By Rich Turner, SVP EMEA, CyberArk
Cyber-criminals are motivated by a variety of different things. Some want to spy, some want to disrupt, and some want to steal. Their targets cover the entire spectrum, from individuals right up to nation-states. But of all victim types, large firms are the most frequent target of cyber-attacks, according to a 2020 report by Verizon. It’s not hard to see why.
Large businesses have large amounts of money flowing through them which, according to the same report, is a cyber-criminal’s most common motive. But corporates also hold other assets which can be monetised: greater and greater volumes of sensitive data and information. So it’s not surprising that 70% of all data breaches recorded by Verizon involved large organisations.
While the pandemic continues to change the way we work, how can IT teams at corporates protect their networks this year?
- Make cloud security a priority
There’s already plenty of conversation about whether the cloud will reach its peak this year. It’s easy to see why, given 92% of organisations’ IT environments are to some extent already in the cloud, according to an IDG report, and COVID-19 has accelerated cloud migration plans.
But all change, good or bad, brings new dynamics and new sets of diverse challenges with them. Cloud is no exception.
An increased attack surface is one of the implications of the complex nature of the cloud. When traditional network perimeters are removed, the question of accountability must be asked. Whose responsibility is it to secure data hosted in the cloud? Is it the cloud providers? Or the customers?
Misconfiguration of account privileges is one of the most common consequences of this misunderstanding and, by extension, one of the leading causes of data breaches. When default credentials aren’t reviewed, excessive permissions can allow standard users unnecessary access to sensitive data.
AI-powered automated tools that review user permissions and privileges can be of great use to IT teams trying to overcome this problem. They provide both a quick and effective way of discovering accounts with excessive privileges and removing any superfluous permissions for specific users.
- Secure third-party contractors
Research carried out last year discovered that 25% of British businesses use over 100 third-party vendors. Whether consulting services or supply-chain managers, outsourcing internal functions has become commonplace.
Many of these third-party services require access to internal resources and data to fulfil their obligations. Our research found that 90% of businesses allow third parties to access critical internal resources – sensitive assets that if disrupted or stolen would cause significant harm to the organisation.
This presents a problem for IT teams because responsibility for security is then passed to your third party partner. You may be able to trust your own security measures, policies and protocols, but can you trust theirs?
In fact, last year the flexible office space firm, Regus, suffered a breach due to this exact situation, with detailed employee performance information being leaked via a third party vendor. Regus had hired a vendor to audit its staff. The vendor’s security measures were weak and the data breach was discovered in an investigation by the Telegraph. The impact an event like this has on reputation, as well as a company’s finances, is deep.
This example is a warning to any business using third-party vendors. The privileged accounts of all external operators must be constantly managed and monitored. They must be secure, structured, and multi-levelled, granting third parties enough access to carry out their jobs without putting the firm at risk of a punishing data breach.
Advanced Security-as-a-Service packages are well worth consideration for businesses hoping to ease the burden of monitoring and management on their IT team.
- Make education part of security policy
The most evident challenge of 2020 was the transition into home offices from the traditional corporate workplace. IT teams were thrown into a maelstrom of consumer technology trying to connect to corporate data and assets. Whether via an employee’s Wi-Fi router or their personal laptop, the huge number of new devices introduced posed varying security risks.
This challenge will only continue in 2021. With the UK still under lockdown, a year in which we all work from home to a greater or lesser extent is easy to envisage. This way of working will have to be managed.
The approach many businesses take to this challenge adds to the problem. Far too many businesses are over-reliant on security policies to keep bad threat actors out of their networks. These are almost never enough by themselves. In fact, our December research found over 50% of UK employees ignore corporate security policies and in fact, actively take steps to circumvent them. More must be done.
A lack of user-friendly processes is a common reason security policies are not followed. Businesses may recognise the importance of security, but the processes implemented are too difficult for employees to use, creating friction in the user experience. In the end, people find shortcuts in the pursuit of efficiency and ease of use.
A balance must be struck to address this problem. Employees must first be educated on the importance of adhering to security policies, but in turn, IT teams must adopt tools and processes that help minimise disruption to the wider business.
Widescale cloud adoption, a proliferation of third-parties in the corporate ecosystem and remote work will continue to drive a shift in security. The landscape is never constant and will always change, but by following these tips, your corporate network will be better prepared to nullify incoming attacks.