BreachExchange mailing list archives
The biggest threat to businesses is in their employees’ own hands
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 15 Dec 2015 16:48:46 -0600
Companies everywhere spend a lot of time focused on outside security threats like hackers and organised cybercrime groups. But the truth is that businesses’ greatest threat is in their employees’ own hands: mobile devices. The smartphones, tablets, and other tools that have become integral to our lives—both professionally and personally—are betraying us. Combating shadow BYOD needs to be every company’s next big priority.

We live in an age where we’re constantly juggling our different devices and increasingly doing work on demand, calling up files on our phones in an airport, on a tablet at a meeting, or on our laptops when we work from home. I watched with interest as this shift in workplace norms took hold at my own company and many others, and I’ve been fascinated to watch, for years now, as sync-and-share services have evolved to make this change nearly effortless. In fact, now working remotely and on devices is something most of us take for granted. All our files are on all our devices and in the cloud, ready to be accessed anywhere, anytime. That’s great—until it isn’t.

It’s a commonly cited fact that lost or stolen mobile devices are one of the primary causes of data breaches, but people still don’t appreciate the risk. Just recently, Lahey Hospital was required to pay $850,000 and enact a robust corrective plan for a HIPAA violation incurred after a laptop with unencrypted information was stolen. More than 3 million smartphones are stolen every year (and another 2 million are lost), and 40 per cent of employees use personal smartphones and tablets for work purposes, so the numbers add up.

The device problem is more complex than mere employee carelessness. While popular cloud storage providers offer substantial security measures that encrypt and protect files on their servers, they weren’t designed to protect files synced to mobile devices. So when data does get pulled down to devices, you’re on your own.

Every day, employees are syncing corporate files, patient records, and company IP to their devices to work from home, prepare for presentations, or meet with clients. If they even think about it (and to be honest, they probably don’t), they likely assume the cloud provider’s security extends to their synced files, too. It’s a reasonable assumption, but that oversight leaves thousands of files exposed on the cloud—often unbeknownst to their employers, who may not even be aware that this is a problem.

I’ve worked with many CEOs and CTOs in the healthcare, finance, and legal industries, and they’re all curious about how to stop this plague. Data breaches are reaching an all-time high—so what can businesses do about it? Keeping a few practical steps in mind will make a world of difference to your company’s security:

*1. Don’t crack down on the cloud, but find ways to protect it instead*

Denying your employees the ability to use mobile devices or sync files to the cloud is only bound to backfire when they find backdoor solutions and continue using the cloud anyway. Some 80 per cent of employees nationwide use unapproved cloud software on their work computers or personal mobile devices, which means that employers have no control over any of the data that software’s being used for.

*2. Sanction an employee-preferred cloud provider*

Eliminating BYOD won’t solve your problem, but making sure your company’s cloud use is consistent across the board will. Regaining control—without being overly controlling—is the first step. And knowing how your employees want to—and already do—use the cloud is vital.

*3. Secure the cloud on mobile devices and laptops*

Adding an extra layer of encryption to already existing cloud security does the trick. Encrypting at the file-level safeguards sensitive data before it ever reaches the cloud and after it leaves it, meaning that when a file is synced to a mobile device, it’s no longer vulnerable. More importantly, mobile device loss or theft is no longer your business’ largest threat. The files stay securely encrypted and only readable by intended users. It’s the way encryption should always work, everywhere.

*4. Ensure you can block access from devices*

The ability to block device access with the touch of a button is an important step to keeping company information safe. As soon as a device is reported lost or stolen, an administrator at the office can block access to it remotely. This is also key to keeping disgruntled ex-employees from sabotaging or leaking company files (which is a real threat!). Bear in mind, of course, that while wiping the data from a device can be helpful—it’s also time-consuming, depending on how much data is stored there. Revoking encryption keys, on the other hand, can be done instantly.

*5. Get end-to-end audit trails*

Keep an eye on company files by auditing who’s accessing files on any devices your employees are using. This is one feature a cloud provider won’t provide by default but that’s extremely useful. If you notice an unauthorised user, you can investigate the situation, block access, and stop a data breach before it’s too late.

By now, cloud usage in a workplace setting is practically inevitable. But until this device problem is fixed and the cloud can be used freely, mobile devices will continue to be a major risk. As IT leaders, we can do better.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/