Enterprises may be embracing the cloud, but they’re not being very careful about doing so, according to a new survey. While cloud usage is on the rise, so are anxieties about the security of public cloud services. The cloud is also becoming a petri dish for malware.

The survey of 643 business professionals in the U.S. and Canada by the Ponemon Institute and commissioned by cloud security provider Netskope Inc. found that although more than half of respondents said their use of cloud services is increasing, they fear that using public cloud significantly increases the likelihood of a data breach. Nearly one-quarter said can’t tell if they’ve been breached, and nearly one-third said they wouldn’t be able to tell what data was lost, even if they were aware of a problem.

The research indicates that public cloud providers still face an uphill battle in addressing perceptions that applications and services that live outside users’ own data centers are inherently less secure. The research is somewhat contradictory, however. In a survey released by Bitglass Inc. last summer, 52 percent of respondents said the cloud is at least as secure as their on-premise systems, up from 40 percent the previous year.

More than half (54 percent) of respondents to the Ponemon/Netskope survey said their organization’s use of cloud services increases the likelihood of a data breach and nearly 2/3 said it makes it harder to protect sensitive information.

Nearly 40 percent of respondents said a cloud service was used to infect their users with malware. Despite this vulnerability, only 40 percent of organizations inspect cloud services for malware. The growing incidence of malware infection from trusted cloud services indicates that IT organizations are too quick to assume that everything emanating from those services is OK.

Shared folders, in particular, are becoming a prime malware attack vector because they can potentially reach so many victims, said Gautam Kanaparthi, a Netskope senior product manager. “If I put malware in a cloud-based folder, then everyone who shares that folder if vulnerable. That is a huge risk,” he said. Netskope estimates that 56 percent of malware is now spread through shared files.

This risk apparently hasn’t hit home with many IT organizations, 60 percent of whom don’t screen public cloud services for malware, according to the Ponemon research. “People think their existing infrastructure will cover them, but people access the cloud from home, mobile devices and public computers, all of which is outside your security stack,” Kanaparthi said. “The activity is malicious but the IT security people say they know the service so they trust it.”

$19.3 million cost per breach

The cost of breaches continues to climb. Ponemon asked survey respondents to estimate the total cost of an exposure involving 100,000 or more customer records and encompassing costs of remediation, lost productivity, reputation damage and other collateral exposure. The average estimate was $19.3 million, with 40 percent of that attributed to reputation and brand damage.

Among other findings of the study were:

• Thirty-one percent said their organization has experienced a breach of a public cloud service and 19 percent said they have no way of knowing if they’ve been breached. Nearly half of the people whose companies had been breached faulted a user for exposing data, either intentionally or accidentally.
• Respondents estimated that 33 percent of business data in the cloud and 26 percent of sensitive or confidential data isn’t visible to IT. IT organizations can’t be expected to protect data they don’t know exists.
• Nearly half said they worry about losing control or being unable to influence end-user actions in the cloud. That was followed closely by fears of intellectual property theft.
• Organizations appear to be falling behind in their quest to track and use of cloud services. The percentage of companies that feel they have a good handle on what cloud services employees are using fell from 50 percent in the same survey in 2014 to 45 percent this year.
• An average of 30,716 computing devices –  including desktops, laptops, tablets and smartphones – are connected to the average organization’s networks, an increase of more than 20 percent from 2014.