Most public sector organizations aren’t ready to either embrace a cloud-first strategy or move their entire infrastructures to the cloud due to budget and security concerns.

That’s according to the 2019 Netwrix Cloud Data Security Report. Despite federal government initiatives to encourage cloud adoption, the number of public sector organizations willing to implement a cloud-first strategy or become 100% cloud has dropped by 20% since 2018.

Netwrix’s Ken Tripp

Ken Tripp, Netwrix‘s director of channel accounts, tells us his company was surprised to find out that government organizations are skeptical about adopting a cloud-first approach. It seems that public sector organizations still feel cautious about using the cloud, apparently due to lack of budget and management support for cloud security initiatives, he said.

“MSSPs and other cybersecurity providers need to adapt their offerings to the needs of government organizations, and offer flexible pricing plans to help them resolve their paint points without budget overrun,” he said. “They also need to offer plans that are tailored to the needs of various types of government organizations — for example, local, state and federal governments.”

Some 92% of IT teams didn’t receive a budget increase for cloud security in 2019, and one-half of them said they have no financial support when it comes to dealing with cloud security issues, according to the report.

The majority of government organizations store personally identifiable information (PII) of employees and citizens in the cloud (69% and 62%, respectively). Their chief reasons for moving sensitive data to the cloud are cost efficiency (31%), availability for remote workers (28%) and security concerns (21%).

“Unfortunately, 28% of organizations that moved sensitive data (including citizens’ PII) into the cloud had security incidents in 2018,” Tripp said. “Moreover, all of these organizations never classified all data they store in the cloud, which means that they lacked valuable insight into their data and failed to prioritize their security efforts to secure the most critical information.”

Another issue Netwrix identified is lack of visibility into cloud environments that prevents organizations from investigating security incidents. Overall, 59% of organizations couldn’t determine whether the incidents they suffered were caused by external threat actors or insiders, which means they didn’t have a chance to ensure that these incidents won’t happen again.

“These poor security practices make organizations vulnerable to security threats like data breaches, and often lead to negative consequences like fines from regulatory bodies, and lawsuits from citizens and employees,” Tripp said.

The majority of organizations plan to strengthen data security in the cloud by encrypting data (61%) and improving data access management (55%); however, not all IT teams receive sufficient budget to support these initiatives. A lucky few reported quite a substantial budget increase, which averaged 80%.

One-quarter of organizations that store all their sensitive data in the cloud would consider moving some or all back on premises. The key reasons to “uncloud” include high costs (43%), inability to ensure security (29%) and lack of control (14%). They would start by migrating the data of citizens (29%), payment data (29%) and health care data (29%).

“I am 100% sure that unclouding is not a solution when it comes to any cloud issues,” Tripp said. “Government organizations have already invested a lot in the cloud, and moving data back on premises will also be costly, time-consuming and yet won’t guarantee that the data will be secure.”

To ensure optimum security, organizations need to plan their migration ahead and consider which data they are going to move, which data is better to leave on premises and the security measures they plan to roll out, he said. Also, the IT teams responsible for cloud migration need to involve management in the decision-making process to make migration comfortable for everyone, and teach them best security practices in the cloud to mitigate the risk of security issues caused by accidental user mistakes.

“Public sector organizations need to understand what data they have in the cloud and ensure they can classify it according to its level of sensitivity,” said Steve Dickson, Netwrix’s CEO. “This approach will enable them to prioritize their cybersecurity efforts and choose appropriate controls within their budgets to keep critical data safe.”