10 lessons learned from 2016’s biggest data breaches
Moving data to the cloud requires extra effort to prevent cyber attacks.
Lessons from the biggest data breaches of 2016
Organizations are taking more of their data and applications to the cloud, increasing the risk of a cybersecurity incident. Here are 10 lessons IT can learn from 2016’s biggest data breaches.
2016 was a record year for data breaches
“Between the DNC hack, the Panama Papers and Dropbox password leaks, 2016 saw its fair share of data breaches, bringing a harsh reality to light for IT: everybody is a target,” notes Krishna Narayanaswamy, chief scientist and cofounder of Netskope. “While cyber security is increasingly top of mind for IT professionals, the C-suite still has much to learn when it comes to keeping pace with the constantly evolving threat landscape.”
The move to the cloud puts organizations at greater risk
“Enterprises now use an average of 1,031 cloud apps, a figure that IT often underestimates by 10 times, and which represents just one of many avenues that hackers could breach in order to obtain sensitive data,” Narayanaswamy explains. “According to an IBM study of nearly 150 CISOs, nearly half of those polled expect a major cloud service provider to experience a security breach within the next year. As cyber criminals continue to develop more complex methods to infiltrate organizations, corporate leaders must have a clear understanding of how to adapt and adopt more proactive deterrence strategies.”
First and foremost, create a formal policy around insider threats
“With the increase in cloud and mobile usage comes the added issue of insider threats,” Narayanaswamy says. “It’s clear that most organizations have work to do—according to a recent survey, only 37 percent have formal policies in place. The challenge most organizations face is finding the balance between empowering employees to access and use cloud apps and protecting against the risk of data loss. At the end of the day, organizations must have a formal policy to address this issue, including the fact that many cloud app-based insider threats are mostly unintentional, meaning sensitive business data has the potential for accidental exposure via unsanctioned cloud apps.”
Organizations must actually enforce insider threat policies
“While having an insider threat policy is an important first step in enhancing security, IT leaders must actually enforce the policy,” Narayanaswamy stresses. “This also includes regularly assessing risks to update and making changes to the policy as the IT landscape changes. For example, if all employees start using new sync-and-share programs to exchange sensitive information, there may be a heightened risk for an insider threat (both unintentional and malicious). An up-to-date policy that controls who can access what from managed and unmanaged devices, and when, will address issues such as this one.”
Encrypt everything
“IT leaders have caught onto the fact that, like it or not, employees are going to sync, share, save and upload sensitive data to the cloud,” Narayanaswamy says. “Encryption is the single most important step to ensure this data remains secure. It’s not a failsafe, but it can make a big difference in a third party’s ability to access data or not.”
Regardless of industry, implement a data loss prevention strategy
“Consider how easy it is for an ‘insider,’ such as someone in Investor Relations, to upload non-public financials to Dropbox, or a bio-pharma researcher to upload clinical trial data to a cloud big data tool, or someone in HR to sync employee data in Box,” Narayanaswamy says. “Organizations need a data loss prevention strategy in place that will detect, classify and protect against the loss of sensitive data while in transit to or from the cloud, and while at rest in the cloud.”
Have a remediation plan in place
“Having a ‘when, not if’ mentality will ensure that IT is prepared with a definitive process should a breach or hack occur,” Narayanaswamy stresses. “This includes developing a proper remediation plan to have in place for when something does go wrong. The plan should address risk, security and compliance questions specific to the organization—both the current and future state. Some sample questions to ask include, ‘Does any confidential content reside in our sanctioned cloud storage and, if so, who has access to it? Do we have any payment card information residing in our cloud Customer Relationship Management apps? Do I have backup in case my data is rendered useless?’”
Conduct regular audits for vulnerabilities
“To establish credibility and gain buy-in for the security plan, IT leaders must provide corporate leadership an accurate assessment of the current state of affairs, including cloud usage trends and potential vulnerabilities,” Narayanaswamy advises. “For CIOs who haven’t performed an assessment of cloud usage in their environment, there’s no scarier question than ‘How are we using the cloud today?’ Address this by understanding how many and what types of cloud services are in use in the organization, what potential vulnerabilities and risks are associated with each, if there are any specific security patches or updates that need to take place in order to enhance security and what that means in terms of cyber risk.”
Change passwords often
“A recent survey from Ping Identity revealed that while enterprise employees claim to prioritize online security and understand risky versus safe behavior, they fail to follow best practices consistently,” Narayanaswamy explains. “In fact, half of respondents admitted that they are likely to reuse passwords for work-related accounts. Account for this in the formal IT policy by ensuring that employees change their passwords regularly and often.”
Employ two-factor authentication
“Safely enabling cloud means IT must find, understand and secure the cloud services that are in use or under consideration,” Narayanaswamy says. “This goes beyond knowing the number of services and their associated risks, but also understanding risky usage of and/or sensitive data in the cloud apps in the environment, both sanctioned and unsanctioned, and applying two-factor authentication as appropriate to ensure further security measures are in place.”
Maintain an open dialogue with the C-suite to discuss current policy and protocols
“In general, there’s still a disconnect between C-level executives and IT when it comes to deciphering and understanding standard cyber security practices,” according to Narayanaswamy. “Many executives don’t feel responsible for the repercussions of hacking, creating a culture of blame that doesn’t help to make enterprises any less vulnerable. It’s important that IT departments plan to work closely with the C-suite to act as transparent administrators and guardians of a company’s security policies.”
Educate your employees on why this all matters
“Human error accounts for 52 percent of the root cause of security breaches,” Narayanaswamy stresses. “Most of the time, employees aren’t acting maliciously but the fallout can be immense in either case, and cloud app security strategies must protect against both risks. Regardless of who might be to blame in the event of a breach, get ahead of this issue with regular employee training on the importance of following the organization’s security policies.”