Without appropriate guardrails in place, businesses face heightened data exposure risks on the cloud.
In its 2023 Google Scanner Report, data security firm Metomic reveals that 42 per cent of approximately 6.5 million Google Drive files scanned were found to contain sensitive data that could put an organisation at risk of a data breach or cybersecurity attack. These data include employee data and spreadsheets containing passwords.
The rise of generative AI, machine learning, and other advanced cloud services has opened up new avenues for threat actors, presenting a wealth of valuable assets – such as sensitive and business critical data – to target.
Rich Vibert, CEO and founder of Metomic, identifies three common mistakes organisations make in protecting their data in cloud environments:
- Not using multi-factor authentication (MFA), which can leave SaaS apps vulnerable to unauthorised access
- Overly broad access permissions which result in employees gaining excessive access to folders and sensitive assets, thereby increasing the risk of data leaks
- Prolonged retention of sensitive data, which amplifies the potential for exposure and misuse
Companies that want to fully leverage the potential of the cloud should prioritise risk management and controls early in their cloud initiatives. This involves integrating risk considerations into the cloud planning process from the outset and establishing robust controls to protect data and applications. Neglecting this crucial step can result in dire consequences, including data breaches, business interruptions, regulatory violations and fines, and costly budget overruns. What’s worse, organisations may fail to realise the expected business value from their cloud investments.
Safeguarding data
In August this year, US-headquartered car rental giant Avis, which has over 10,000 rental locations worldwide, was hit by a data breach. It affected nearly 300,000 individuals, including over 34,000 residents in Texas. Customer information that was compromised includes names, addresses, email addresses, phone numbers, driver’s licence numbers, and even credit card details.
As of now, Avis has yet to reveal the full extent of the damage or how exactly the hackers managed to pull this off. While the company scrambles to do damage control, questions remain: Why was this sensitive data stored in such a vulnerable way? And what steps were – or weren’t – taken to protect it?
We’ve all heard the saying: “It is not a matter of if, but when.” Data protection needs to be top of mind for every business because a breach is not just a technical issue; it is a financial and reputational nightmare. When a company suffers a breach, it risks losing customer trust, facing regulatory fines, and suffering massive financial losses. For individuals whose personal information is exposed, the consequences can be even more devastating. Suddenly, their data is out in the open for cybercriminals to exploit, leading to identity theft and potentially fraudulent charges.
At the end of the day, it is up to organisations to step up and take responsibility for protecting the data they handle. They are the gatekeepers of personal information, and it’s their job to make sure it stays secure.
A proactive approach
So how can companies prevent data breaches? One way is through data breach prevention. Unlike data loss prevention, which focuses on preventing sensitive information from leaving the organisation’s security perimeter, this approach aims to secure data both internally and externally, whether at rest or in motion.
Think of data loss prevention like a guard at the door, making sure sensitive information doesn’t leave the company’s walls. Its goal is to keep data from slipping out, whether intentionally or accidentally.
On the other hand, data breach prevention is an active process – it safeguards sensitive information through continuous monitoring and assessment. This involves real-time, ongoing assessment of an organisation’s systems, networks, and data to promptly detect and respond to potential security threats, vulnerabilities, or anomalies.
Data breach prevention recognises the reality of today’s digital landscape, where traditional network perimeters are no longer enough. With the rise of remote work, cloud computing, and the explosion of connected devices, businesses face an increasingly complex array of cyberthreats. Stronger data leakage controls are needed.
Modernising security controls
In today’s rapidly evolving threat environment, traditional cybersecurity measures are not enough. Legacy security controls often work like a checklist: Once systems are “secured”, they’re left untouched until the next big update. But this static approach leaves companies exposed to new vulnerabilities and emerging attack vectors that can develop at a moment’s notice.
Continuous security validation flips that script.
Rather than waiting for an incident to occur or performing periodic audits, continuous validation actively tests a company’s security posture. It replicates real-world cyberattacks to identify weaknesses, providing actionable insights into how resilient the organisation’s defences are at any given time.
A prime example of the importance of modernising security controls comes from LV=, one of the UK’s oldest and largest providers of pensions, savings, insurance, and retirement products.
In 2021, LV= brought in a Big 4 accounting firm to assess its security posture and benchmark its practices against the NIST cybersecurity framework. The results were a wake-up call. They revealed that while LV= had invested in modern technology, its legacy security controls were insufficient for the current threat landscape.
For instance, the system still relied on signature-based antivirus controls, and the email gateway lacked awareness of contemporary threats. Additionally, there was no means to measure the effectiveness of security controls. Individual security measures, such as anti-malware solutions, were not fully integrated into the overall infrastructure. This meant that the security team did not have a centralised view and could only respond reactively to issues like vulnerability disclosures. As a result, company executives were also unable to make data-driven security decisions.
A two-pronged approach
This realisation led to a complete overhaul of LV=’s security infrastructure.
The transformation began on the technical front with the implementation of Breach Attack and Detection Systems (BAS). These systems continuously monitor for security blind spots and provide ongoing security testing, ensuring that vulnerabilities are identified and addressed in real time.
Next, a tool for continuous control monitoring was implemented, thereby allowing the LV= security team to build detailed dashboards highlighting coverage gaps in their security controls. The company also adopted a tool that evaluates the health and effectiveness of its cybersecurity controls, benchmarking its security posture against industry peers. Finally, LV= introduced next-generation anti-malware controls, a new email gateway, an updated web gateway, and a company-wide password manager to bolster its overall cyber resilience.
But securing the technical side was only half the battle. With the modernisation of its security tools complete, LV= turned its focus to the human element of security.
Recognising that human error continues to be a major weak link in many organisations’ defences, LV= implemented a dedicated phishing test and training programme to educate employees on identifying and handling phishing attempts.
Phishing, which typically involves malicious emails designed to trick individuals into revealing sensitive information or downloading malware, is a common method used by cybercriminals. While technology can detect and block many phishing attempts, it is essential for employees to serve as the first line of defence.
By merging cutting-edge tools with comprehensive employee training, LV= is creating a robust security posture that adapts to the complexities of modern cyber threats.
The experience of LV= underscores the necessity of a holistic approach to cybersecurity that encompasses both advanced technology and employee education.
As cyber threats evolve, organisations need to prioritise modernising their security controls and fostering a culture of awareness and vigilance among their workforce. By doing so, they can reap the full power of cloud and AI technologies for their business, while protecting sensitive data and instilling confidence among both customers and stakeholders.