This feature is part of a series focused exclusively on cybersecurity. To view other posts in the series, check out the spotlight page.
CIOs and CISOs, maintaining a significant fiduciary responsibility to consumers, are often faced with the same concern — how can we protect our data in the cloud?
Enterprises that have already moved over a significant portion of their operations to cloud computing services may find it difficult to trust a third-party security system. Cybersecurity experts, however, say the architecture of the cloud is not usually the cause of cyber incidents and data breaches. Rather, it's the user.
In order to protect data from unwanted eyes, experts say the solution is fairly simple: education and proactivity.
What is the most common data security threat for an enterprise?
Benjamin Caudill, founder of Rhino Security Labs and a security expert, says that most common data breaches surround identity and authentication, session management, and other front door capabilities, instead of the ability of a hacker to compromise an entire data center or personal account.
"Ninety-nine percent of the time authentication, which is just a username and password, is very easy to break," said Caudill. "Whether I trick you, or install malware on your laptop, steal your password, guess it, or compromise it from another site, there are a lot of ways to get your username and password for a given account."
The security paradigm of the cloud is generally secure, but users and businesses don't necessarily invest enough time or work in monitoring data security, according to Caudill. For example, users are often susceptible to phishing emails that ask for their authentication details, because they don't understand how to differentiate a legitimate email from a fake one.
"Taking security seriously doesn't necessarily mean you have to spend a lot of money on it," Caudill said. "Typically the mentality and thought process when someone is attacking something, is to prioritize what is easily accessible over what is secure."
In fact, the Ponemon Institute surveyed almost 600 IT staff from small businesses with less than a thousand employees in its 2016 State of SMB Cybersecurity report and found that only 14% of the companies surveyed had rated their cyber defenses as highly effective. The principal reason was lack of personnel and insufficient IT security budgets.
Even more reflective of Caudill's sentiments, the report found that while 60% of respondents said they rely upon strong passwords and/or biometrics to prevent cybersecurity breaches, 56% said they either did not have or were unsure of a company policy on employees' use of these tools.
Another 59% of the respondents, who were primarily supervisory or management roles, said they lack visibility into their employees' password practices, such as how unique or strong the passwords are. Of those companies, 55% had suffered a cyberattack.
So, what can businesses do to avoid costly data breaches?
1. Understand the cloud in your business
Jim Reavis, CEO of the Cloud Security Alliance, says the first thing businesses can do to protect their data is to understand what it means to have data in the cloud and know what regulatory agency it is giving up to third party data security management services.
"The cloud changes the traditional paradigm of businesses owning and buying computers and using their own data center … now, there's less management overhead," said Reavis. "So, because that is very different, it creates new challenges. How can you develop trust and make sure that your information is protected, when it's not in a physical facility that you can lock up?"
Reavis says that business leaders can deal with the lack of data visibility in physical on-premise centers by actively trying to understand how cloud applications and services are being used within an organization. That includes understanding the high risk types, the highly sensitive information that is being handled and the strategies operated to protect it.
2. Encryption and two-factor authentication
Encryption is one of the easiest ways to proactively secure data and make it more difficult for hackers to access information, according to Reavis. "Doing encryption right makes it very difficult for hackers who can penetrate a lot of other things to actually get access to the information."
Two-factor authentication also makes it more difficult for cyber criminals to get past a simple username and password. This sort of mechanism, for instance, requires the user to more adequately verify whether he is actually legitimate; it can include extra security questions, for instance.
"The other big recommendation from a technical level is what's called strong authentication, such as two-factor authentication. If someone steals your password, it's not good enough," said Reavis. "Hackers can do nothing with those credentials if there are security questions they would have to answer as well, so that's a key recommendation."
3. Basic user training and identity management
Basic user training on the reality of threats like phishing emails and the importance of creating difficult passwords can go a long way in protecting an enterprise's data.
"People are always going to be your weakest link. Basic education goes a long way," said Caudill. "Phishing emails are something we leverage pretty frequently for a lot of our security features. We can spend weeks, months trying to hack a web app, but when we send a phishing email, we can often gain access to the internal network."
Though it may be difficult to do log analysis with services in the cloud, Caudill recommends IT security departments try to at least monitor users in the system.
"If you don't have cloud, or even if you do, log analysis and log education can be really helpful," said Caudill. "Managers need to be able to identify illegitimate activity from the legitimate."
4. Invest more in IT security
RSA's second annual Cybersecurity Poverty Index found 75% of the almost 900 respondents said they had a significant cybersecurity risk. But organizations that invested in detection and response technologies — rather than perimeter based solutions — fared better against cyberthreats.
Businesses can invest more money and resources into detection and response, rather than just prevention.
"If I'm running a department store, anything I invest in IT is money away from other stuff. Security is the deeper sinkhole of lost cash, and a lot of business owners think it's a poor place to invest money," Caudill said. "But, I think we need to put a majority of our resources into the identification and response piece and be more diligent."