Three Reasons Companies Fail to Secure Cloud Data

Even with the major leaps made in recent years in the cloud and security industries, companies continue to make mistakes protecting data. From big bank data breaches to mobile malware, almost anyone can be compromised, on any device. There simply has to be a better way.

The first step is to understand the root causes of these data breaches. Cybersecurity Insiders is one of the most reliable sources for news and stories in the cybersecurity community. Recently they published their research into the security operations landscape with their 2019 Cloud Security Report, in partnership with (ISC)2. In the report, 72% of organizations experienced some cloud security incident in the past 12 months. 

Here are the main causes listed:

Exposed Data (27%)

By far the most frequent type of cloud security breach involves sensitive data being leaked or accessed by hackers. Typically, this is a backend issue where programmers or engineers fail to account for a certain feature or hole. Amazon, for instance, recently discovered that its Ring Video Doorbell Pro included a bug that allowed anyone to intercept the user’s home network. During the setup process, Wi-Fi network credentials could be leaked, as the device was not using Amazon’s cloud services or an encrypted channel. Despite learning about the issue back in July, Amazon deployed the patch only in early September.

Other times, the company is simply negligent in protecting user information. Facebook has developed a notorious reputation with user data and was implicated in the Cambridge Analytica scandal, which saw the information of millions of Facebook users shared with third-party companies. Recently the company was found to be storing passwords in plain text, which makes them easy for hackers to access and steal.

Malware Infection (20%)

Even though it’s 2019, malware continues to be as major a technological threat as it was in the early 2000s. In fact, malware today has only become smarter and stronger, using advanced techniques to evade detection. Last week alone, a new malware named QSnatch infected over 7,000 network-attached storage (NAS) devices in Germany. The malware was able to modify the operating system scripts, prevent future firmware updates, and steal usernames and passwords.

Malware can affect anyone from the most advanced government operations to the average web developer. Today, hackers are only getting smarter about how they bypass security and install malware on the latest firmware and technology. It’s vital to install some form of malware protection to at least cover the simplest malware.

Account Compromise (19%)

Closely behind malware infections is the compromise of user accounts. Back in 2014, Yahoo discovered a data breach that reportedly compromised 500 million user accounts. A year prior, another 1 billion accounts were compromised. The truth came out in 2017, when the company admitted the attacks totalled 3 billion user accounts, the largest data breach in history.

The problem isn’t limited to technology firms either. Earlier this month, Texas Health Resources, the largest faith-based health system in the state of Texas, filed 15 breach notifications. According to the report, a misconfiguration in the billing system led to the compromise of 82,577 patients. Any system that relies on accounts and passwords is prone to unauthorized access.

Protecting Your Company From The Same Pitfalls

Now that you have some understanding of the threats that affect modern infrastructure, you can take the necessary precautions to avoid the same issues. 

Conduct a thorough review of your existing cybersecurity strategy – This is not something to put off until next year. If you hold sensitive information of any kind, you owe it to your stakeholders and customers. A solid strategy begins with a detailed review.

Hire trustworthy security professionals – Don’t leave the hard work to the most tech-savvy person on the team. It’s best to get a true consultation from the experts. You may have to pay a premium, but that is the price of keeping your company safe and compliant.

Educate your team – Ignorance breeds carelessness, and carelessness invites security threats. Make sure each individual in your company understands the basics of protecting themselves and the data they handle. This means keeping software secure and locking down systems when not in use.

Destroy before disposal – One of the common ways companies are left at risk is by improperly disposing of old computers, servers, or storage equipment. They assume that throwing away a device means it cannot be accessed, but the reality is far different. Companies like Securis can ensure that your devices are properly disposed of and that your data is thoroughly destroyed.

Don’t leave the fate of your company’s sensitive data and information up to chance. Begin reviewing your cybersecurity strategy today. Consult Securis for more information.

The State of Cybersecurity in 2020

Just two weeks shy of the new year, the US Navy announced a ban on TikTok, the popular video sharing app. Following the ban, service members will no longer be allowed to download the app on government-issued smartphones. Pentagon spokesman Lieutenant Colonel Uriah Orland said that the move was to “address existing and emerging threats.” 

Stories like this are not uncommon, and government entities are beginning to take more drastic steps in protecting society.

