A new era of cloud storage has spurred new security needs. Today’s businesses rely on the cloud for computing, storage, data analytics, business productivity and much more. But in a BYOD environment, an enterprise doesn’t have full control of all the devices employees use. It simply can’t.
Cloud-based apps, both personal and professional, have become the norm, which leads to information flowing in and out of the enterprise unchecked. It is estimated that 60 percent of all enterprise workloads are currently running in the cloud.
Controlling all the data on multiple devices is difficult since it originates outside the company network. To complicate matters, unstructured data is exploding as more devices become mainstream. Unstructured data – such as emails, Word documents, videos, photos, and presentations – are the largest and fastest growing type of data, yet the hardest to secure. With the immense flow of data, the security “perimeter” around an organization’s data is no more, and traditional methods of protecting data no longer suffice.
The scope of the problem is immense. According to Ponemon Institute’s “2017 Cost of Data Breach Study: Global Overview,” the average total cost of a data breach is $3.62 million. With the odds of a company experiencing a data breach as high as one in four, it’s not a matter of if a breach will happen, but when.
Here are some cybersecurity challenges cloud-first enterprises are facing:
Collaboration Apps Create Vulnerabilities
In a tech-driven world, communication and collaboration are at our fingertips, thanks to easy-to-use collaboration apps like Slack and Trello. However, those types of apps create vulnerabilities because of lack of transparency on the backend processes. The challenge that these apps raise for organizations is: How can they enable the easy collaboration these apps provide, and at the same time, provide the security that is needed?
A key way to address this is to offer always-encrypted solutions that don’t disrupt user experience, but many of these collaboration apps don’t offer it. Instead, they only offer encryption when the data is at rest or when moving.
And, many of these apps decrypt the data to allow search, app integrations, third-party compliance or ads. This creates new risk. On top of that, guest access on collaboration apps can cause additional vulnerabilities. To maintain proper security, companies must monitor and terminate guest accounts when they are no longer needed.
Mobile Devices Deliver Convenience and Risk
There are approximately 4.57 billion mobile phone users worldwide, many of them within the enterprise, according to Statista. Mobile devices are a necessity in today’s business environment, but they bring security issues with them.
Mobile security issues include everything from computing anywhere using unsecured networks (aka that free Wi-Fi at your coffee shop) and downloading all types of apps. The sheer number of apps that exist present a conundrum for IT departments expected to vet them. It’s an impossible feat. For perspective, Google removed 700,000 potentially harmful or deceiving apps from the Google Play store in 2017 alone.
What’s more, applications that exist to help users clean out their apps have even been used to distribute malware. So, knowing which apps to trust – even those that are supposed to help you address the problem – can be tricky.
But if enterprises think mobile device management (MDM) is the end-all-and-be-all for mobile security, think again. While MDM monitors, manages and secures employees' mobile devices, it only works when all information is inside the corporate network. With so many apps available at our fingertips, that’s no longer realistic. Today, mobile devices can access apps like Dropbox and Google Drive directly without MDM, and just like that, the devices are no longer secure.
Even with a cloud access security broker (CASB) acting as a gatekeeper, once data is stored on the mobile device, it can leave and go to other locations. For example, let’s say Box.com is the official corporate cloud storage provider. A user can download a file from Box and later put the file on Dropbox. There’s no simple way to monitor or prevent this.
IoT Devices Open the Door to Hackers
Another consideration is IoT devices connected to the cloud. Unfortunately, these devices can be easily hacked and compromise the network. The simple truth is that most IoT devices have little to no security enabled. Therefore, placing IoT devices in an enterprise network inherently brings risk.
Internet routers, for both home and for business, are an example. They can be easily hacked and compromise the network. Certain malware can pass through home and office routers or even disable the devices completely, such as the Russian-linked VPNFilter malware the FBI recently warned about. Home security routers can allow hackers entry to the enterprise network.
Millions of insecure IoT devices present an enormous risk that’s only growing. IDC predicts that by 2025, there will be over 80 billion smart devices on the internet. Talk about a hacker’s gold mine.
Let’s explore some brief – but terrifying – examples from just the last few years, highlighted by IoT For All.
- Mirai Botnet malware brought down Twitter, The Guardian, Reddit, Netflix and CNN in 2016; insecure digital cameras and DVR players were used for the attack.
- In 2015, hackers hijacked a Jeep via the Sprint cellular network and learned they could control the car’s speed and direction.
- Then, of course, there’s the baby webcam scare of 2012, when it was discovered that faulty software let anyone who obtained a webcam’s IP address look and listens through it.
How to Manage Security in This New Wild West
We’ve learned from experience that end-users can’t be responsible for implementing security measures. If security requires users to take a cumbersome action, users will seek a workaround, putting the enterprise at risk. And with the rising rate of data, it’s too much for people to manage.
We’ve also learned that internal concerns are just as important as external. After all, 43 percent of security breaches happen internally, according to Intel. Some aren’t intentional, but some are. Senior executives have access to the most sensitive data that’s most at risk, and some have been known to cause data leaks or profit off them, such as in the case of Equifax.
On the other hand, unintentional internal breaches often stem from derivative works. For example, a common mistake is accidentally cutting and pasting secure information from one file or format into others, where it takes on a life of its own and is no longer secure.
Despite the many security challenges, enterprises are held to the fire as compliance requirements continue to heat up with HIPAA, PCI DSS, IFRS and others. Modern times call for modern security measures. We must think outside the box – or perimeter – and create a security approach based on the real world. How? We must encrypt everything at all times. We must take an opt-in approach. We must cover all data in all forms, including in derivative works.
It’s time we provide security that works the way employees do. We must make it transparent without changing the way they work or ask too much of them since any security measure that requires a user to change the way they work will likely fail.
A new, innovative approach is the only guarantee of true security. In today’s data-driven world, the stakes are too high for a data breach. And time is of the essence, as hackers are continually inventing new ways to steal data. We must take a strategic approach focused on the realities of cloud-first enterprises to stay ahead of threats.
About the author: Jeff Capone is the CEO and Co-Founder of SecureCIrcle, a leader in unstructured data security focused on data access governance and data loss prevention.