The unprecedented shock to world markets in the wake of the COVID-19 pandemic will likely permanently change the way we work. Millions must work from home, and businesses are scrambling to find ways to maintain productivity.
The shift to utilising a completely remote workforce has been relatively seamless for some companies and utterly chaotic for others. Adding to the chaos, cybercriminals are targeting organisations of all types with coronavirus-related phishing campaigns and other types of malware. Most companies cannot afford to fall victim to a cyberattack in the current business environment, which is why prioritising your cloud security risk assessment has never been more important.
Surging into the cloud
The rapid opening of cloud configurations to enable remote workforces is happening — because it must happen. Some organisations are better positioned from a people, process, and infrastructure perspective than others and are taking more responsible approaches to setting up fully remote cloud-based infrastructures. Unfortunately, others don’t know where to start, don’t completely understand the threats that come with a haphazard cloud migration, or lack the people, processes, and infrastructures to do so in a way that maintains or enhances their security postures.
Among the Fortune 500 and other global organisations, the companies that are perhaps most resilient to future attacks are those that have already suffered — think Capital One, Target, Experian, and other victims of high-profile data breaches. Large public breaches tend to drive the investment and prioritisation required to emerge with an improved security posture afterwards. Companies large and small — in nearly every industry — that have already paid high prices for letting data fall into the wrong hands are typically eager to ensure that it doesn’t happen twice.
Others don’t know what they’re missing. In particular, executives who haven’t closely followed these cyberattacks might mistakenly assume that all were carried out by shadowy hacking organisations or malevolent foreign governments. The reality is that many were caused by the ignorance or animosity of internal actors. In the aforementioned Capital One case, for instance, it was purportedly an Amazon Web Services employee who created a tool to exploit cloud misconfigurations and steal data from the bank and dozens of other organisations.
Whose fault is it, anyway?
When it comes to accountability in the cloud, service providers like Amazon and users like Capital One have operated according to what many call the “shared responsibility model.” In short, the former handles infrastructure security and the latter handles configuration of the tools and resources being purchased.
Unfortunately, many users don’t have the knowledge or skills to effectively handle their end of the bargain, and many more don’t even know what their end of the bargain entails. That’s why firms like Gartner predict that 95% of cloud security issues will be the fault of users. Without a proper, periodic security risk assessment program in place, misconfigurations become far more likely. Of course, that doesn’t mean that providers will be immune to repercussions.
A recent lawsuit in California, Barnes v. Hanna Andersson, LLC, is significant for a couple of reasons. For starters, it’s possibly the first data breach class action ever filed that alleges violations of the recently enacted California Consumer Privacy Act. Moreover, the suit names Salesforce as a co-defendant alongside Hanna Andersson, a high-end children’s clothing retailer. Regardless of the outcome, the case suggests that the shared responsibility model needs to be reevaluated and shows that new legislation can and will be used to prosecute companies that don’t properly secure customer data.
The time is now
Most cloud service providers — and particularly Salesforce — do a great job of building several layers of security into their platforms. However, tools like Salesforce can become significantly more complex as you tailor them to meet your specific business needs. Their potential for customisation virtually begs developers to tinker with and build on top of them, but without the aforementioned periodic security reviews by personnel or providers with critical security expertise, misconfigurations are likely. That leaves your entire network vulnerable.
Furthermore, these platforms often make it ridiculously easy to store highly sensitive data, and just as easy for internal employees to access it — far too often that access privilege is unintentional. If you haven’t completed a thorough security risk assessment, perhaps because you’re too busy trying to predict how the new coronavirus will impact your business next, you may find yourself dealing with another crisis sooner rather than later. With that in mind, here are the three biggest reasons for completing your assessment quickly.
1. You don’t know what you don’t know. Many technology leaders aren’t even aware of what data they’re storing in cloud-based platforms. If you don’t know what you have to lose, it is not possible to assess the adequacy of the security controls that protect it.
2. Compliance is here. Even companies in industries that aren’t highly regulated will be held accountable by far-reaching domestic legislation like the General Data Protection Regulation and a growing list of international regulations. Three states in America (California, Maine, and Nevada) have passed data privacy legislation, and 15 others have introduced bills that seek to protect consumer data.
3. Internal breaches happen. You might trust your employees like family, but that doesn’t mean they need access to your company’s most valuable data. A thorough risk assessment that includes a review of your authentication model allows you to identify who has access to what information and what they can do with it.
The goal of any security risk assessment is to identify threats and vulnerabilities, the potential costs of leaving them unaddressed, and the likelihood of adverse effects. All cloud-based tools come with some level of risk, though not all come equipped with the same levels of built-in security. Your security assessment should be tailored to the technology you’re using. Understand the differences between software as a service, platform as a service, and infrastructure as a service, and then apply the right assessment to the right environment.