In 2020, organizations fast-tracked digital transformation initiatives and cloud migrations to provide remote capabilities to employees, customers, and overall processes hampered by the pandemic. It’s safe to say many of these prioritized decisions were put forth by organizations that didn’t perform a proper threat analysis or weren’t aware of the potential risks they were introducing to their company. As a New Year’s resolution, it’s imperative for all 2020 digital transformation initiatives to be revisited and course corrected. This includes double-checking any rushed decisions by performing proper risk assessments, reassessing interconnected cloud applications, reexamining access controls to third party applications, and tightening up outstanding misconfigurations and patches.
Perform a proper risk assessment
All Chief Information Security Officers and cybersecurity leaders should perform a full risk assessment before introducing any new processes or changes to existing processes. Still, with the urgency of speedy digital initiatives caused by the pandemic, it’s understandable that time was in short supply. In 2021, organizations should take a step back and revisit those changes with a proper risk assessment. This assessment should identify all changed critical systems that access sensitive data, recognize any potential threats created by the change, and determine the inherent risk and overall impact. Once the risk assessment is performed, security teams should partner with IT and other stakeholders to inspect the environment and put the proper threat prevention, detection, and mitigation solutions in place.
Reassess interconnected cloud applications
The most popular digital transformation initiative of 2020 was the rush to the cloud. Cloud migrations and SaaS adoption skyrocketed during the pandemic, with companies relying on the flexibility of cloud-based platforms and tools to increase productivity regardless of an employee’s location. In the first quarter of 2020 alone, PwC reported that cloud spending rose 37% to $29 billion, and it predicted that this trend would persist.
New interconnected cloud apps added hastily during the onset of the pandemic should be reassessed in 2021 as companies may have lost visibility into the risk of their interconnected systems and application environments. One misconfigured system or security vulnerability can put the entire enterprise at risk. Organizations need to reevaluate which applications support critical business processes and how they interconnect with each other. As remote workforces become a long-term reality, these seemingly minor mishaps could jeopardize the integrity of the organization, so gaining control and understanding of configurations is critical.
Reexamine third-party applications
A vital question organizations should reexamine in 2021 is “Which third-party applications have access to sensitive data?” Authorization and access control are some of the basic building blocks of risk management and internal controls for a business, but third parties can introduce a potential threat to companies’ customer data, financial information, and operations by having access to privileged systems. In fact, according to a Gartner survey, more than half of respondents have been concerned about third-party cybersecurity risk since the onset of the pandemic.
Emerging best practices that streamline how enterprise security leaders mitigate third-party risks include reviewing third-party compliance activities, such as privacy and security training plans, and updating contracts to include clauses intended to mitigate cybersecurity and data privacy risks. Organizations can also streamline third-party due diligence by identifying and prioritizing critical third parties and helping them manage risk throughout the relationship.
Fix outstanding misconfigurations & prioritize patches
Misconfiguration mistakes continue to be the root cause of the majority of data breaches. It’s reasonable to accept that, in 2020, while security and IT teams were spread thin, misconfigurations likely occurred and patches may have been missed. In 2021, there should be an urgency for developers and IT teams alike to revisit new custom code and fix any misconfigurations, while cross-checking published patches to ensure they’ve actually been applied. Organizations should always establish and follow patch management procedures to safeguard their enterprises from cyberattacks, and placing priority on security patches is critical for protecting devices and data. Thankfully, the recent 2020 Verizon Data Breach Report found that less than 5% of breaches involved exploitation of a vulnerability, which suggests that most companies are doing a good job at patching.
If security is prioritized, the rushed digital transformation initiatives from last year present a positive outlook for the technology industry. As a resolution in 2021, organizations should take a step back and ask, “Did we do this correctly?” and “Is everything managed properly?” These initiatives usually take longer to deploy, so it’s fair to assume that the rushed digital transformation decisions may not have been made at the right pace, or with the right preparation. Performing a proper analysis of the threat landscape, reassessing interconnected cloud applications that access data, checking in on third-party applications accessed by partners and customers, and double-checking for any misconfiguration mistakes will help ensure sound security within all areas of the enterprise in 2021 and beyond.