Incidents in public cloud infrastructure are more likely to happen because of a customer’s employees rather than actions carried out by cloud providers.

According to a new Kaspersky report, Understanding security of the cloud: from adoption benefits to threats and concerns, ompanies expect cloud providers to be responsible for the safety of data stored on their cloud platforms.

However, around 90% (SMBs (88%) and enterprises (91%)) of corporate data breaches in the cloud happen due to social engineering techniques targeting customers’ employees, not because of problems caused by the cloud provider.

Cloud adoption allows organisations to benefit from more agile business processes, reduced capex and faster IT provision. However, they also worry about cloud infrastructure continuity and the security of their data. At least a third of both SMB and enterprise companies (35% SMB and 39% enterprise) are concerned about incidents affecting IT infrastructure hosted by a third party.

The consequences of an incident may make the benefits of cloud redundant and instead evoke painful commercial and reputational risks.

Even though organisations are primarily worried about the integrity of external cloud platforms, they are more likely to be affected by weaknesses far closer to home. A third of incidents (33%) in the cloud are caused by social engineering techniques affecting employee behaviour, while only 11% can be blamed on the actions of a cloud provider.

The survey shows there is still room for improvement to ensure adequate cybersecurity measures are in place when working with third parties.

Only 39% of SMBs and half (47%) of enterprises have implemented tailored protection for the cloud. This may be the result of businesses largely relying on a cloud infrastructure provider for cybersecurity. Alternatively, they could have false confidence that standard endpoint protection works smoothly within cloud environments without diminishing the benefits of cloud.

“The first step for any business when migrating to public cloud is to understand who is responsible for their business data and the workloads held in it. Cloud providers normally have dedicated cybersecurity measures in place to protect their platforms and customers, but when a threat is on the customer’s side, it is no longer the provider’s responsibility. Our research shows that companies should be more attentive to the cybersecurity hygiene of their employees and take measures that will protect their cloud environment from the inside,” comments Maxim Frolov, vice-president of global sales at Kaspersky.