Most Businesses Haven't Inspected Cloud Services For Malware

Ian Barker, reporting for BetaNews: Echoing the findings we reported earlier that companies leave cloud protection to third-parties, a new study from cloud security company Netskope reveals most companies don't scan their cloud services for malware either. The study conducted with the Ponemon Institute shows 48 percent of companies surveyed don't inspect the cloud for malware and 12 percent are unsure if they do or not. Of those that do inspect 57 percent of respondents say they found malware. It also shows that while 49 percent of business applications are now stored in the cloud, fewer than half of them (45 percent) are known, officially sanctioned or approved by IT.

News flash: they don't care.

[LTIfox]

True story: A guy I know was developing cloud based real estate management suite. Lots of sensitive information in there as you can imagine.
So I was, like, "Are you nervous about hackers and stuff because it is hosted God knows where by God knows whom?"
And they guy's reply was: "Nope. I have this here certificate"
I was like: "But that certificate will not protect you from hackers!"
He replied: "It would".
Me: "What?! Are you nuts?!"
He looks at me as I'm a kind of an idiot and patiently explains that he does not care if users data will get stolen or not. If something bad happens - his ass is protected by this here certificate. I.e. he did his due diligence and whatever happened is not his fault.
Me: "..."

Re:How?

Best not to ask these kinds of questions. In God and Cloud we trust.

Cloud is a cute word for "outsourcing your shit to someone else's data center" (disaster recovery an optional add on, which no one buys)

This is how we get there... CIO read something in a magazine while sitting on a Delta Airlines flight in first class, and said: Dude... we gotta have this cloud shit. Look at the size of this fucking Amazon AWS advertisement. It's a whole page. IN COLOR. That's probably pretty expensive. These guys clearly know what they are talking about. My IT guys can't even make a Powerpoint slide that looks half this good.

This suprises me not at all

[Jawnn]

We're encumbered by industry and government regulations when it comes to security. Many (most, actually) of our similarly encumbered peers have no idea how the rules apply when it comes to cloud services. If the vendor says "Yeah, it's compliant", that's all they need to hear. So it is absolutely no surprise that most cloud customers do not vet the security of the things they're buying. What was it, barely a year ago? When it was discovered that "big data" vendors had exposed entire databases to the world with exactly zero security? That's not a little screw up. It's a fundamental fail. How did the customers not know this going in? Answer: They did not look.

Re:This suprises me not at all

[Attila+Dimedici]

In some ways it is worse than that. Many IT professionals are aware that they do not know exactly how to meet the government regulations (and criteria for certain quality certifications). In addition, they know that they can be held accountable for doing so (even though they are not even aware of all of the regulations they are accountable for). However, most of those regulations (and certification standards) offer them an out if they have purchased a service from someone else who promises to make them compliant. Theoretically, that someone else will be held accountable if they are discovered to not be compliant. In practice that does not happen. AND the IT professional who fobbed the responsibility off on them is no longer responsible (as long as they have done their due diligence by hiring a company that is big enough to not be held accountable).