Crank Up Your Cloud Security Knowledge with These Upcoming Webinars

June 12, 2017 | Leave a Comment

By Hillary Barron, Research Analyst and CloudBytes Program Manager, Cloud Security Alliance

Whether you’re trying to make the move to cloud while managing an outdated endpoint backup, attempting to figure out how to overcome the challenges pertaining to developing and deploying security automation, or determining how and why you should build an insider threat program CSA has a webinar that can answer your questions and help set you on the right path.

June 13: 4 Lessons IT Pros Have Learned From Managing ​Outdated Endpoint Backup (Presentation by Aimee Simpson of Code42, Shawn Donovan of F5 Networks, and Kurt Levitan of Harvard University)

In this session, you’ll hear​ from IT professionals at F5 Networks and Harvard University, as well as​ a Code42 expert​ as they ​discuss:

  • Why all endpoint backup isn’t created equally.
  • How outdated or insufficient backup solutions leave you with gaps ​that put user data at risk.
  • What technical capabilities you should ​look for in your next ​backup solution.

 

June 15: Security Automation Strategies for Cloud Services (Presentation by Peleus Uhley of Adobe)

Security automation strategies are a necessity for any cloud-scale enterprise. There are challenges to be met at each phase of developing and deploying security automation including identifying the appropriate automation goals, creating an accurate view of the organization, tool selection, and managing the returned data at scale. This presentation will provide the details of various of open-source materials and methods that can be used to address each of those challenges.

 

June 20: How and Why to Build an Insider Threat Program (Presentation by Jadee Hanson of Code42)

Get a behind-the-scenes look at what it’s really like to run an insider threat program — a program in which you can take steps to prevent employees from leaking, exfiltrating, and exposing company information. This webinar will provide cloud security professionals with insider threat examples (and why you should care), recommendations for how to get buy-in from key stakeholders, and lessons learned from someone who has experienced it firsthand.

Who Touched My Data?

June 9, 2017 | Leave a Comment

You don’t know what you don’t know

By Yael Nishry, Vice President of Business Development, Vaultive, and Arthur van der Wees, Founder and Managing Director, Arthur’s Legal

Ransomware
IT teams generally use encryption to enable better security and data protection. However, in the hands of malicious parties, encryption can be utilized as a tool to prevent you from accessing your files and data. We have been aware of this kind of cyberattack for a long time, but the most recent attack by the WannaCry ransomware cryptoworm was extensive, global and on the front page.

Under any circumstance, a ransomware exploit is terrible for an organization. The preliminary impact can cause extensive downtime and may put lives and livelihoods at risk. However in the latest attack, several hospitals, banks, and telecom providers found their names mentioned in the news as well, suffering damage to their reputations and losing the trust of patients and customers alike. For a thorough summary of the events, we refer you to the many articles, opinions and other publications about the WannaCry ransomware attacks. This article covers the rarely discussed secondary effects of ransomware attacks.

Data exploits
What should you do if you discover your data has been encrypted by ransomware?

When there is a loss of data control, most IT teams immediately think of avoiding unauthorized data disclosure and ensuring all sensitive materials remain confidential. And indeed, these are sound measures.

However, what if you can retrieve your organization’s data because a decryption tool was made available by a third-party (experts recommend strongly against paying the ransom)? One may think that business can continue as usual and it can be assumed the data was not compromised or disclosed, right?

Who touched my hamburger?
Unfortunately, if no mechanism was in place beforehand to track if the retrieved data maintained its integrity during the ransomware timeframe, one simply does not know. Thus it will not be clear whether it was modified, manipulated, or otherwise altered. Are you willing to still eat that hamburger?

Furthermore, one does not know whether a copy has been made, either in part or as a whole. And, if a copy was made, IT teams cannot track where it is, and whether it left regulatory data zones such as the European Union or European Economic Area.

Secondary effect of ransomware
The loss of control described above is the secondary effect of a ransomware attack, which may be even more far-reaching than the original wave. With very little information about what happened to the data during the attack, it is up to the respective data controller or data processor to perform analysis on the long-term impact to the data, data subjects, and respective stakeholders.

Under the Dutch Security Breach Notification Act (WMD), established in 2016, data integrity breaches are a trigger to initiate the notification protocols, in the same way as confidentiality breaches and availability breaches are triggers. Under Article 33 of the General Data Protection Regulation (GDPR), loss of control is also a trigger to notify the data protection authorities.

