Will organizations ever reach a point where they feel confident about their security and the ability to defend against threats and breaches?
I hope the answer is yes: someday our security systems will be ahead of the game, but that day isn’t today. A new study from McAfee found that even though there have been improvements, security professionals admit the struggle to fully secure the organization is real.
The study, “Grand Theft Data II – The Drivers and Shifting State of Data Breaches,” focused on data breaches globally. Respondents were asked about the serious data breaches they experienced, with questions seeking specific details about how the breaches occurred and what was done, or could have been done, to prevent them. Nearly two-thirds said their organization has been hit with a major data breach, which I don’t think is too surprising in this culture. The bigger concern is that the breaches themselves are becoming more serious or damaging. Cybercriminals aren’t just after the personally identifiable information (PII) of consumers and employees, nor are they looking only for passwords or Social Security numbers or banking information. These days, cybercriminals are going after intellectual property.
“Threats have evolved and will continue to become even more sophisticated,” Candace Worley, vice president and chief technical strategist at McAfee, said in a formal statement.
Vectors for Exfiltrating Data
The report calls out the top three methods of exfiltrating data as database leaks, cloud applications and removable USB drives. The cloud itself doesn’t appear to be driving more breaches at the moment, but applications are a growing concern, with IT security professionals most worried about leaks from Microsoft OneDrive, Cisco WebEx and Salesforce.com. So I asked Worley whether it is surprising that applications are the security problem as opposed to the cloud.
“Although the report does not specify cloud generally, it does focus on cloud applications,” Worley said. “This is because applications are where the lion’s share of the data resides, and data is what most adversaries are after.”
Yet, it is cloud security that many focus on—I hear all the time that folks are worried about the security of the cloud as opposed to the security of the actual application. So, I asked Worley if we are missing something about application security that we should pay closer attention to.
“To some extent they are one and the same,” she said. “Applications have vulnerabilities that are exploitable much like operating systems do. Where the apps reside doesn’t change that. Cloud applications are equally susceptible to exploits when they have unknown or unpatched software vulnerabilities.”
As DevOps moves more workloads to the cloud, she added, it will be necessary to pay attention to the security settings of the cloud instances they use and be aware of the security associated with the underlying infrastructure. But ultimately, accountability for the security of data—and in some cloud approaches—resides with the company moving the data and applications to a cloud provider’s environment.
“Understanding the security of the cloud you choose and the applications that you use in the cloud are a critical part of securely navigating digital transformation,” she said. “The loss of data is also what is most often subject to regulatory oversight, which means whether the data is in on-prem apps or cloud apps, there is significant reason for concern.”
Security Buy-In From Everyone
The people factor plays a huge role in data breaches, both in preventing them and in their occurrence. The study found that a “Do as I say, not as I do” attitude is prevalent in organizations, with more than 60% of C-level executives expecting more lenient policies for themselves. IT security pros think that adds to the organization’s risk of a breach. (Is it coincidence, then, that the number of respondents reporting data breaches is identical to the number who say their C-suite don’t think they need to follow the same best practices as the rest of the company?)
“Organizations need to augment security measures by implementing a culture of security and emphasizing that all employees are part of an organization’s security posture, not just the IT team,” Worley said in the formal statement. “To stay ahead of threats, it is critical companies provide a holistic approach to improving security process by not only utilizing an integrated security solution but also practicing good security hygiene.”
Protecting against data breaches is a struggle, no doubt about that, but the more security pros understand about the problem areas, the more they can do to address them.