Brian Pennington

A blog about Cyber Security & Compliance

Cloud Security

Are British Businesses over confident about the threat of data breaches?

Ilex International has launched its Breach Confidence Index. The Index is a benchmark survey created to monitor the level of confidence that British businesses have when it comes to security breaches. The Index shows high confidence levels:

  • 24% of IT decision makers surveyed are very confident that their business is protected against a data security breach
  • 59% are fairly confident that their business is protected against a data security breach

The Breach Confidence Index raises major concerns for British businesses. Businesses are not currently required to report security breaches and in many cases, may not even know that they have experienced one. The survey found that 49% said their business has not experienced a security breach. In comparison to actual statistics shared at the 2015 Cyber Symposium, there is a major gap between the perception and reality of security breaches among businesses.

According to the survey, the most common weaknesses resulting in a data breach were:

  • 22% malware vulnerabilities
  • 21% email security
  • 15% employee education
  • 12% cloud applications
  • 12% insider threats
  • 8% access control
  • 8% BYOD or mobile access
  • 6% non-compliance with current regulations

Weaknesses relating to identity and access management considerably increase as organisations expand their workforce. Some of the most common issues highlighted by large businesses include:

  • 44% insider threats
  • 42% employee education
  • 26% access control
  • 24% BYOD or mobile access

All figures in the Ilex International Breach Confidence Index, unless otherwise stated, are from YouGov Plc. Total sample size was 530 IT Decision Makers. Fieldwork was undertaken between 6th – 12th August 2015. The survey was carried out online.

Policy problems with cloud storage revealed by survey

UK companies are placing themselves at risk of cyberattacks and data breaches as a result of rampant use of cloud storage services and unclear or non-existent corporate policies, according to research released today by WinMagic Inc. The survey, conducted by CensusWide among 1,000 office workers in organisations of 50 or more employees, revealed that widespread, and often unilateral, employee use of cloud storage services could be leaving businesses with poor visibility of where their data is stored, placing potentially confidential data at risk.

Key Findings

  • 65% of employees don’t have or don’t know the company policy on cloud storage
  • 1 in 10 employees who use cloud storage services at least once a week have no confidence in the security of their data saved to and accessed from the cloud
  • Cloud storage use varies widely: 41% use cloud services at least once a week, whilst 42% never use these services at all
  • 1 in 20 employees who use cloud services at least once a week do so despite these services being restricted by their company
  • Of those who use cloud storage at least once a week, 35% used a company-sanctioned service and 43% were unaware of their employer’s policy on the use of these services
  • 50% of respondents use personal equipment to access work information and services at least once a week
  • 47% of employees use company-issued equipment at home at least once a week

Darin Welfare, EMEA VP at WinMagic, said: “This survey highlights the challenge businesses face when managing data security in the cloud. IT teams have had to cede a level of control as employees have greater access to services outside corporate control and this research indicates that IT must take additional steps to protect and control company data in this new technology landscape. The wide range of employee adoption of these services also means an additional layer of complexity when devising corporate policies and education programmes for the use of cloud storage services.”

Employees are increasingly accessing work documents and services outside the office, particularly among regular users of cloud storage. The survey revealed 70% of employees who use cloud storage at least once a week will also use work equipment at home at least once a week, significantly higher than the UK average of 47%.

The WinMagic survey highlights a clear disparity between employee use of cloud services and company IT policy, which suggests that businesses must increase focus on devising clearer security policies and better staff training programmes in order to minimise the risk for the business.

Darin Welfare added: “One of the key steps that any organisation can take to mitigate the risk from the widespread use of unsanctioned cloud services is to ensure that all company data is encrypted before employees have the opportunity to upload to the cloud. In the eventuality that the cloud vendor does not adequately put in place control mechanisms and procedures to ensure security across their infrastructure, sensitive and valuable corporate data is still encrypted and cannot be accessed and understood beyond those who have the right to. This approach provides the company with the assurance that the IT team is in control of the key and management of all company data before any employees turn to cloud storage services.”

“This survey should serve as a wake-up call for IT teams to focus resources on crafting the stringent security policies, and employee education programmes that will help the business stay secure. It also indicates that this is not something that is only down to employee behaviour. Businesses need better training for all staff on the potential dangers of cloud services. Businesses must catch up with the employee cloud revolution or risk potentially catastrophic data loss.”

The full press release can be found here.

In cloud environments, 75% of the security risk can be attributed to just 1% of users

Cybercriminals continue to focus their efforts on what is widely considered to be the weakest link in the security chain: the user. Consequently, developing a comprehensive understanding of user behavior and the implications thereof becomes paramount to corporate security strategy.

In analysing user behavior across 10 million users, 1 billion files, and over 91,000 cloud applications, CloudLock surfaced surprising trends.

In this report, CloudLock examines cloud cybersecurity trends across three primary dimensions: users, collaboration, and applications. The Pareto Principle, the “80/20” rule, holds true across all three dimensions, revealing a truth with surprising implications for security professionals.

Key Findings

  • Users: 1% of users create 75% of cloud cybersecurity risk, signalling abnormal user behavior, whether unintentional or malicious.
  • Collaboration: While organizations on average collaborate with 865 external parties, just 25 of these account for 75% of cloud-based sharing per organization. Unexpectedly, 70% of sharing occurs with non-corporate email addresses that security teams have little control over.
  • Apps: 1% of users represent 62% of all app installs in the cloud – a high concentration. Without security awareness, this small user base introduces a high volume of risk. Additionally, 52,000 installs of applications are conducted by highly privileged users – a number that should be zero, given that privileged accounts are highly coveted by malicious cybercriminals.

4 Actionable Takeaways for a more secure cloud environment

The findings of this report show disproportionate cloud cybersecurity risk across users, collaboration, and applications. Consider the four following risk remediation strategies.

1. Focus on the User Behavior

By focusing on the riskiest subset of users, security professionals can efficiently and dramatically reduce risk. Any abnormal behavior by data-dense and risky users should be prioritized, giving the security team valuable direction on what truly requires immediate attention and resolution.

2. Focus Security on Organizations You Collaborate With Most

Given that, on average, 75% of inter-organizational sharing is with 25 external organizations, focus on the frequent collaborative organizations to eliminate the bulk of risk, then address the long tail of remaining organizations.

3. Take Application Security beyond Discovery

Discovering third-party applications that reside on the network is only the tip of the iceberg. Elevate your security game beyond app discovery through enforcement capabilities, policy-driven app control, and end-user education. If users are blocked, they will find a way around.

4. Correlate Insights Across Cloud Environments

With multi-cloud intelligence, security teams can correlate security events across platforms, preventing cybercriminal exploits from slipping through the cracks. Consider an individual logging into Salesforce in San Francisco and ServiceNow in Kuala Lumpur using the same credentials simultaneously, indicating account compromise. Avoid point security solutions in favor of platforms offering multi-cloud insights across not only SaaS applications, but also IaaS, PaaS, and IDaaS environments.
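The scenario above (one identity active in Salesforce in San Francisco and in ServiceNow in Kuala Lumpur at the same time) is the classic impossible-travel check. As an added example that is not CloudLock's code, the following Python merges login events from two constructed audit logs whose formats are assumed, normalises the identity across both services, and flags any consecutive pair of logins that would require travel faster than an assumed 900 km/h ceiling.

```python
# Cross-cloud impossible-travel check (added example, not CloudLock's code).
# The sample log lines are constructed; their layouts are assumed and are not
# real Salesforce or ServiceNow export formats.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed


@dataclass(frozen=True)
class Login:
    user: str          # identity normalised to lower-case e-mail across platforms
    service: str
    when: datetime     # timezone-aware UTC
    city: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    user: str
    first: Login
    second: Login
    distance_km: float
    elapsed_min: float
    speed_kmh: float   # float('inf') when the two logins are simultaneous


# Constructed sample: a Salesforce-style CSV export (assumed layout)
SALESFORCE_LOG = """\
2015-05-01T09:00:00Z,alice@example.com,LoginEvent,San Francisco,37.7749,-122.4194
2015-05-01T09:00:00Z,bob@example.com,LoginEvent,London,51.5074,-0.1278
2015-05-01T08:00:00Z,carol@example.com,LoginEvent,San Francisco,37.7749,-122.4194
"""

# Constructed sample: a ServiceNow-style pipe-delimited export (assumed layout)
SERVICENOW_LOG = """\
2015-05-01 09:02:10|Alice@Example.com|login|Kuala Lumpur|3.1390|101.6869
2015-05-01 09:05:00|bob@example.com|login|London|51.5074|-0.1278
2015-05-01 14:00:00|carol@example.com|login|New York|40.7128|-74.0060
"""


def parse_salesforce(text: str) -> List[Login]:
    """Normalise the Salesforce-style lines; only LoginEvent rows are kept."""
    out = []
    for line in text.splitlines():
        ts, user, event, city, lat, lon = line.split(",")
        if event != "LoginEvent":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(Login(user.lower(), "salesforce", when, city, float(lat), float(lon)))
    return out


def parse_servicenow(text: str) -> List[Login]:
    """Normalise the ServiceNow-style lines; only login rows are kept."""
    out = []
    for line in text.splitlines():
        ts, user, action, city, lat, lon = line.split("|")
        if action != "login":
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        out.append(Login(user.lower(), "servicenow", when, city, float(lat), float(lon)))
    return out


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(logins: List[Login]) -> List[Alert]:
    """Merge logins from every service per user (the cross-platform step a
    point solution misses) and flag consecutive pairs that would require
    travelling faster than MAX_PLAUSIBLE_SPEED_KMH."""
    by_user: Dict[str, List[Login]] = {}
    for lg in logins:
        by_user.setdefault(lg.user, []).append(lg)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        for a, b in zip(events, events[1:]):
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            elapsed_h = (b.when - a.when).total_seconds() / 3600.0
            if elapsed_h == 0:  # simultaneous logins: impossible unless co-located
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / elapsed_h
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append(Alert(user, a, b, dist, elapsed_h * 60, speed))
    return alerts


def load_sample_events() -> List[Login]:
    return parse_salesforce(SALESFORCE_LOG) + parse_servicenow(SERVICENOW_LOG)


if __name__ == "__main__":
    for al in detect_impossible_travel(load_sample_events()):
        print(f"{al.user}: {al.first.service}@{al.first.city} -> "
              f"{al.second.service}@{al.second.city}, {al.distance_km:.0f} km in "
              f"{al.elapsed_min:.1f} min ({al.speed_kmh:.0f} km/h)")
```

Only alice is flagged: bob's two logins are from the same place, and carol's San Francisco to New York move over six hours is within the speed ceiling.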

Reaching the Cloud Era in the European Union

The EU28 Cloud Security Conference, “Reaching the Cloud Era in the European Union”, brought to the foreground the current cloud landscape. The aim of the conference was to bring together practitioners, academics and policy makers to discuss the level of cloud computing security in the context of current and future policy activities. The conference included presentations and panel debates on legal and compliance issues, technical advancements, privacy and personal data protection, critical information infrastructures and cloud certification.

During the conference the important role of cloud computing was acknowledged for the development of the digital economy in Europe. Cloud computing is becoming essential for users, including individual consumers, businesses and public sector organisations. However, recent figures indicate that users’ concerns on cloud security are still the main barrier to the adoption of cloud services in Europe.

Key conclusions highlight that:

  • There is a need to raise awareness and educate users and SMEs on cloud security, to encourage safe and responsible use of cloud services. “Informed customers” should be able to ask the right questions of providers and understand where their responsibilities lie, and SMEs should understand that they are co-responsible for the security of the cloud services provided. A risk assessment culture applicable to all should be nourished. Transparency of cloud services must be improved by the implementation of continuous monitoring mechanisms, increasing accountability through evidence-based assurance solutions, and certification, keeping in mind that one size does not fit all. Rapid, context-based information sharing of incidents within industry sectors will also enable collaborative information security able to respond quickly to the changing cybersecurity landscape.
  • There is a need for flexible policy approaches towards cloud security to allow further technological advancements. Within this framework co-regulatory and self-regulatory initiatives should be supported, and technology-neutral legal guidelines and obligations based on principles should be created, to allow for flexible solutions. Europe-wide solutions should be encouraged.
  • Data protection is an important element to be considered. Implementation of existing rules and techniques should be encouraged and this information should be shared.
  • Governmental clouds bring benefits to cloud security. There is space to strengthen cooperation and define clear procurement guidelines built on cooperation between industry and public sector. Furthermore, customised solutions based on the needs of each country and sharing of best practices can be encouraged.
  • Cloud benefits from an open market. Meanwhile discussions are required on security in relation to data location requirements, foreign jurisdiction and access to European data.
  • As cloud usage for critical sectors is increasing there is a need for elaborated security measures and specific risk assessment techniques addressing each critical sector’s needs.

Furthermore, cloud security was discussed in relation to the recent regulatory and policy initiatives, such as the ongoing data protection reform, the proposal for a Network and Information Security directive, cloud computing communication and the Digital Single Market strategy. There was consensus that further policy actions on cloud security could support trust and confidence in cloud services by addressing the key findings and issues deriving from the conference.

Shadow Cloud Services 20 Times More Prevalent than Sanctioned Cloud

Skyhigh Networks released its new “Cloud Adoption & Risk in the Government Report.” The Q1 2015 report reveals that shadow IT is prevalent in government agencies.

The average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect. Despite the security initiatives in place, such as FedRAMP, FISMA, and FITARA, many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.

“As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations.”

Despite clear benefits of cloud services Federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT. Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.

Understanding Shadow IT

The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7% of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82% of public sector organizations had behavior indicative of an insider threat.

Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3% achieved the highest CloudTrust Rating of Enterprise Ready. Only 10% of cloud services encrypt data stored at rest, 15% support multi-factor authentication, and 6% have ISO 27001 certification. Skyhigh Networks helps Federal agencies address these security gaps and gain control over shadow IT by providing unparalleled visibility, comprehensive risk assessment, advanced usage and threat analytics, and seamless policy enforcement.

Password Insecurity

Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31% of passwords are used in multiple places. This means that for 31% of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37% of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.

The Skyhigh “Cloud Adoption & Risk in the Government Report” reveals that 96.2% of public sector organizations have users with compromised credentials and, at the average agency, 6.4% of employees have at least one compromised credential.

Cloud Services in the Public Sector

Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services, such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services, including 2.9 content sharing services, 2.8 collaboration services, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services, the same services used by cyber criminals to inform watering hole attacks.

The report also reveals the top cloud services used in the public sector.

Top ten enterprise cloud services are:-
1. Microsoft Office 365
2. Yammer
3. Cisco WebEx
4. ServiceNow
5. SAP ERP
6. Salesforce
7. DocuSign
8. NetSuite
9. Oracle Taleo
10. SharePoint Online

Top ten consumer cloud services are:-
1. Twitter
2. Facebook
3. YouTube
4. Pinterest
5. LinkedIn
6. Reddit
7. Flickr
8. Instagram
9. StumbleUpon
10. Vimeo

The “Cloud Adoption & Risk in the Government Report” is based on data from 200,000 public sector employees in the United States and Canada.

Two thirds of British workers willing to breach data protection rules

Despite the risk to their employer of criminal proceedings and heavy fines, two thirds (66%) of UK workers would not report a serious data protection breach if they thought it would get one of their colleagues into trouble, according to recent research.

The study by telecoms and IT firm Daisy Group, which looked at data security risks, found that 13% of UK workers had disabled the password protection features on work laptops, mobiles, or tablet devices because they found them annoying. Of those who did have password protection, 36% said they didn’t change their passwords regularly, and 17% admitted their password was very simple and would be easy to guess.

Data security breaches

However, if asked by a third party to email a client or supplier’s personal details outside of the company, 56% said they wouldn’t and 19% said they would check with their boss before doing so. Still, 7% said that they would send the details without querying the request, as they didn’t think anyone would mind.

When asked if data security was an important issue for the company they worked for, 19% said they had no idea.

Cloud specialist Graham Harris explained: “When it comes to data security, all too often businesses focus purely on IT processes and forget about the staff that will be using them.

“As our research identified, human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force. Businesses must be proactive and educate their staff about what data security processes and policies there are, why they exist, what the staff member’s responsibilities are, and reassure them about what to do in the event of a problem.”


Estate agents and those working in the property industry were among the most likely to turn a blind eye to colleagues’ data security failings, with 71% saying they wouldn’t report a data security breach that would get a colleague into trouble. Those working in marketing were the most likely to raise the alarm.

Despite the potential risk of commercially-sensitive data theft, business management and professional services workers were the most likely to disable data security features on their mobile devices.

Mobile Device Management

The research was conducted to assess the demand among UK businesses for ‘mobile device management’. The new cloud-based technology gives organisations more control over smartphones and tablet computers by letting them remotely track and wipe the content of any lost or stolen devices, thereby ensuring the information remains confidential.

According to one statistic, 180,000 computing and communication devices were lost or stolen in the UK last year, but it is likely that the true figure is much higher as not all thefts are reported to the police.

Graham Harris explained: “It is important to ‘common sense’ test any security system. Procedures that are complicated or disrupt the working environment often result in employees finding ways to circumnavigate them or taking matters in their own hands. Similarly, it is important to plan for human error and problems, such as theft or loss of devices that carry important data, so that when they do occur, they can be dealt with quickly and effectively.”

The EU is currently in the process of reforming laws on Data Protection which, among other things, will require organisations to report data protection breaches to the relevant authorities within 24 hours. It is anticipated that the penalties for failure to comply will increase to as much as €100m. The legislation changes are expected to be in force by the end of 2018.

Enterprises have more than 2,000 unsafe mobile apps installed on employee devices

Veracode has released analytics from its cloud-based platform showing that, based on the mobile applications it assessed, the average global enterprise has approximately 2,400 unsafe applications installed in its mobile environment.

Based on an analysis of hundreds of thousands of mobile applications installed in actual corporate environments across various industries, including financial services, media, manufacturing and telecommunications, Veracode found 14,000 unsafe applications, of which:

  • 85% expose sensitive device data, including SIM card information such as phone location, call history, phone contacts, SMS message logs, device IDs and carrier information.
  • 37% perform suspicious security actions, such as checking to see if the device is rooted or jailbroken (which allows applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords); installing or uninstalling applications; recording phone calls; or running other programs.
  • 35% retrieve or share personal information about the user such as browser history and calendars, often sending sensitive information to suspicious overseas locations and allowing attackers to develop a complete profile of users and their social connections.

According to Gartner, “Through 2015, more than 75% of mobile applications will fail basic security tests.” At the same time, cybercriminals and nation-states are constantly looking to exploit insecure applications in order to steal corporate intellectual property, track high-profile individuals or insert aggressive adware for monetary gain.

This creates a challenge for enterprises that want to increase productivity and employee satisfaction by providing BYOD programs or corporate-owned devices. Modern MDM and enterprise mobility management (EMM) systems are designed to enforce corporate policies on managed devices, but need an automated and scalable mechanism for maintaining up-to-date information about thousands of unsafe apps that are constantly being added to public app stores around the world.

Existing approaches for addressing unsafe mobile apps, such as manually-curated blacklists, are difficult to scale because of the sheer size and constantly-changing nature of the problem. As a result, they either fail to keep up with mobile threats or frustrate employees by prohibiting apps for no reason.

“Many mobile apps are unsafe because they unknowingly access insecure third-party libraries and frameworks in the software supply chain – while other apps have been specifically designed to perform malicious actions,” said Chris Wysopal, Veracode co-founder, CISO and CTO. “Veracode’s automated cloud-based reputation service and MDM/EMM integrations were purpose-built to address the speed and scale required to effectively secure employee devices in global enterprise environments.”

Cloud usage is extending the perimeter of most organisations

CloudLock has produced an interesting report on how the use of the cloud and apps has extended the perimeter of most organisations.

CloudLock Executive Summary

The adoption of public cloud applications continues to accelerate for both organizations and individuals at an exponential rate, evidenced across the massive growth in the volume of accounts, files, collaboration, and connected third-party cloud applications.

The rapid surge of accounts, files, and applications presents increased risk in the form of an extended data perimeter. The adoption of cloud applications has significantly increased the threat surface for cyber attacks. Faced with this massive growth and the elevated risk, security professionals are looking to enable their organizations to embrace and leverage the benefits of cloud technologies while remaining secure and compliant.

“Sensitive data is moving to the cloud, beyond the protection of your perimeter controls. As this occurs, the amount of data, and, most importantly, the amount of sensitive or ‘toxic’ data the enterprise stores in these Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) platforms is increasing by the day – and regardless of its locations, S&R pros still need to protect it effectively.” Forrester Research (2015, March), Market Overview: Cloud Data Protection Solutions

CloudLock key findings and other findings

  • 100,000 files per organization represent risk. This is the number of files per organization stored in public cloud applications that violate corporate data security policy, amplifying the danger of exposing sensitive information.
  • 4,000 files per organization contain passwords. This is the number of files per organization stored in public cloud applications containing credentials to corporate systems, inviting cybercriminals to hijack corporate SaaS environments.
  • 1 in 4 employees violate security policies. This is the proportion of employees that violate corporate data security policy in public cloud applications, opening organizations to the risk of data breach and compliance concerns.
  • 45,000 third-party app installs were conducted by privileged users. Third-party cloud applications with access to privileged users’ accounts significantly elevate organizational risk.
  • 12% of an organization’s files are sensitive or violate a policy
  • 65% of security teams care about what type of sensitive data is exposed
  • 35% care about how or where it is exposed
  • 70% of corporate cloud-based external collaboration occurs with non-corporate entities
  • 77,000 third-party cloud apps touch corporate systems
  • 4x increase in the number of third-party applications enabled per organization, from 130 to 475. The total number of unique third-party cloud apps ballooned to 77,000, amounting to 2.5 million installs
  • 2% growth in third-party SaaS application installations performed by privileged users (administrators and super admins)

Information that organizations worry about most includes:

  • 59% Intellectual Property and Confidential Information
  • 19% PCI DSS data
  • 13% PII data e.g. social security numbers
  • 5% Objectionable content for CIPA compliance, e.g. curse words, harassment
  • 4% PHI/healthcare-related data such as medical conditions, prescription drug terminology, patient identification numbers, or compliance

CloudLock Methodology

CloudLock bases its findings on anonymized usage data over 2014 and 2015:

  • 77,500+ Apps
  • 750 Million Files
  • 6 Million Users

The full report can be found here.

Cloud Security: What Higher Education Needs to Know

by Ellucian

2015 Security Predictions


The full article can be found here.

The costs of a cloud data breach revealed.

A summary of the “Data Breach: The Cloud Multiplier Effect” survey from Ponemon, sponsored by Netskope, is below.

The survey reveals how the risk of a data breach in the cloud is multiplying. This can be attributed to the proliferation of mobile and other devices with access to cloud resources and more dependency on cloud services without the support of a strengthened cloud security posture and visibility of end user practices.

Ponemon surveyed 613 IT and IT security practitioners in the United States who are familiar with their company’s usage of cloud services.

  • 51% say on-premise IT is equally or less secure than cloud-based services
  • 66% of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information
  • 64% believe it makes it difficult to secure business-critical applications

A lack of knowledge about the number of computing devices connected to the network and enterprise systems, software applications in the cloud and business critical applications used in the cloud workplace could be creating a cloud multiplier effect. Other uncertainties identified in this research include how much sensitive or confidential information is stored in the cloud.

For the first time, Ponemon attempts to quantify the potential scope of a data breach based on typical use of cloud services in the workplace, or what can be described as the cloud multiplier effect. The report describes nine scenarios involving the loss or theft of more than 100,000 customer records and a material breach involving the loss or theft of high value IP or business confidential information.

When asked to rate their organizations’ effectiveness in securing data and applications used in the cloud:

  • 51% of respondents say it is low
  • 26% rate the effectiveness as high
  • Based on this lack of confidence, 51% say the likelihood of a data breach increases due to the cloud

Key takeaways from this research include the following:

Cloud security is an oxymoron for many companies.

  • 62% of respondents do not agree or are unsure that cloud services are thoroughly vetted before deployment
  • 69% believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud

Certain activities increase the cost of a breach when customer data is lost or stolen.

An increase in the backup and storage of sensitive and/or confidential customer information in the cloud can cause the most costly breaches. The second most costly occurs when one of the organization’s primary cloud services provider expands operations too quickly and experiences financial difficulties. The least costly is when the use of IaaS or cloud infrastructure services increases.

Certain activities increase the cost of a breach when high value IP and business confidential information is lost or stolen

Bring Your Own Cloud (BYOC) results in the most costly data breaches involving high value IP. The second most costly occurs when the backup and storage of sensitive or confidential information in the cloud increases. The least costly occurs when one of the organization’s primary cloud providers fails an audit concerning its inability to securely manage identity and authentication processes.

Why is the likelihood of a data breach in the cloud increasing?

Ideally, the right security procedures and technologies need to be in place to ensure sensitive and confidential information is protected when using cloud resources. The majority of companies are circumventing important practices such as vetting the security practices of cloud service providers and conducting audits and assessment of the information stored in the cloud.

The findings also reveal that 55% do not believe that the IT security leader is responsible for ensuring the organization’s safe use of cloud computing resources. In other words, respondents believe their organizations are relying on functions outside security to protect data in the cloud.

  • 62% of respondents do not agree or are unsure that cloud services are thoroughly vetted for security before deployment
  • 63% believe there is a lack of vigilance in conducting audits or assessments of cloud-based services
  • 69% of respondents believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud

There is a lack of confidence in the security practices of cloud providers

Respondents are critical of their cloud providers’ security practices. First, they do not believe they would be notified that the cloud provider lost their data in a timely manner. Second, they do not think the cloud provider has the necessary security technologies in place.

  • 72% of respondents do not agree their cloud service provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information
  • 71% of respondents fear their cloud service provider would not notify their organization immediately if they had a data breach involving the loss or theft of customer data.
  • 69% of respondents do not agree that their organization’s cloud service provider uses enabling security technologies to protect and secure sensitive and confidential information
  • 64% say these cloud service providers are not in full compliance with privacy and data protection regulations and laws

Lack of visibility of what’s in the cloud puts confidential and sensitive information at risk

The number of computing devices in the typical workplace is making it more difficult than ever to determine the extent of cloud use. According to estimates provided by respondents, an average of 25,180 computing devices such as desktops, laptops, tablets and smartphones are connected to their organization’s networks and/or enterprise systems.

Ponemon asked respondents to estimate the percentage of their organizations’ applications and information that is stored in the cloud. They were also asked to estimate the percentage of these applications and information that are not known, officially recognized or approved by the IT function (a.k.a. shadow IT).

30% of business information is stored in the cloud but of this, respondents estimate 35% is not visible to IT. This suggests that many organizations are at risk because they do not know what sensitive or confidential information such as IP is in the cloud.

What do employees do in the cloud?

  • 44% of employees in organizations use cloud-based services or apps in the workplace
  • 53% use their personally owned mobile devices (BYOD) in the workplace
  • 50% of these employees use their own devices to connect to cloud-based services or apps.

Do certain changes in an organization’s use of cloud services affect the likelihood of a data breach?

  • 17% say the use of cloud-based services significantly increases the likelihood of a material data breach
  • 34% say it increases the likelihood of a material data breach. Ponemon define a material data breach as one that involves the loss or theft of more than 100,000 customer records or one that involves the theft of high value IP or business confidential information.

Calculating the economic impact of a data breach in the cloud.

Ponemon calculate what it might cost an organization to deal with a data breach in the cloud involving customer records. These calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following four steps:

  • First, drawing upon Ponemon Institute’s most recent cost of data breach study, Ponemon determine a cost of $201.18 per compromised record.
  • Second, based on a data breach size of 100,000 or more compromised records in the survey and using the unit cost of $201.18 times 100,000 records, Ponemon calculate a total cost of $20,118,000.
  • Third, from the survey results Ponemon extrapolate the average likelihood of a data breach involving 100,000 or more records at approximately 11.8% over a two-year period.
  • Fourth, multiplying the estimated likelihood or probability of a data breach at 11.8% times the total cost of $20,118,000, Ponemon calculate a baseline expected value of $2.37 million as the average of what an organization would have to spend if it had a data breach involving customer records lost or stolen in the cloud.

Ponemon calculate what it might cost an organization to deal with a data breach in the cloud involving high value IP. Once again, these calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following steps:

  • First, drawing upon Ponemon Institute’s IT security benchmark database, consisting of 1,281 companies compiled over a 10-year period, Ponemon estimate an expected value of $11,788,000.
  • Second, based upon the estimates provided by respondents, Ponemon extrapolate the likelihood of a data breach involving the theft of high value information at 25.4%.
  • Third, multiplying the estimated likelihood or probability of a data breach at 25.4% times the total cost of $11.788 million, Ponemon calculate a baseline expected value of $2.99 million as the average economic impact for organizations in the study.

What can cost an organization the most when it has a data breach involving the loss or theft of IP? The most costly scenarios involve the growth in the number of employees using their own cloud apps in the workplace for sharing sensitive or confidential information (a.k.a. BYOC) and an increase in the backup and storage of IP or business confidential information in the cloud.

The average costs to deal with these two types of data breaches are $5.38 million and $4.93 million, respectively.

Private Cloud Security Keeps IT Up At Night


What IT Users and Business Users Think about Bring Your Own Identity (BYOID)

Ponemon Institute has released its CA Technologies sponsored study “The Identity Imperative for the Open Enterprise: What IT Users and Business Users Think about Bring Your Own Identity (BYOID)”.

They surveyed 1,589 IT and IT security practitioners and 1,526 business users, from organisations with more than 1,000 employees, in the United States, Australia, Brazil, Canada, France, Germany, India, Italy and the United Kingdom to understand current trends in Bring Your Own Identity or BYOID, which is defined as the use of trusted digital or social networking identities.

  • 74% of the IT users surveyed report to the CIO
  • 15% report to the CISO
  • 55% of the business users in this research report to the lines of business leader
  • 10% report to the marketing officer

The majority of respondents in both groups have high levels of interest in BYOID, but IT users and business user groups have different views about the perceived potential value of BYOID.

  • IT users view BYOID primarily for fraud reduction, risk mitigation and cost reduction
  • Business end users are more interested in how BYOID can streamline customer’s experience and assist in targeted marketing campaigns.

Some of these differences can be expected because of the different job responsibilities of each group. These differences do not necessarily portend conflict, but rather show the need for collaboration between IT and the business functions to yield maximum benefits for any organisation deploying a BYOID system. By developing a cross-functional BYOID strategy around several well-defined use cases, organisations can differentiate themselves from competitors and further grow their business.

Key findings of the study are:

The Application Economy Drives BYOID Interest

In today’s application economy, organisations need to securely deliver new apps to grow their business quickly. This can increase IT risks, which puts a premium on an organisation’s ability to simplify the user experience without sacrificing security. Using an existing digital or social identity issued by a trusted third party to access applications can help organisations meet the need for simplicity, security and a positive customer experience.

  • 67% of IT users say the primary value of BYOID is from strengthening the authentication process
  • 54% from reducing impersonation risk
  • 79% of business users believe the BYOID value comes from delivering a better customer experience
  • 76% believe it is from increasing the effectiveness of marketing campaigns

While IT sees value primarily in risk mitigation/cost reduction, business users see the value of BYOID in improving the consumer experience to increase customer loyalty and generating new revenue streams. This underscores the need for IT and business collaboration to address the challenge that today’s organisations face: how to secure the business while simultaneously empowering

Mobile and Web Users Drive BYOID

Today’s IT organisations must deliver secure access to a highly distributed and growing user population. These users expect to access information anywhere, anytime from multiple devices. This is changing how user identities should be managed and is affecting the demand for BYOID.

When IT practitioners and business users were polled on their level of interest in accepting identities for different user populations such as job prospects, employees, contractors, retirees, website customers or mobile customers, mobile and web customers received the most interest, far exceeding that of the other populations.

  • 50% of IT respondents and 79% of business respondents have very high or high interest in BYOID for website user populations
  • 48% of IT respondents and 82% of business respondents have very high or high interest in BYOID for mobile user populations

BYOID Requires Security Enhancements to Drive More Adoption

While the survey results indicate interest in BYOID from both IT users and business users, both groups identified features that could contribute to broader BYOID adoption.

When asked which features would most likely increase BYOID adoption within their organisation:

  • 73% of IT users name identity validation processes as a top feature
  • 66% name multi-factor authentication as the top feature
  • 71% of business users say both identity validation processes and simplified user registration are the most popular features for increasing adoption.

The study also indicates a high level of interest in some level of accreditation of the identity providers:

  • 59% of IT saying it is essential or very important
  • 21% saying it is important
  • 27% of business respondents say accreditation is essential or very important, and 48% believe it is important


Perspecsys surveyed 117 attendees of InfoSec Europe Conference 2014 on the opinions of security of their data stored in the cloud.

Key findings from the study include:-

  • 80% of InfoSec Europe attendees use some sort of cloud applications
  • 62% of organizations believe using a European based cloud is easier from a regulatory and compliance perspective
  • 51% of respondents claimed that they do not fully trust U.S. based clouds

Many IT departments do not trust U.S. based clouds:-

  • 47% believe their data is more secure contained in European based versus U.S. based clouds
  • 62% believe that negativity toward U.S. based clouds is justified, based on reports of the NSA having visibility into this data
  • 59% do not believe that European based government agencies conduct practices to the same extent as the NSA

See the Infographic here.

BYOD, Cloud and the Internet are the top areas of concern for security threats.

A Dell global security survey reveals “the majority of IT leaders say they do not view these threats as top security concerns and are not prioritizing how to find and address them across the many points of origin”.

Key findings of Dell’s research include:

  • 37% ranked unknown threats as a top security concern in the next five years
  • 64% of respondents agree that organizations will need to restructure/reorganize their IT processes, and be more collaborative with other departments to stay ahead of the next security threat. Of those surveyed in the United States, 85% said this approach is needed, contrasting with Canada at 45% followed by the U.K. at 43%
  • 78% in the United States think the federal government plays a positive role in protecting organizations against both internal and external threats, which underscores the need for strong leadership and guidance from public sector organizations in helping secure the private sector
  • 67% of survey respondents say they have increased funds spent on education and training of employees in the past 12 months
  • 50% believe security training for both new and current employees is a priority
  • 54% have increased spending in monitoring services over the past year; this number rises to 72% in the United States

Among the IT decision-makers surveyed, BYOD, cloud and the Internet were the top areas of concern for security threats.

BYOD. A sizable number of respondents highlighted mobility as the root cause of a breach, with increased mobility and user choice flooding networks with access devices that provide many paths for exposing data and applications to risk.

  • 93% of organizations surveyed allow personal devices for work. 31% of end users access the network on personal devices (37% in the United States)
  • 44% of respondents said instituting policies for BYOD security is of high importance in preventing security breaches
  • 57% ranked increased use of mobile devices as a top security concern in the next five years (71% in the U.K.)
  • 24% said misuse of mobile devices/operating system vulnerabilities is the root cause of security breaches

Cloud. Many organizations today use cloud computing, potentially introducing unknown security threats that lead to targeted attacks on organizational data and applications. Survey findings prove these stealthy threats come with high risk.

  • 73% of respondents report their organizations currently use cloud (90% in the United States)
  • 49% ranked increased use of cloud as a top security concern in the next five years; only 22% said moving data to the cloud was a top security concern today
  • In organizations where security is a top priority for next year, 86% are using cloud
  • 21% said cloud apps or service usage are the root cause of their security breaches

Internet. The significance of the unknown threats that result from heavy use of Internet communication and distributed networks is evidenced by:

  • 63% of respondents ranked increased reliance upon internet and browser-based applications as a top concern in the next five years.
  • More than one-fifth of respondents consider infection from untrusted remote access (Public Wifi) among the top three security concerns for their organization
  • 47% identified malware, viruses and intrusions often available through web apps, OS patching issues, and other application-related vulnerabilities as the root causes of breaches
  • 70% are currently using email security to prevent outsider attacks from accessing the network via their email channel

76% of IT leaders surveyed (93% in the United States) agree that to combat today’s threats, an organization must protect itself both inside and outside of its perimeters.

The full Dell report can be found here.

Challenges to maintaining a strong security posture

A very interesting piece of research by the Ponemon Institute on behalf of the security vendor Sophos. A summary of the study is below.

Cyber security is often not a priority

  • 58% of respondents say that management does not see cyber-attacks as a significant risk
  • 44% say a strong security posture is not a priority.
  • Those two findings reveal the difficulty IT functions face in securing the necessary funding for skilled personnel and technologies. As evidence, 42% of respondents say their budget is not adequate for achieving an effective security posture.
  • While an organization’s IT leaders often rely on the need to comply with regulations to make their case for IT security funding, 51% of respondents say compliance does not lead to a stronger security posture. More important is obtaining management’s support for making security a priority.

Senior management rarely makes decisions about IT security

Who is responsible for determining IT Security Priorities?

  • 32% CIO
  • 31% no one

Lack of in-house expertise hinders the achievement of a strong security posture

  • Organizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities. Only 26% of respondents say they have sufficient expertise, with 15% not sure. On average, three employees are fully dedicated to IT security.

Security threats and attacks experienced

“Did our organization have a cyber-attack? I don’t really know.” When asked if they were attacked in the past 12 months

  • 42% of respondents say they were
  • 33% (one third of respondents) are unsure if an attack has occurred in the past 12 months
  • Of the 42% who say an attack occurred, it was most likely the result of phishing and social engineering, denial of service and botnets, and advanced malware/zero day attacks.

Data breach incidents are known with greater certainty

More respondents can say with certainty that a data breach occurred in their organization. For purposes of the research, a data breach is the loss or theft of sensitive information about customers, employees, business partners and other third parties. 51% say their organization experienced an incident involving the loss or exposure of sensitive information in the past 12 months although 16% say they are unsure.

More than half of respondents say their organization has had a data breach

  • 51% cite a third-party mistake or a negligent employee or contractor as the cause
  • 44% cannot identify the root cause.

Most organizations say cyber-attacks are increasing or there is no change

  • 76% of respondents say their organizations face more cyber-attacks or at least the same
  • 18% are unable to determine

Most organizations see cyber-attacks as becoming more sophisticated

  • 56% say cyber-attacks are more sophisticated
  • 45% say they are becoming more severe
  • 28% of respondents are uncertain if their organizations are being targeted
  • 25% are unsure if the attacks are more sophisticated
  • 23% do not know if these attacks are becoming more severe.

The research reveals there is often confusion as to what best describes advanced persistent threats (APT). When asked to select the one term that best fits their understanding, only one-third of respondents say they are recurrent low profile targeted attacks but the same percentage of respondents are not sure how to describe them. As a result, there may be uncertainty as to what dedicated technologies are necessary for preventing them.

Disruptive technology trends

The cloud is important to business operations

  • 72% of respondents do not view security concerns as a significant impediment to cloud adoption within their organizations
  • 77% say the use of cloud applications and IT infrastructure services will increase or stay the same
  • 39% of their organization’s total IT needs are now fulfilled by cloud applications and/or infrastructure services

The use of cloud applications and IT infrastructure is not believed to reduce security effectiveness

  • 45% of respondents say the cloud is not considered to have an effect on security posture
  • 12% say it would actually diminish security posture
  • 25% of respondents say they cannot determine if the organization’s security effectiveness would be affected

The use of mobile devices to access business-critical applications will increase

  • 46% of an organization’s business-critical applications are accessed from mobile devices such as smart phones, tablets and others.
  • 69% of respondents expect this usage to increase over the next 12 months.

While respondents do not seem to be worried about cloud security, mobile device security is a concern.

  • 50% of respondents say the use of mobile devices diminishes an organization’s security posture
  • 58% say security concerns are not stopping the adoption of tablets and smart phones within their organization.

BYOD also affects the security posture

  • 26% of mobile devices owned by employees are used to access business-critical applications.
  • 70% of respondents either expect their use to increase or stay the same
  • 71% say security concerns do not seem to be a significant impediment to the adoption of BYOD

BYOD is a concern for respondents

  • 32% say there is no effect on security posture
  • 45% of respondents believe BYOD diminishes an organization’s security effectiveness.

Effectiveness of security technologies

The majority of respondents have faith in their security technologies

  • 54% of respondents say the security technologies currently used by their organization are effective in detecting and blocking most cyber attacks
  • 23% are unsure

Big data analytics and web application firewalls are technologies growing in demand

Today, the top three technologies in use are:

  1. Antivirus
  2. Client firewalls
  3. Endpoint management

They are likely to remain the top choice over the next three years. The deployment of certain technologies is expected to grow significantly. Investment in big data analytics and web application firewalls will see the greatest increases (28% and 21%, respectively). These technologies are followed by: endpoint management (19% increase), anti-virus and next generation firewalls (both 15% increase) and network traffic intelligence and unified threat management (both 14% increase). The percentage of respondents who say they use IDS and SIEM technologies decreases slightly (6%) over the next three years.

The cost impact of disruptions and damages to IT assets and infrastructure

Damage or theft to IT assets and infrastructure are costly

  1. The cost of damage or theft to IT assets and infrastructure
  2. The cost of disruption to normal operations

The estimated cost of disruption exceeds the cost of damages or theft of IT assets and infrastructure.

Using an extrapolation, Ponemon compute an average cost of $670,914 relating to incidents to their IT assets and infrastructure over the past 12 months. Disruption costs are much higher, with an extrapolated average of $937,197.

The uncertainty security index

The study reveals that in many instances IT and IT security practitioners participating in this research are uncertain about their organization’s security strategy and the threats they face. Specifically, among participants there is a high degree of uncertainty about the following issues:

  • Did their organization have a cyber-attack during the past year?
  • Did their organization have a data breach? If so, did it involve the loss or exposure of sensitive information?
  • Are the root causes of these data breaches known?
  • Are the cyber-attacks against their organization increasing or decreasing?
  • Have exploits and malware evaded their intrusion detection systems and anti-virus solutions?
  • Do they understand the nature of advanced persistent threats (APTs)?
  • Is the use of BYOD to access business critical applications increasing and does it affect their organization’s security posture?
  • Is the use of cloud applications and/or IT infrastructure services increasing and does it affect the security posture?

Uncertainty about how these issues affect an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies. Based on the responses to 12 survey questions, we were able to create an “uncertainty index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to 1 (no uncertainty).

U.S. organizations have the highest uncertainty index. This is based on the aggregated results of respondents in the following countries and regions: US, UK, Germany and Asia-Pacific. With an uncertainty score of 3.8, organizations in Germany seem to have the best understanding of their security risks.

Smaller organizations have the most uncertainty. Those organizations with a headcount of less than 100 have the most uncertainty. This is probably due to the lack of in-house expertise. As organizational size increases, the uncertainty index becomes more favourable.

An organization’s leadership team has the most uncertainty. This finding indicates why IT and IT security practitioners say their management is not making cyber security a priority. Based on this finding, the higher the position the more removed the individual could be in understanding the organization’s risk and strategy.

Retailing, education & research and entertainment have the highest uncertainty. The level of uncertainty drops significantly for organizations in the financial services and technology sectors. The high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.

The five cloud personas

NTT Integralis have produced a report highlighting the acceptance of Cloud Solutions. The full report can be found here.

The report characterises organisations as fitting five cloud ‘personas’ defined by their level of enthusiasm for cloud computing and maturity of adoption.

Ranging from Embracers at one end of the scale (very active in new technologies for over three years) to ‘Controllers’ at the other (characterized by their lack of cloud deployments), the personas also include Accepters, Experimenters and Believers.

The five cloud personas

  1. The Embracer – using cloud for 3+ years, very active in seeking out new technologies, dedicates over half budget and is very likely to see an increase in revenues and profits from cloud
  2. The Believer – very likely to actively seek out new technologies and to have moved the majority of services into the cloud over the next year. Critical to the deployment of services with a third of budget allocated
  3. The Experimenter – likely to experiment with new technologies and to move the majority of services into the cloud in the next year. Used in half or more departments with a quarter of budget dedicated to cloud
  4. The Accepter – adopted cloud in the past two years and most likely to adopt technology when there is a clear business case. Cloud is not central to IT strategy
  5. The Controller – least likely to be using cloud and emerging technologies, more reliant on data centres. Cloud is not currently part of their IT strategy

For them to have completed the survey the respondents must have at least understood the concept of the “Cloud” which is a step in the right direction.

3 simple tips to improve security in the cloud

In Sophos’s 2013 Security Threat Report they provided 3 tips on how to be more secure when using the cloud.

The tips are simple but straight to the point so I thought I would share them.

  1. Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits.
  2. Use application controls to block or allow particular applications, either for the entire company or for specific groups.
  3. Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronized, you have full control of the safety of your data. You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else. Should your web key go missing for some reason, maybe the user simply forgot the password, the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.
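The third tip, encrypting on the managed endpoint before anything is synchronised and keeping the keys inside the enterprise, in working form. This is an added example written for this post, not code from Sophos or from any product the report mentions; the in-memory KeyStore, the key ID "finance-2013", the file names and the sample file contents are all assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for the enterprise-held key service the tip describes:
// keys are generated and kept inside the organisation, so the cloud storage
// provider only ever receives ciphertext. Hypothetical and in-memory here; a
// real deployment would back this with an HSM or key management service.
type KeyStore struct {
	keys map[string][]byte // key ID -> 32-byte AES-256 key
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: make(map[string][]byte)}
}

// CreateKey generates a fresh random AES-256 key under the given ID.
func (ks *KeyStore) CreateKey(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[id] = key
	return nil
}

// Lookup returns the key for an ID; unknown IDs are refused. The "central
// keys for authorised users or groups" rule from the tip would be enforced here.
func (ks *KeyStore) Lookup(id string) ([]byte, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key not found or caller not authorised: " + id)
	}
	return key, nil
}

// Envelope is the object actually synchronised to cloud storage: the key ID as
// metadata, the GCM nonce, and the ciphertext with its authentication tag.
type Envelope struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// aeadFor fetches the key for keyID from the store and builds an AES-256-GCM AEAD.
func aeadFor(ks *KeyStore, keyID string) (cipher.AEAD, error) {
	key, err := ks.Lookup(keyID)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload encrypts file contents on the client before any upload.
// The file name is bound as associated data, so an envelope that is renamed
// or swapped for another file's blob on the provider side will not open.
func EncryptForUpload(ks *KeyStore, keyID, filename string, plaintext []byte) (*Envelope, error) {
	aead, err := aeadFor(ks, keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(filename))
	return &Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptAfterDownload recovers the file for an authorised user. Any change to
// the ciphertext, the nonce or the bound file name makes the GCM tag check fail,
// so a compromised provider can neither read nor silently alter the file.
func DecryptAfterDownload(ks *KeyStore, env *Envelope, filename string) ([]byte, error) {
	aead, err := aeadFor(ks, env.KeyID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(filename))
}

func main() {
	ks := NewKeyStore()
	if err := ks.CreateKey("finance-2013"); err != nil {
		panic(err)
	}
	// Constructed sample file contents; not data from the report.
	env, err := EncryptForUpload(ks, "finance-2013", "q3-forecast.xlsx", []byte("constructed sample spreadsheet"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d ciphertext bytes under key %s\n", len(env.Ciphertext), env.KeyID)
	pt, err := DecryptAfterDownload(ks, env, "q3-forecast.xlsx")
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
}
```

The provider sees only the Envelope, never the key, which is what lets the organisation choose any storage service and survive a provider-side breach; the Lookup step is where group-based access and the "security officer can recover the key" case from the tip would be implemented.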


Based on an ISC2 survey, PraetorianGuard have produced an excellent Infographic on Information Security in the workforce.

Q&A on Information Security Workforce