In most cases it will be very difficult to demonstrate accurately that the breach has not resulted in a risk to the rights and freedoms of the respective natural persons (or as set forth in both the GDPR and WMD, the breach must not adversely affect the data, or adversely affect the privacy of the data subject), obligating the data controller to notify the authorities.

Besides notification, what other measures should be put in place to monitor irregular activities, and for how long? The window of liability for any identity thefts resulting from the breach will remain open for quite a while, so mitigating risk should be on the top of the priority list.

Encryption
Encrypting data and maintaining the encryption keys on site would not have spared an organization from falling victim to such an attack. However, it would enable the exposure to be significantly reduced. This would allow an organization to convey, with confidence that, by maintaining the original encryption keys on-premises, they were in complete control of the data, even when it was encrypted by the attackers using another set of keys.

Accountability
The GDPR is aimed to give data control back to the data subjects. Encryption is mentioned four times in the GDPR, which will enter force within one year, on May 25, 2018. It is explicitly mentioned as an example of a security measure component that enables data controllers and data processors to meet the appropriate level of state-of-the-art security measures as set forth in Article 32 of the GPDR. In real-life examples, such as WannaCry and similar ransomware hacks, it can also make the difference between control and loss of data, and the associated loss of trust and reputation.

The GDPR it is not about being compliant but about being accountable and ensuring up-to-date levels of protection by having layers of data protection and security in place to meet the appropriate dynamic accountability formula set forth in the GDPR. Continuously.

So, encryption can not only save embarrassing moments and loss of control after the ransomware or similar attacks, but it can also help organizations to keep data appropriately secure and therefore accountable.

My Second Attempt at Explaining Blockchain to My Wife

June 7, 2017 | Leave a Comment

I tried explaining blockchain to my wife and here’s what happened…

By Antony Ma, CTO/PowerData2Go, Founding Chairman/CSA Hong Kong and Macau Chapter, and Board Member/CSA Singapore Chapter

I introduced my wife to Python around nine months ago, and now she’s tinkering and has drawn a tortoise on her MacBook. After spending more time on geeky websites, she became more inquisitive, asking me one day, “Can you explain to me what blockchain is and why it is a game changer?” It sounded like a challenge!

With my 15 years of experience in banking, audit, and IT security, I should be able to nail this. I opened my mouth and mentioned some terms I’ve read on blogs and news websites—distributed ledger, low transaction cost, no central computer, smart contracts, etc. After 45 minutes and some drawings, she asked, “Why the fuss? Is it like a database with hash?”

It looked like I was able to explain what blockchain is but failed to justify why it is ground-breaking. Her question on how a distributed ledger can profoundly transform the Internet was unanswered.

That question also struck me. Despite reading so many articles on the importance of blockchain and how it could change our digital life, not many articles can explain in layman’s term how the technology is so different from other Internet tech and why it’s a paradigm shift.

I started reviewing my readings, and here now is my second attempt at explaining blockchain in understandable terms.

The reason for blockchain
It all started in the 1970s when military research labs invented TCP/IP (Transmission Control Protocol/Internet Protocol), the foundation of the Internet with a high priority on resilience and recoverability. Researchers could add/remove nodes to/from the system (following some protocols) without affecting other network components.

Trust (or simply security) was secondary. If your enemy could cripple your network with one strike, protecting the system against espionage or infiltration was irrelevant. Flexibility and resiliency were implemented first, but came as costs. A lack of security design exposed the network and data transmitted on it to spoofing and wiretapping.

Confidentiality and integrity features were not mandatory in the first version of the Internet. Most of the security features we are using today are patches on a design that was focused on availability and recoverability. SSL (Secure Sockets Layer), OTP (One-Time Password), and PKI (Public Key Infrastructure) were adopted after the Internet started proliferating.

Elements of trust such as authenticity, accuracy, and non-reversible records are hinged on a non-security-minded design (just like when the first version of the Internet was built) and decades of patching. The Internet is virtual and intangible because the integrity of information is not guaranteed. You don’t know whether you are chatting with a dog. Trust on the Internet relies on information security controls deployed and their effectiveness.

