As you'll know if you've been following our National Cyber Security Awareness Month blog series, we're focusing on user awareness. We believe that these days every user in your environment represents a point on your perimeter: any of them may be targeted by attackers, and any of them could create a security issue in a variety of ways, from losing their phone to clicking on a malicious link.
Each week through October we've provided a simple email primer on a topic affecting users' security. We hope these emails can be easily copied and pasted to send around your organization to help educate users on the risk. We've already covered some of the big obvious topics – phishing, passwords and mobile risks. That brings us to cloud applications.
According to the Ponemon Institute, 35% of security leaders say SaaS applications are not evaluated for security prior to deployment. And those are the security leaders that know it's happening – chances are there are more that don't.
A few years ago, Rapid7 ran its own internal audit to see where we stood with cloud applications; we found roughly ten times as many in use as we expected. It's easy for individual departments to sign up for an app and start using it without needing IT support, and that's exactly what had been happening, potentially exposing us to unknown and unmanaged risk. We now have policies to ensure the security team is included in any vendor selection, and that all vendors meet our security requirements. If you don't have policies in place, we strongly recommend you do your own internal audit and determine how you will manage the risk.
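The post does not say how that internal audit was done. One practical starting point is your web proxy logs: group outbound requests by SaaS vendor, count the users behind each, and flag vendors the security team has never vetted. The script below is an added example, not Rapid7's audit tooling or anything from the original post. It assumes a hypothetical proxy that logs one request per line as `timestamp user method url status`, a short hypothetical vendor catalogue, and a hypothetical approved-vendor list; the log lines are constructed for the example.

```python
"""Shadow-SaaS discovery over web-proxy logs (added example, not from the post).

Assumed log format, one request per line:
    <timestamp> <user> <method> <url> <status>
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: vendors the security team has already reviewed and approved.
APPROVED_SAAS = {"salesforce.com"}

# Assumption: a small catalogue of SaaS vendors to recognise in traffic.
# A real catalogue would be far larger (or come from a CASB / threat-intel feed).
KNOWN_SAAS = {
    "salesforce.com": "CRM",
    "marketo.com": "marketing automation",
    "dropbox.com": "file storage",
    "sugarsync.com": "file storage",
    "bamboohr.com": "HR",
    "tribehr.com": "HR",
}

# Constructed sample log lines, not real traffic.
SAMPLE_PROXY_LOG = """\
2013-10-22T09:01:12Z alice GET https://www.salesforce.com/home 200
2013-10-22T09:02:40Z bob POST https://www.dropbox.com/upload 200
2013-10-22T09:03:05Z carol PUT https://content.dropbox.com/chunk 200
2013-10-22T09:04:51Z dave POST https://app.bamboohr.com/import 200
2013-10-22T09:05:10Z alice GET https://news.example.com/ 200
2013-10-22T09:06:33Z bob POST https://files.randomshare.example/put 201
garbage line that does not match the format
""".splitlines()


def parse_line(line):
    """Split one proxy record into its fields; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, user, method, url, status = fields
    host = urlparse(url).hostname
    if host is None:
        return None
    return {"ts": ts, "user": user, "method": method.upper(), "host": host, "status": status}


def classify_host(host):
    """Match a hostname against the catalogue by walking its parent domains.

    'content.dropbox.com' -> ('dropbox.com', 'file storage'); unknown -> (None, None).
    The loop stops before the bare TLD so 'com' can never match.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in KNOWN_SAAS:
            return candidate, KNOWN_SAAS[candidate]
    return None, None


def audit(lines, approved=APPROVED_SAAS):
    """Return (vendors, unknown_uploads).

    vendors: {vendor: {"category", "users", "uploads", "approved"}} for catalogued SaaS.
    unknown_uploads: {host: {users}} for POST/PUT traffic to hosts not in the
    catalogue, i.e. data leaving the company to services nobody has named yet.
    """
    vendors = {}
    unknown_uploads = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        is_upload = rec["method"] in ("POST", "PUT")
        vendor, category = classify_host(rec["host"])
        if vendor is None:
            if is_upload:
                unknown_uploads[rec["host"]].add(rec["user"])
            continue
        entry = vendors.setdefault(vendor, {
            "category": category, "users": set(), "uploads": 0,
            "approved": vendor in approved,
        })
        entry["users"].add(rec["user"])
        if is_upload:
            entry["uploads"] += 1
    return vendors, dict(unknown_uploads)


def unapproved(vendors):
    """Catalogued vendors seen in traffic that are not on the approved list."""
    return sorted(v for v, e in vendors.items() if not e["approved"])


if __name__ == "__main__":
    vendors, unknown = audit(SAMPLE_PROXY_LOG)
    for vendor in unapproved(vendors):
        e = vendors[vendor]
        print(f"UNAPPROVED {vendor} ({e['category']}): "
              f"{len(e['users'])} user(s), {e['uploads']} upload(s)")
    for host, users in unknown.items():
        print(f"UNKNOWN UPLOAD TARGET {host}: {sorted(users)}")
```

The two outputs answer different questions: the unapproved list is the gap between what you have vetted and what is actually in use, while the unknown-upload list is where to look for vendors your catalogue has never heard of. Run it against a week of real proxy or DNS logs and expect the first list to be longer than you would like.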
In the meantime, here's the email for your users…
What is the Cloud?
“Cloud” basically means a technological solution you're subscribing to online. That covers an incredibly diverse range of things. For example: online data storage like Dropbox, marketing automation and tracking like Marketo, and customer relationship management like Salesforce.com. Cloud applications are designed to be very quick to deploy and easy to manage, and as a result, the chances are that your department is already using some kind of cloud service.
The challenge here is that you don't know how good the security of the solution you're buying may be. That can be a big problem if any corporate information is being handled by the service. For example, if you use an online data storage service like Dropbox, SugarSync or Google Drive, and that service gets compromised by an attacker, that attacker could get access to any information you stored on the site. Likewise, if you use an online human resources tool such as TribeHR, BambooHR or iEmployee, and it gets compromised, your employees' personally identifiable information (PII) could be at risk.
Not only is this a problem for those directly affected, but the company as a whole is impacted. Protecting the PII of both employees and customers is a legal requirement in many jurisdictions, so any incident exposing it could result in fines or other penalties. There are also reputational implications and the loss of trust. Other types of corporate data, such as intellectual property, are also valuable and need to be protected to defend the way we do business.
How can you protect yourself?
No one expects you to be an expert on security, but we do request that you be vigilant, familiarize yourself with company policies, and if in doubt, reach out to the IT or security team. In the case of cloud applications, bear in mind that although they may seem very polished and professional, you have no way of knowing what level of risk they are actually exposing you and our company to. Here are some basic ways of minimizing that risk:
- Work with IT/Security
When you start to think about using a new service, bring the IT and security team into the process. We can work with you to identify potential options based on your needs and budget, and then we can vet the candidates for you. We know the questions to ask and what to look for to ensure you get all the benefits without a lot of extra risk.
- Don't store information online without permission
When you use a cloud solution you may find that you start putting data in there as a matter of course. This is how you get value out of the solution, but have you considered what kind of data you're storing there? Or how the vendor is storing and protecting that data? We have a responsibility to keep that data safe, but a third-party vendor may not feel they share that responsibility. Check with IT and we will tell you whether it's safe to store that information online.
- Don't use personal cloud storage for work
It's very tempting; you use an online storage service for your media and documents at home. You already have an account set up, and you need to be able to access company information so you can work wherever you are. Using your personal account seems like an obvious solution, but it isn't. Ask IT for a solution and we will suggest some company-approved approaches and get you up and running.
- Don't share permissions for company files
It's a standard practice to restrict who can access certain types of information in the company based on role. This helps keep the information safe. In the same way, you should check with a manager or IT before sharing access to files that are stored in the cloud.
- Don't share passwords and other access credentials
It's very common for teams to share credentials for cloud services. This is an inherently insecure behavior and can encourage other equally insecure behavior such as emailing credentials, writing them down, or using very weak, easy to guess passwords. It also means there is no way to tell who did what in the service, and no way to remove one person's access when they leave the team without resetting the password for everyone. All of these activities increase the risk associated with using cloud services and should be avoided. Please familiarize yourself with our email on basic password hygiene if you have not already done so.
If you are considering a cloud purchase, or are already using some cloud services we may not know about, please do contact the IT team. And stay vigilant, team!