Toward the end of 2019, information security professionals were inundated with op-eds, whitepapers, and water cooler conversations concentrated on cybersecurity predictions for 2020. Understandably, few foresaw a global pandemic that would shift over 75% of work in North America to be performed remotely. Instead of chasing new wild geese, security teams should take this time to refocus on the basics: cyber hygiene.
Basic Cyber-hygiene: if not now, then when?
As we’re navigating the security challenges of our increasingly remote workforces, I’ve observed a new trend in cybersecurity thought leadership. Our industry is flooded with articles concerned with the threat campaigns targeting cloud services and the complexities of properly defending our cloud ecosystems from threat actors. Indeed, these are important concerns that I don’t intend to downplay. But the endeavor to secure our enterprises’ data on cloud services is not a new one—cybersecurity professionals have been tasked with this duty for years.
What I believe will be key to overcoming the risks presented by our newly remote workforces is a steady commitment to some basic cyber hygiene. I encourage CISOs and their teams to resist the temptation to hyper-fixate on threat campaigns against the cloud, as these fixations draw their attention away from the block-and-tackle security practices they know better than to neglect.
I’m reminded of my time in the FBI’s cyber intelligence program, during which many conversations I was having with cybersecurity executives too often drifted toward anxieties about nation-state attacks and zero-day vulnerabilities. I didn’t want my enterprise colleagues to disregard these risks, but I urged them not to lose sight of the lapses in fundamental security best practices that were bound to expose them to greater risk over time.
Cyber-efficiency: bet on education, training, and policy enforcement
Both then and now, education, training, and policy enforcement should remain high on security leaders’ priority lists. This advice may not be in vogue in today’s news cycle. But consider how misguided your cybersecurity efforts may be if you’re preoccupied with potential threat campaigns against your cloud environments while your employees lack basic data security awareness and remain unconstrained because protocols are lax.
Even during this rapid expansion of our remote workforces, CISOs should still be asking themselves these essential questions: Am I dedicating enough resources to my employees’ IT training? Are my third-party suppliers, partners, and vendors (most of which have seen their own workforces move remote) properly educated and prepared to protect my data? Do I have the wherewithal to enforce our security policies across our workforce?
Again, I don’t want to ignore the importance of our cloud ecosystems. Forecasts suggest that 85% of businesses will have the majority of their workloads in the cloud by the end of 2020. But instead of concentrating on threat actors targeting the cloud, ask how much you’re doing to address your employees’ negligent use of cloud services. Do my employees know how to safely use the cloud containers and cloud storage devices we offer to them? Am I putting my sensitive data in the hands of employees and third parties that don’t understand how to properly configure these services?
Focus where you can have the greatest impact
CISOs and other information security professionals won’t be the only ones asking these questions. Their CEOs and boards will be as well. A negligent employee or contractor is estimated to be the most common root cause of security incidents, costing their employers an average of $307,111 per incident. The data leaks that result from poor cyber hygiene are as much a business concern as they are a security concern. And all cybersecurity executives should be able to explain to their leadership how their organizations are preparing for these vulnerabilities.
Before dedicating too much of their valuable attention to the latest threat campaigns, cybersecurity teams should start where they can have the greatest impact: ensuring their employees and third parties are well prepared to use IT services in accordance with security policies. Cybersecurity executives must then take responsibility for verifying that their workforce hasn’t exposed sensitive data on any of the perimeters they touch. Now is the time to ask: Can I confirm the cloud containers my employees use are configured correctly? Do I know of all the services and devices my workforce is storing data on? What information are my employees putting on Google Drive, OneDrive, or Dropbox? Is my organization’s data exposed through my employees’ home network devices?
Nothing beats an educated workforce and enforceable cybersecurity policies
Helping information security teams answer these questions is how CybelAngel makes its greatest impact on customers. Because CybelAngel detects exposed data across cloud services, connected storage, and open databases, enterprises use CybelAngel to locate exactly where their workforce has leaked information. And by reducing time to awareness by over 70%, CybelAngel enables CISOs and their teams to remediate data leaks before they become full-blown breaches.
An educated workforce and enforceable cybersecurity policies will be paramount to overcoming the security challenges presented by this global pandemic. But when sensitive information inevitably makes its way onto exposed cloud storage or an unsecured connected device, CybelAngel stands ready to keep you informed of it. It would be our privilege to provide you with an Initial Exposure Report and to demonstrate how we can help you better protect your enterprise during this difficult time.