A software bug or control lapse may allow anyone with access to a system to make unauthorized changes. For example, a bank staff may exploit a known vulnerability and edit records in the credit score database. As it was already proven that no security control is 100-percent effective, trust in cyberspace is built on multi-layers of data protection mechanisms.

We do not trust cyberspace since information integrity is not guaranteed. Because of a lack of trust between different parties on the Internet, there are many intermediaries trying to use physical world verifications to secure or protect transactions. Since the virtual world is intangible and alterations are sometimes hard to detect, when security controls fail users need to go back to the physical world to fix it either by calling a call center or even visiting an office.

Consider this example now from Philipp Schmidt:

In Germany, many carpenters still do an apprenticeship tour that lasts for no less than three years and one day. They carry a small book in which they collect stamps and references from the master carpenters with whom they work along the way. The carpenter’s traditional (and now hipster) outfit, the book of stamps they carry, and(if all goes well) the certificate of acceptance into the carpenter guild are proofs that here is a man or woman you can trust to build your house.

Being in control doesn’t mean it would be easy to lie. Similar to the carpenter’s book of references, it should not be possible to just rip out a few pages without anyone noticing. But being in control means having a way to save credentials, to carry them around with us, and to share them with an employer if we chose to do so.

You may say it is old-fashioned or outdated, but carpenters trust it—even now. Their trust is built on their understanding that the paper cannot be easily tampered with without leaving a trace. Each page is linked to the next and alterations are easily detected without relying on a third party. With the law of physics, there is no need for an intermediary.

The virtual and physical worlds
Blockchain is the new form of paper in cyberspace, which breaks the wall between the virtual and the physical world. Records created using blockchain technology are immutable and do not require other systems or entities for verification. The immutable properties of blockchain are defined by mathematics, similar to how paper follows the law of physics.

An interaction that was recorded using the blockchain system cannot be altered, but you can add a new record that supersedes the previous one. Both the first and the new versions are part of the chain of records. Blockchain is a technology that defines how the chain of records is maintained. Integrity is an inherent part of a blockchain record.

How does blockchain achieve immutability?  The Register has a simple explanation:

In blockchain, a hash is a cryptographic number function which is a result of running a mathematical algorithm against the string of data in a block and results in a number which is entirely dependent on the block contents.

What this means is that if you encounter a block in a chain of blocks and want to read its contents you can’t do it unless you can read the preceding block’s contents because these create the starting data hash (prefix) of the block you are interested in.

And you can’t read that preceding block in the chain unless you can read its preceding block as its starting data item is a hash of its preceding block and so on down the chain. It’s a practical impossibility to break into a block chain and read and then do whatever you want with the data unless you are an authorized reader.

Bringing properties of the physical world into the virtual world is why blockchain is ground-breaking.

For my next post, I will write about the physical properties that blockchain creates and how they are related to trust.

Antony Ma received CSA Ron Knode Service Award in 2013. Follow him on Twitter at https://twitter.com/Antony_PD2G.

Office 365 Deployment: Research Suggests Companies Need to “Think Different”

June 2, 2017 | Leave a Comment

Survey shows what companies expected and what they found out

By Atri Chatterjee, Chief Marketing Officer, Zscaler

It’s been six years since Microsoft introduced Office 365, the cloud version of the most widely used productivity software suite. In those years, Office 365 has earned its place as the fastest-growing cloud-delivered application suite, with more than 85 million users today, according to Gartner. Even so, it’s just getting started. The use of Office 365 represents a fraction — just seven percent — of the Office software in use worldwide, and there is tremendous growth on the horizon. That means there is still plenty of room for enterprises of all sizes to capitalize on the agility benefits of Office 365, but getting the deployment right is the key to success.

Understanding the Office 365 deployment experience
We know that Office 365 brings about considerable changes in IT so we teamed up with market research firm TechValidate to do an independent survey of enterprises that had deployed Office 365 or were in the process of doing so. The results have been illuminating.

We surveyed 205 enterprise IT decision makers from a variety of industries in North America. More than 60 percent of them were managers of IT, 25 percent were at the director or VP level, and 14 percent were C-level. In our questions, we hoped to learn about their experiences in three broad categories:

  1. What they did to prepare for their Office 365 adoption
  2. How the implementation went, given their preparation
  3. What they learned and what are they going to do going forward

Key results

Preparation for Office 365 was “old school” and fell short
A majority of companies surveyed used traditional approaches to prepare for the increased network demands of Office 365. Many increased bandwidth capacity of their existing hub-and-spoke network by over 50 percent in preparation for deployment, and an even greater majority (65 percent) upgraded their data center firewall appliances. And while most companies estimated big budget increases in network expenditures, almost 50 percent had cost overruns after deployment.

