Cloud adoption has exploded as organizations seek operational benefits, such as efficiency and cost reduction. Gartner forecasts that worldwide public cloud spending will reach nearly $500 billion this year. Once organizations have migrated to the cloud, however, their cyber journey isn’t complete.
Security is a shared responsibility between users and cloud providers. Duty of care dictates that organizations need to think about how their data is secured — this extends to how cloud-hosted applications are secured, as well as underlying infrastructure like corporate networks.
Unfortunately, security incidents that expose sensitive data are common, and many trace back to misconfigured AWS S3 buckets or exposed APIs. Security practitioners have a lot to consider when it comes to cloud access: controlling which accounts should be granted access, what their authentication methods are, and monitoring their usage.
Many organizations aren’t doing this well. Too many have an immature security posture and are using spreadsheets to manage accounts and passwords. Users get their credentials provisioned manually by sending an email to someone in IT or security, which opens the organization up to tremendous risk in an area that has proven to be costly.
Three of the top four most expensive attack vectors relate to credentials, according to IBM’s Cost of a Data Breach Report 2022, including phishing ($4.91 million per breach), business email compromise ($4.89 million per breach), and stolen or compromised credentials ($4.5 million per breach), which is the most frequent vector hackers leverage.
Organizations need to up the ante with their security posture. Spreadsheets were never a secure way of managing credentials, and hardening the security posture of that sensitive data doesn’t need to be overly complex or break the bank. Here’s how to get started.
Reassess organizational culture
Humans have a knack for rationalizing, particularly when it comes to security that introduces friction to their ability to gain access to something. They don’t assess risk properly — too many people will repurpose a Netflix password for corporate use because it has a few random numbers in it, not knowing it is on a compromised password list.
This is where policy starts butting heads with philosophy. People may be the best part of an organization, but they’re also the weak link when it comes to cybersecurity. According to the World Economic Forum, 95% of cybersecurity issues can be traced back to human error. This also affects how organizations budget their resources and investments.
Business leaders need to take a balanced approach when it comes to facing these challenges and allocating budget. It’s easy to turn a blind eye toward security and focus on investing in new capabilities that can increase revenue, but ignoring security increases cyber risk over time. By funding a sufficient level of protection, business leaders can create a competitive advantage over other organizations and become more resilient.
Qualify for and acquire insurance coverage
Obtaining cyber insurance coverage can increase business resilience and harden organizational security posture. In many sectors, it’s simply too risky to do business without having coverage. But it isn’t as easy as simply filling out a form.
Insurers are starting to limit their risk and increased premiums by 74% in 2021, according to Fitch Ratings. In order to qualify for coverage, many organizations need to prove they have adequate endpoint detection and response (EDR) and multi-factor authentication (MFA) for network access. According to Beazley, organizations that haven’t implemented MFA are more than twice as likely to suffer a ransomware attack as those that have. Privileged access management (PAM) controls are also highlighted by cyber insurance carriers as beneficial in gaining coverage. A basic password manager is table stakes for PAM controls — a step up from a spreadsheet with sensitive information in it just waiting to be hacked.
Essentially, cyber insurers have become primary drivers for the adoption of modern security tools. The additional benefit of adding those controls is that organizations can qualify for insurance coverage in case the worst does happen.
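To make the access-management points concrete (the earlier question of which accounts have access, how they authenticate and how their usage is monitored, together with the MFA expectation insurers now set), here is an added example that is not part of the original article: a small Python audit over an IAM-style credential report that flags console users without MFA and active access keys that are unused or stale. The column names follow a subset of the AWS IAM credential report; the report rows, account ID, user names, the 90-day staleness threshold and the fixed reference date are constructed assumptions for the example.

```python
"""Audit a constructed IAM credential report for weak access hygiene.

Added example, not from the original article. The columns mirror a subset
of the AWS IAM credential report (user, password_enabled, mfa_active,
access_key_N_active, access_key_N_last_used_date), but every row below is
constructed sample data, not a real account. A live report would come from
`aws iam get-credential-report` (base64-decoded) and could be fed to
audit() unchanged.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: header row plus four hypothetical users.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,2021-01-10T09:00:00+00:00,true,2024-05-01T08:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,false,N/A,N/A,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-03-15T09:00:00+00:00,true,2024-05-02T08:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,false,true,2022-01-01T00:00:00+00:00,2024-05-02T10:00:00+00:00,false,N/A,N/A
deploy-svc,arn:aws:iam::111111111111:user/deploy-svc,2020-06-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-06-01T00:00:00+00:00,2023-09-01T00:00:00+00:00,true,2021-02-01T00:00:00+00:00,N/A
carol,arn:aws:iam::111111111111:user/carol,2022-08-20T09:00:00+00:00,true,no_information,2022-08-20T00:00:00+00:00,N/A,true,false,N/A,N/A,false,N/A,N/A
"""

# Fixed reference date so the example is deterministic (assumption).
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
# Keys unused for longer than this are flagged (assumed policy value).
STALE_KEY_DAYS = 90


def _parse_ts(value):
    """Return an aware datetime, or None for the report's N/A markers."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def load_report(text):
    """Parse the CSV report into a list of per-user dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def users_without_mfa(rows):
    """Human users (console password enabled) with no active MFA device."""
    return sorted(
        r["user"] for r in rows
        if r["password_enabled"] == "true" and r["mfa_active"] != "true"
    )


def stale_access_keys(rows, now=NOW, max_age_days=STALE_KEY_DAYS):
    """Active access keys that were never used or not used within max_age_days.

    Returns (user, key_slot) tuples so each key can be rotated or disabled.
    """
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for r in rows:
        for slot in ("1", "2"):
            if r[f"access_key_{slot}_active"] != "true":
                continue
            last_used = _parse_ts(r[f"access_key_{slot}_last_used_date"])
            if last_used is None or last_used < cutoff:
                findings.append((r["user"], slot))
    return findings


def audit(text, now=NOW):
    """Run both checks over a report and return the findings by category."""
    rows = load_report(text)
    return {
        "no_mfa": users_without_mfa(rows),
        "stale_keys": stale_access_keys(rows, now),
    }


if __name__ == "__main__":
    for category, items in audit(SAMPLE_REPORT).items():
        print(category, items)
```

In the constructed data, `bob` has a console password but no MFA, and the `deploy-svc` service user holds two active keys, one unused since 2023 and one never used; both are exactly the findings a PAM or access-review process should surface and remediate before an insurer or auditor asks.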
Recognize how the cloud is different
Traditional security measures are all about the bubble that is an organization’s on-premises network. The focus used to be on securely getting inside the bubble, and then everything was fair game. Employees were trusted and access was broad. In the cloud, the bubble is much harder to establish and the stakes are raised for which identities should be trusted to gain access to which resources.
Cloud migration changes organizational cyber environments and potentially increases cyber risk. This is why tools like MFA and thorough PAM controls are important — it’s essential to know where passwords are and how users are getting access.
What was acceptable for securing an on-premises corporate network just a few years ago won’t cut it in the cloud today. Cybersecurity professionals need to consider everything from account details to authentication methods and look at security through the lens of zero trust to make sure cybersecurity teams are granting access without putting their organizations in danger.
Moving to the cloud is an exciting chapter for any organization, but cyber leaders need to make sure they have the proper controls in place so security can keep pace with the speed of business innovation.