But, he points out, a lot of responsibility still falls on these organisations to do things to ensure that they have the right setup, to ensure that they have the cloud configured correctly and that they don't have data "hanging around" that's not appropriately protected.
"Organisations do not completely understand the cloud environment and a lack of expertise and skill set makes it difficult for businesses to identify and implement the right set of security controls to protect their cloud operations," says Prakash Venkata, principal within PwC's cybersecurity, risk and regulatory practice.
"Companies that seem to be ignoring cloud security altogether may be doing so due to a lack of understanding, a lack of skills and expertise, limited time due to competing corporate initiatives, or limited budget to invest in leading tools," he adds.
But cloud security isn't something that can just be ignored – if your organisation is using cloud applications or servers, securing it is a must, particularly as cyber criminals and other malicious hackers are on the lookout for insecure services they can exploit to gain access to networks with relatively low effort.
For example, there's been a big rise in enterprises and employees using cloud application suites for emails, managing documents and other daily tasks. It's beneficial for employees, but if those accounts aren't secured properly, they can provide an easy backdoor for attackers.
If your organisation isn't on top of its cloud security strategy, it could be easy for the information security team to miss early signs of suspicious activity, only to finally notice when it's too late, once information has been stolen or ransomware has encrypted the network.
There are also additional steps that information security teams can take to bolster cybersecurity defences of cloud services, such as rolling out multi-factor authentication to all users. This provides an opportunity to stop and detect malicious intrusions before they happen, because even if the attacker has the correct password, the user has to confirm that it's a legitimate login attempt.
"Identity access management, the ability to ensure that networks' data system services can only be accessed by by authorized parties, that's really the essential bit," says Nurse.
And just because software is cloud-based, that doesn't mean it doesn't require security patches and updates. If there's a security update available for cloud software, it's best to apply it as soon as possible, particularly as cyber criminals also know about the vulnerabilities and will do their best to exploit them. For this, it's important to select the right cloud vendor.
A good cloud service provider that becomes aware of security vulnerabilities in their products will roll out those patches to customers as soon as possible, providing the customer with the greatest opportunity to stay protected from attacks, using the exploit – as long as they apply the update on time.
However, your choice of cloud service provider could make a significant difference to your overall cloud security strategy. Many vendors will be responsive, quickly supplying updates and fixes for cloud software issues – but some aren't, and it's important to learn which these are before signing a contract.
"There's no point choosing a cloud provider that has really cheap services, but then that cloud provider doesn't patch regularly or doesn't monitor its own attack surface, because at the end of the day, it's still the organisation's data that could be breached," says Nurse.
Even when you have a cybersecurity strategy around cloud in place, that's not the end of the journey – and much like when you first start using cloud services, you can't just ignore it and hope for the best. Cybersecurity is always evolving, new threats emerge, and new strategies need to be applied to help keep networks and users as safe and secure as possible.