Fewer than one in three companies implemented a network architecture involving local breakouts to the Internet from branch offices.

Most implementations fell short on user experience due to bandwidth and latency
Even after bandwidth increases, latency was a big problem, with 70 percent reporting weekly problems and 33 percent reporting daily problems. Firewall upgrades did not help. Sixty-nine percent of those who upgraded firewalls still had latency problems. Ultimately, this results in issues with user experience, with almost 70 percent of C-level executives citing these issues as a top concern.

Lessons learned
Seventy percent of the respondents are now looking to do something different to their existing network architecture and deploy a direct-to-Internet connection to improve performance and user experience.

In addition, 85 percent reported problems with bandwidth control and traffic shaping, and are now looking for solutions to better control network traffic so that business applications like Office 365 are not starved by consumer traffic to Facebook, gaming sites, and streaming media.

More data, insight, and recommendations
The full report provides a lot more data in each of these areas, and it offers key recommendations based on the real-world experiences of over 700 enterprises that have been through the transition to Office 365. You can also check out a summary of the findings on this infographic.

If you are thinking about embarking on such a journey, here are some additional resources to help you plan.

Want To Empower Remote Workers? Focus On Their Data

May 31, 2017 | Leave a Comment

By Jeremy Zoss, Managing Editor, Code42

Here’s a nightmare scenario for IT professionals: Your CFO is working from the road on a high-profile, highly time sensitive business deal. Working late on documentation for the deal, a spilled glass of water threatens everything. His laptop is fried; all files are lost. What options does your organization have? How can you get the CFO these critical files back, ASAP, when he’s on the other side of the country?

Remote user downtime has high costs
It’s not just traveling executives that worry IT pros. Three-quarters of the global workforce now regularly works remotely, and one in three work away from the office the majority of the time. Across every sector, highly mobile, on-the-go users play increasingly important roles. When these remote users lose, destroy or otherwise corrupt a laptop, the consequences can be serious.

  • On-site consultants: Every hour of downtime is lost billable time.
  • Distributed sales teams: Downtime can threaten deals.
  • On-site training and technical support: Downtime interrupts services, which can hurt relationships and reputations.
  • Work-from-home employees: These might not be high-profile users, but downtime brings productivity to a halt—a cost magnified across the growing work-from-home workforce in most organizations.

Maximizing remote productivity starts with protecting remote user data
Businesses clearly recognize the huge potential in empowering remote workers and mobile productivity. That’s why they’re spending time and money on enabling secure, remote access to digital assets. But too many forget about the other end of the spectrum: collecting and protecting the digital assets that remote workers are creating in real-time—files and data that haven’t made it back to the office yet. As productivity moves further away from the traditional perimeter, organizations can’t let that data slip out of view and beyond backup coverage.

Get six critical tips to empower your mobile users
Read the new white paper and see how endpoint visibility provides a powerful foundation for enabling and supporting anytime-anywhere users.

New CSA Report Offers Observations, Recommendations on Connected Vehicle Security

May 25, 2017 | Leave a Comment

By John Yeoh, Research Director/Americas, Cloud Security Alliance

Connected Vehicles are in the news for introducing new features and capabilities to the modern automobile. Headlines also highlight security hacks that compromise vehicle operations and usability. While sources note that the vulnerabilities identified so far have been addressed, a greater understanding is needed on how tomorrow’s Connected Vehicle will operate in an environment composed of both legacy and modernized traffic infrastructure. The Connected Vehicle will be designed to communicate with countless other devices and interfaces. Security systems, tools, and guidance are needed to aid in protecting vehicles and the supporting infrastructure.

Through research and development within the CSA Internet of Things Working Group and the United States Department of Transportation Federal Highway Administration, CSA is introducing “Observations and Recommendations on Connected Vehicle Security” to keep consumers and manufacturers up to date on the evolution of vehicle connectivity, areas of concern, and recommendations for securing the connected vehicle environment. The paper will provide a “big picture” view of the various aspects of vehicles and infrastructure components to better understand their interrelationships, dependencies and threats to the traffic ecosystem.

