This year alone, we have seen a hacker take control of a hotel’s key card system, locking guests in their room until a ransom was paid[1]; 2.5 million PlayStation and Xbox user credentials exposed[2] and Aberdeen city council’s website overrun with hackers — and those are just the ones who have admitted to it. It’s no wonder the occurrence of data breaches has hit a record high, with a recorded 40 percent increase in the past year[3]. This begs the questions: Is data protection and cybersecurity is really being prioritised? And, how do we put a stop to this madness?
So much of society depends on connected devices – our money, our cars, our homes, even medical devices – leaving us all vulnerable to hackers with malicious intent. Which only serves to emphasise the importance of implementing thorough data protection practices throughout every level of society and in the workplace. So, how can we even begin to go about preventing such occurrences? Below are some areas organisations must prioritise to combat poor data protection practices.
Cloud security
With growing volumes of mobile devices comes the increasing demand for cloud applications and storage, with no signs of abating. The amount of cloud data each person uses is expected to triple by 2020[4], along with the rapidly rising occurrence of attacks on the cloud.
The very nature of the cloud is that individuals, whether it’s for work or personal purposes, can easily access files, no matter where they are. The same goes for hackers. The reality is roughly half of such attacks are committed by cyber-criminals, as opposed to hacktivists, nation states, terrorists, or competitors[5], so we are talking about committed professional hackers with malicious intent who are accessing sensitive corporate data stored in the cloud.
Whilst many may panic and decide to withdraw their data from the cloud or refrain from embracing it, there is no need to do so. Data in the cloud is as secure as data on-premise if the correct security standards are applied. There are a few ingredients imperative to securing data within the cloud: secure infrastructure, stronger passwords, and complementing passwords with multi-factor authentication.
Cross-pollinating personal and corporate data
Mobile devices are now the chosen tool for work; no matter the age, vocation or location. Gone are the days of a personal desk or office. Desk-less and remote workers are quickly becoming the new norm, with many choosing to access corporate applications from personal mobile devices, causing employees’ personal data to become cross-pollinated with sensitive corporate data.
One of the many dangers of cross-pollinating corporate data on employees’ personal devices is that once an employee leaves a company, they do so with sensitive company data. If company data leaks into the wild, hackers can use it for targeted attacks, including phishing attacks on company employees. Given the typical employee stays with a company for four years[6], the annual average employee turnover is 25 percent. In a mid-sized company of 1000 people, that’s 250 departures and a lot of potential leaks!
To mitigate this risk, employees should be encouraged to have two accounts on a single laptop; one for company data and apps, and another for personal use. This way companies can remain in control of the corporate account and revoke access once a user has left the company.
Multi-factor authentication
We, as human beings, have adopted bad habits. We often rehash and reuse the same passwords over and over again, maybe adding the additional number to the end of our favourite password if we are feeling conscious. By combining strong multi-factor authentication with, sufficiently complex, hard-to-guess passwords that are regularly rotated, companies are adding an additional layer of protection.
While multifactor authentication and methodically complex passwords may not be the silver bullet to stop all cybercriminals in their tracks, it certainly makes it difficult for malicious hackers to use personal and corporate information as cannon fodder on the dark web.
For organisations, an additional layer of protection through Cloud Access Security Brokers, or CASBs, is suggested to detect suspicious user behaviour. For example, if one user is accessing an application from two geographically remote locations (say, the UK and US), an Identity Cloud will be signalled to revoke access, as it’s likely their account has been compromised.
Employee education
However, while companies can have the best-laid plans in place to prevent the next hacker or insider threat running into the night with valuable corporate data, employee education is vital. All it takes is for an employee to download a file from the secure cloud service to a personal device or click on a malicious phishing email, without end-point management and security controls, and the preventable becomes inevitable.
Educating employees on phishing scams they encounter on a daily basis, in addition to strengthening corporate phishing defences, must be a priority. To monitor employee awareness of phishing threats, companies should conduct regular phishing assessments by sending a false-phishing email and tracking how many fall for the scam. Ideally, such assessments should be done on a monthly basis, with failure rates published and learning sessions conducted with employees.
If an organisation addresses cloud security, the cross-pollination of data, the use of multi-factor authentication to secure corporate applications, and employee education around phishing, then it is well on its way to adopting healthy and secure data protection practices.
By Al Sargent, Sr. Director of Product Design at OneLogin
[1] http://www.thelocal.at/20170128/hotel-ransomed-by-hackers-as-guests-locked-in-rooms
[2] https://www.theinquirer.net/inquirer/news/3003724/playstation-and-xbox-forum-hack-exposes-credentials-of-25-million-gamers
[3] https://www.helpnetsecurity.com/2017/01/20/data-breaches-increase/
[4] https://www.cisco.com/c/dam/en/us/solutions/collateral/service-provider/global-cloud-index-gci/white-paper-c11-738085.pdf
[5] https://www.thalesgroup.com/sites/default/files/asset/document/2017_thales_data_threat_report.pdf
[6] https://www.bls.gov/news.release/tenure.nr0.htm