databases to the world with exactly zero security? That's not a little screw up. It's a fundamental fail. How did the customers not know this going in? Answer: They did not look.

Re:This suprises me not at all

[Attila+Dimedici]

In some ways it is worse than that. Many IT professionals are aware that they do not know exactly how to meet the government regulations (and criteria for certain quality certifications). In addition, they know that they can be held accountable for doing so (even though they are not even aware of all of the regulations they are accountable for). However, most of those regulations (and certification standards) offer them an out if they have purchased a service from someone else who promises to make them compliant. Theoretically, that someone else will be held accountable if they are discovered to not be compliant. In practice that does not happen. AND the IT professional who fobbed the responsibility off on them is no longer responsible (as long as they have done their due diligence by hiring a company that is big enough to not be held accountable).