Learn about:
  • Connected Vehicle reference architectures and messaging protocols
  • V2V, V2I, V2X interactions
  • Potential System-of-System attacks and outcomes
  • Cross collaboration of IoT devices and systems
  • Vehicle design, platform, and infrastructure security best practices

The CSA Internet of Things Working Group continually evaluates and conducts research on new technologies involving cloud and the Internet of Things. CSA collaborates with other industry organizations to bring the latest guidance and security best practices to IT and enterprise.

A Management System for the Cloud – Why Your Organization Should Consider ISO 27018

May 22, 2017 | Leave a Comment

By Alex Hsiung, Senior Associate, Schellman & Co.

Cloud computing technologies have revolutionized the way organizations manage and store their information.  Where companies used to house and maintain their own data, a host of organizations have now made the switch to a cloud-based model due to the ease of use and cost-saving benefits promised by the cloud.

But what is a cloud without a little rain?  The benefits of cloud technologies have not come without their costs.

Within the world of cloud computing, there have been three persistent concerns:

  1. Security
  2. Security
  3. Security

A quick search for the pitfalls and concerns organizations face with cloud computing yields a recurring motif.  Every company looking to incorporate a cloud-based service has to weigh the benefits that a cloud environment affords against the risks associated with entrusting an organization with its sensitive data.  This data tends to include personally identifiable information (henceforth referred to as PII), which is generally the most scrutinized category of data and is subject to some of the strictest legal and regulatory requirements.

Customers of cloud service providers want to rest assured that the PII they have entrusted a cloud service provider with is maintained and held to at least the same level of security standards that they would have placed if the data had remained within their control.  For some organizations, the stakes are even higher as this is mandated by certain legal and regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA) for electronic personal health information and the Graham-Leach-Bliley Act (GLBA) for sensitive financial information.

Many cloud service providers maintain that they are ignorant to the data ingested on behalf of their customers.  However, in the event of a security breach involving either personal health information or sensitive financial data, significant fines and reputational damage can be incurred by the cloud service provider if appropriate security and privacy measures are not in place.  This is where an effective information security management system, with specific control considerations tailored to cloud security and privacy surrounding PII, can prove invaluable to a cloud service provider.

You may have questions regarding what an information security management system is.  To define an information security management system, it may be easier to first understand what it is not.  An information security management system is not referring to an actual “system”, “application”, or “tool” that performs information security functions.

A broader definition is as follows: an information security management system represents the organization’s holistic approach to addressing information security concerns.  This includes top management’s buy-in to addressing these risks which can be demonstrated in its actions by performing the following:

  • Fostering a top-down approach to information security that encourages personnel throughout the organization to be aware of information security best practices
  • Performing risk assessments that are tailored to its organization’s unique threats and vulnerabilities
  • Proactively searching for issues and concerns through the use and selection of internal auditors
  • Monitoring and measuring the performance and effectiveness of the information security management system
  • Establishing a commitment to continually improving the information security management system
  • Ensuring that security controls are implemented and applicable to its organization’s goals and purpose

The standard most commonly used to demonstrate an organization’s effective implementation of an information security management system is the ISO 27001 standard.  The ISO 27001 standard serves as a baseline framework which virtually all service providers, cloud-based or otherwise, can work toward implementing.  It is worth noting that ISO 27001 provides a multitude of benefits to organizations that implement an effective information security management system, but two are perhaps the most pertinent and deserve to be mentioned:

  • An effective information security management system demonstrates to prospective and current customers that the service organization means business about protecting the data that it is entrusted with and responsible for.
  • An effective information security management system assists organizations with establishing a forward-thinking, proactive approach to addressing information security concerns as opposed to enabling a backward-looking mindset which is generally fostered by audit culture, which typically focuses on historical information.

The above-mentioned points may be enough for any service organization to consider implementing an information security management system.  The reputational benefit that an organization can enjoy by demonstrating to its customers that it takes its handling of information seriously is difficult to measure.  The cost-savings that an organization can enjoy by implementing effective response procedures in the event of a security incident are also incalculable – just ask United Airlines.  Sure, maybe that was a different kind of incident, but the age-old adage remains: failing to prepare is preparing to fail – this is the essence of ISO.