The Navy’s ban underscores just one sphere of cybersecurity threats that continue to pervade everyday life. Let’s review the biggest trends to watch for as we begin the new year.

Mounting Regulation

In addition to the TikTok ban, states all over are implementing new legislation that encourages higher levels of cybersecurity or protects end-user data and information. In 2019, at least 43 states and Puerto Rico collectively introduced close to 300 cybersecurity-related bills or resolutions.

For example, starting January 1, 2020, California will begin enacting Assembly Bill No. 1906. The new law states that all connected device manufacturers must equip their devices with a “reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.” 2020 will see the enactment of more of these proposed bills as well as some brand new proposals.

Phishing Campaigns

Did you notice more fake emails this year from people claiming to be someone else? Just as people have wised up and cracked down on phishing emails, the people behind phishing campaigns have gotten smarter about their deception. They are able to collect far more private information, such as our browsing habits, our location, even the names of people close to us.

And much worse, their phishing tactics are no longer exclusive to email. Now, phishing via SMS and phone calls is growing in popularity. Based on a report by AIG, phishing is the top cyber insurance claim, accounting for almost one-quarter of all claims. 

Biometrics and “Passwordless” Authentication

In 2013, Apple introduced Touch ID, a smartphone unlocking mechanism that relied on reading the user’s fingerprint. In 2017, they added Face ID, a similar feature this time relying on facial recognition. And in 2019, more companies are beginning to implement some form of biometric or “passwordless authentication.”

HSBC, for instance, has already implemented a system that lets their customers verify their identity using “active” voice ID. Customers simply state “my voice is my password” during the call, and the system analyzes the user’s voice and matches it against a previously recorded voice print.

2020 will see more “passive” methods that offer more security. Instead of doing a voice print match, artificial intelligence will be able to process more natural, free-flowing speech, reducing the risk of impersonation or coercion. 

AI-Powered Defenses and Attacks

We’ve seen artificial intelligence in the medical industry, in entertainment, and soon we’ll see it in cybersecurity. 

On one side, we can see it predict and analyze malware and similar attacks with superhuman speed and precision. Already, 61% of enterprises say they cannot detect a breach without AI technology, and 48% say their AI cybersecurity budget will increase by an average of 29% next year. A single AI and a dedicated team can keep a company protected far more effectively than a whole division.

On the other hand, the same AI could counteract these security checks and develop a near-impossible-to-detect threat. Director of Strategic Threat at Darktrace, Marcus Fowler, believes that AI could make an attack as early as next year.

“If we haven’t seen it before we celebrate the arrival of the new year, 2020 undoubtedly holds the first AI-powered cyberattack,” Fowler said. 

Reimagining Third-Party Security

In-house security experts and engineers simply won’t cut it anymore. Third-party vendors are necessary in delivering a prime security experience. However, even third-party vendors are at risk.

There are a few reasons why. At times, vendors have non-stratified access to a business’s network, meaning there’s either total security access or none at all. Other times, companies are not privy to the access a vendor even has. Out-of-date policies and enforcement have also been listed as common causes of vulnerability.

Privileged access management will become more crucial. Vendors with privileged access will need to explain what they have access to and why they need it. Speedy identification of a vendor’s access, and of any compromise, will also be key to preventing critical attacks.

Demand for Talent Will Exceed Supply

The writing has been on the wall for some time, but cybersecurity professionals continue to be in short supply. As many as two in three organizations around the world report that they have a shortage of IT security staff.

In response, various IT tools are becoming indispensable parts of a cybersecurity strategy. These products can effectively allow a startup or team to manage various websites and applications’ security. 

Still, in 2020 it will become more important than ever to form a team of diverse experts across administrative, developer, and non-technical roles. Education should become a core part of the culture as new hires are brought on board.

Despite the many dangers, pitfalls, and nightmares of cybersecurity, the good news is that our technology continues to evolve and expand, allowing us to fight previous challenges with greater ease and efficiency.

The question now becomes whether companies are determined to stay vigilant on their cybersecurity efforts. Unlike other aspects of a business, cybersecurity is not something that can be set and forgotten. It requires continuous research, frequent updates and audits, and a hardened resolve to provide the highest quality protection. Companies that do not take this seriously may find themselves in an uphill battle for consumer trust.

If you need to improve your IT security, make sure you contact us today to find out how we can help.