
Cloud Security Myth #3: The best security keeps threat actors from getting in.

Author : protegrity

It would be nice to think that your systems are secure. Most organizations focus their security strategy on trying to keep anyone from getting into their systems. The reality is that threats are everywhere. They come from inside the perimeter of your own systems in the form of human error, and they come from outside the perimeter in the form of hackers and third-party systems. Sensitive data moves across data silos within the enterprise but also across hybrid and multi-clouds. So good security not only fortifies the entry points, it also ensures that a data breach reveals nothing useful. It protects the data itself. Let’s take a look at some recent data breaches to understand why that is so important.

Accidents happen

In the first half of 2018, 34% of the data lost through breaches was caused by accidental loss. That means that, “oops”, someone left data exposed and open to breach. In November 2018, the Oklahoma Department of Securities was found to be housing millions of FBI investigation records on an unsecured rsync server for an uncertain amount of time. Data included personal data, systems credentials and internal communication records. This data was simply left unprotected. Despite 8 years of IT infrastructure consolidation by the OMES agency, ODS had not yet consolidated its systems.

Third parties increase your risk

What about third parties who have access to your data? Password management company Blur announced early this year that it had exposed a file with 2.4 million names, password hints and encrypted passwords on an unprotected server. Later in January, another astounding breach was announced. More than 24 million financial and banking documents were exposed for a two-week period on an open server by Ascension, a data analytics company serving the finance industry. Vital personal information such as names, addresses, dates of birth, Social Security numbers, and financial information was exposed. Ascension converts paper documents into computer-readable files (OCR), and the server housing 10 years of documents is the one that was exposed – without a password.

And if your email is outsourced…

A common way in to an organization’s data is through email. In an incident announced just last week, Health Alliance Plan lost control of 120,000 patients’ medical information when Wolverine Solutions Group, the third party that manages its email, succumbed to a ransomware attack.

The unwelcome email intruder

Email provides so many ways to potentially access your sensitive data. Several 2019 data breaches are due to third-party access to employee email. Approximately 326,000 patients’ data was potentially exposed at UConn Health this way – including names, dates of birth and Social Security numbers.

Hook, line and sinker – phishing

Malicious outsiders are responsible for 68% of data breaches, and phishing still gets powerful results. There have been 5 major reported incidents already this year, with BenefitMall leading the pack at almost 112k consumers impacted; the vital information involved included name, date of birth, bank account, and Social Security number. Several employees responded to a phishing attack over four months before the hack was discovered.

The invisible breach

System breaches can and do go unnoticed. AdventHealth and Marriott International know something about that. AdventHealth’s systems were breached and undetected for 16 months. Marriott’s systems were compromised for four years.

It’s simply not enough anymore to protect your systems. Human error is inevitable. Your employees will make mistakes. Malicious outsiders will continue to find new ways to trick them into opening the door into your systems. Third-party vendors you work with may not have the same stringent security solutions you do. And the data you are storing in a third-party cloud is your responsibility to protect.

Isn’t it time you looked at data security differently? Protegrity recommends a Data First Security approach. Our clients feel safer knowing wherever their data goes, it is de-personalized and therefore of no value if and when a data breach occurs. You can find out more about Protegrity’s approach to data security on our blog.

Stay tuned for Blog 4 in our Fact vs Myth Cloud series. We will address Myth #4: You only need security on your transactional systems. We’ll talk about the importance of data security in your analytical systems and dispel the myth that security will slow down your ability to get insights.

 


*** This is a Security Bloggers Network syndicated blog from Blog – Protegrity authored by protegrity. Read the original post at: https://www.protegrity.com/cloud-security-myth-3/