However, the buck does not stop at ISO 27001, especially for cloud service providers who by virtue of their trade must take information security more seriously.  This is where organizations can implement, in addition to the requirements held forth by the ISO 27001 standard, a slew of measures to increase the security and privacy measures in place when handling sensitive data, such as PII.  This standard is referred to as ISO 27018, which can be achieved in tandem with an effective information security management system in accordance with the ISO 27001 standard.

ISO 27018, otherwise referred to as ISO/IEC 27018:2014, builds upon an organization’s information security management system by establishing a group of privacy-based controls that are dedicated to protecting PII in public clouds that act as PII processors, with an emphasis on protecting PII in the cloud.  ISO 27018 provides a new subset of controls dedicated to the protection of sensitive personal data.

A high-level overview of some of the ISO 27018 requirements are included below:

  • Providing cloud customers with the ability to access, correct, and erase their own PII
  • Ensuring that data is processed according to its intended purpose and not taken out of context
  • Procedures for the deletion of temporary files
  • Implementing defined disclosure procedures
  • Providing open, transparent notice in the event that sub-contractors are utilized
  • Encouraging accountability on behalf of the cloud service provider through the implementation of breach notification procedures
  • More stringent information security requirements on the part of the cloud service provider

Hopefully after considering the above, it is more clear that implementing an information security system aligned with ISO 27001 is tremendous for a service organization, but for cloud service providers hoping to assuage any security and privacy concerns for their customers, aligning these controls with ISO 27018 may be the organization’s best option.

As the technologies around us evolve, so do their underlying threats and vulnerabilities.  An effective information security management system affords an organization a proactive, forward-thinking approach to information security.  This is all the more important given that cloud computing technologies have been plagued with security and privacy concerns since their inception; the risks will only continue to increase.

If you represent a cloud service provider, it may be time to consider how your organization can benefit from the implementation of an information security management system that aligns its 27001 controls with the ISO 27018 objectives.

For more information on ISO 27018, you can view our webinar on-demand: Privacy in the Cloud – an introduction to ISO 27018

Ransomware 101

May 19, 2017 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

Unless you’ve been living under a rock for the last few weeks, you know that there has been a notable increase in cyberattacks around the world. Hackers have been spreading a type of ransomware called “WannaCry” via emails that trick recipients to open attachments that make them vulnerable to the attack.

Since Friday, over 150 countries have been affected by WannaCry, with the largest impact being on the NHS in England and Scotland. The attack hit over 16 organizations, crippling hospitals and general practices, forcing them to shut down and turn away patients.

What you need to know about ransomware
Once your system is infected, ransomware will encrypt your files, rendering them useless without a key. The guilty hackers will then demand some form of payment (typically via bitcoins) for the return of the hostage information.

Ransomware’s effects are not limited to the files on a device – they can also affect the device as a whole. Hackers can put locks on user profiles that make it impossible for individuals to log into their devices without paying a ransom. Similarly, they may alter a computer’s startup process so that it cannot finish unless a ransom is paid.

What you need to do to protect against ransomware
Companies must ensure adequate employee training to protect from ransomware. For example, employees must be able to identify phishing attempts and illegitimate emails. Additionally, users must be sure to keep their systems, software, and applications up to date. Finally, regular backups of data are a necessity.

In addition to the above, organizations must embrace technological solutions that can protect against ransomware. While traditional, signature-based solutions can detect previously identified threats, advanced solutions that utilize capabilities like machine learning must be adopted to protect against unknown threats.

As hackers become more sophisticated, companies must use a multi-pronged approach to prevent the spread of ransomware.

CTRL-Z and the Changing Data Landscape

May 18, 2017 | Leave a Comment

By Mark Wojtasiak, Director of Product Marketing, Code42

The massive “WannaCry” ransomware attack that appeared in Europe last week and spread to over 150 countries is a perfect illustration of why enterprise data storage is in a period of flux. Today, organizations can choose to keep their data in the cloud, on-premise, or across both in a hybrid deployment. This variety of choice is great – it caters to pretty much every type of organization and allows IT decision makers to see where sensitive corporate information is at all times—right?

Wrong.

In 2017, 50 percent of all corporate data is actually held locally, at the endpoint, on employee devices. This is according to 800 IT decision makers (ITDMs) and 400 business decision makers (BDMs) surveyed as part of our brand new CTRL-Z Study, a pan-global report looking into the data practices of some of the world’s largest organizations and most senior stakeholders—including the C-suite—across the U.S., U.K., and Germany. The endpoint is also where 78 percent of ransomware attacks begin, and WannaCry has reportedly spread to over 100,000 organizations so far.

When ‘benefits’ outweigh the risks
The serious security implications and risks to productivity that this shift in data repositories represents are well understood at the top of the organization, with 65 percent of CIOs and 63 percent of CEOs stating that losing all the data held at the endpoint would destroy their business. But, in reality, awareness of the risk is doing little to dissuade poor security practices.

Three quarters (75 percent) of CEOs and more than half (52 percent) of business decision makers admit that they use applications/programs that are not approved by their IT department. The vast majority (80 percent) of CEOs and 65 percent of BDMs also say they use these unauthorized solutions to ensure productivity. This is despite 91 percent of CEOs and 83 percent of BDMs acknowledging that their behaviors could be considered a security risk to their organization.

So, to put it bluntly, there’s behavior at the top of numerous enterprises that favors productivity and getting the job done over data security, and CEOs and key BDMs realize this. Therefore, especially in light of coordinated global cyberattacks, the big question is: “Where does the enterprise go from here?”

Recovery is the key to data security
Productivity is undoubtedly the key to business success. At the same time, it is integral to business continuity to protect data and to be able to rapidly recover from a breach or to undo a ransomware infection. Around 50 percent of respondents to the CTRL-Z study admitted that their organization had suffered a data breach in the last 18 months. As evidenced by these numbers, the days of a ‘prevention only’ approach to security is not sufficient. Tried and tested recovery must now be at the core of enterprise data protection strategy—to get employees back up and running quickly should a breach occur. After all, the biggest cost of a ransomware attack isn’t the ransom payment—it’s the lost productivity that can result from not having the right backup and restore solution in place.

When it comes to security, there are three pillars to ensure success. First, organizations must be able to spot risk sooner. Gaining visibility over where data is, how it moves, who accesses it and when could act as an early warning system to alert ITDMs to both insider and external threats. Second, the enterprise as a whole always needs to be able to bounce back. When a data incident occurs, internal teams and the backup solutions in place need to be tested and ready to face the challenge. Finally, if the organization is to remain competitive, it needs to recover quickly. Time is money, and in the modern enterprise, so is data. Whatever goes wrong, whether that be a company-wide breach or an insider leaking a single file, IT professionals need to be able to identify the where, when and who of the situation immediately if they hope to mitigate the risk.

Now is definitely the time for change, and the enterprises that want to remain competitive are starting to act. As many organizations around the world have learned in recent days, it’s not if you will be hit by a cyberattack, but when.

 

Malware: Painting a Picture

May 17, 2017 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

Part One
Now more than ever, companies are flocking to the cloud. Through a variety of software as a service (SaaS) and infrastructure as a service (IaaS), enterprises are able to raise their efficiency, increase their flexibility, and decrease costs. However, pursuing these benefits does come with some risk. In particular, malware and ransomware have transformed from issues on endpoints to systematic threats to organizations’ suites of cloud apps.

While it may be tempting to run from the cloud (and the threats hiding in its billows), the fact remains that it is a staple of modern business – it’s here to stay. So, enterprises must take steps to understand malware and safely capture the benefits of the cloud. This process is similar to composing a painting in that there are many items to consider when trying to complete a picture of the ideal future. Each piece of secure cloud migration corresponds with one aspect of painting – see how in this two-part blog series.

The Saboteur: Types of Malware
Malware can be thought of as a sly saboteur waiting for an opportunity to throw paint at your canvas and ruin your design.

Malware can be divided into a number of smaller classifications. For example, horror stories often revolve around worms, spyware, trojan horses, ransomware, and many other types of Malware. Despite this lengthy list, two overarching categories are of primary importance. When evaluating malware, one must think in terms of known threats and unknown threats. While a known threat is a common piece of malware that has been seen in the past, an unknown threat (or zero-day threat) is malware that is relatively new and has not yet been identified. Zero-day malware is a particular risk because it is harder to detect – there can be months of damage, theft, and infection before it’s noticed. They each present different challenges and must be addressed in unique ways – as will be discussed in Part Two.