Teams across your enterprise are uploading, downloading and sharing in the cloud at this very moment. The finance team is accessing a shared spreadsheet, the creative team is sharing video files with a client, so what else could be going on inside just one cloud minute?
So much activity is taking place, but the vast majority is unchecked and out of control. Your CIO and IT department most likely have no idea of what data is being shared and subsequently no idea whether it is secure. Employees access thousands of applications and engage in cloud activities, providing vulnerable access points that threat actors can use to break into your network.
With GDPR on the horizon in 2018, it is imperative that CIOs and IT departments can prove they have a handle on the data they are responsible for. The volume of cloud activity within the enterprise is largely unchecked and out of control, meaning that cloud security is likely to be a major Achilles’ heel for compliance.
There are four main areas that CIOs and other leaders can look at to bolster the cloud security of their organisations in 2018.
Departments in the Cloud Security Firing Line
According to the latest Netskope cloud report, HR and marketing are using the most cloud services, with the departments actively using an average of 139 and 121 respectively. You would be right to be concerned to see HR in this leading position, as the department often leverages user-led applications that carry personally-identifiable information.
Marketing could also offer a bountiful target for threat actors to plunder, with many marketing apps falling into the shadow IT or unsanctioned categories and carrying valuable data. Finance and accounting are almost at the level of HR and marketing, operating an average of 63 services – 94% of which are not enterprise ready.
Not Enterprise Ready
The average enterprise use of 1,181 cloud services in December 2017 marks a sharp spike from the 1,022 average recorded in September 2017. Most shockingly of all, 93% of cloud services in use across all departments are not enterprise-ready.
To tackle this enlarging grey area and reach a point of compliance, CIOs must begin introducing contextual, activity-level policies. A cloud access security broker (CASB) can upgrade non-enterprise ready services by providing fine-grained control. CIOs must also drive education among employees and enforce the training they receive to enhance overall security.
In the fourth quarter of 2017, 54% of all data loss prevention violations were committed against cloud storage. Considering this, CIOs must be aware that the threat landscape is set to be bristling with attacks targeting the cloud in 2018.
The GDPR Tidal Wave
As the GDPR tidal wave races into view, enterprises are battening down the hatches and bracing for impact on deadline day in May. While leaders rally their organisations toward achieving compliance and facing the other challenges of 2018, cloud security may prove to be the undoing for many.
GDPR is at the forefront of business leadership thinking at present, especially for CIOs, and it turns out that cloud security is weak in several different ways. As a starting point, 68% of cloud services used across the Netskope customer base failed to specify that the customer owns the data and 81% of the services did not support encryption at rest.
In what remains of the run up to GDPR it is essential that CIOs set about tracking down all data, as any unturned stone could conceal a dangerous gap in compliance.
The Rise of Cryptocurrency-Related Malware
One attack type that is proving persistent and is expected to be continually relevant in 2018 is banking and cryptocurrency-related cloud malware. PowerShell malware has also been used continually and to great effect against organisations armed with endpoint AV solutions, with this protection proving unable to achieve effective scanning and remediation results.
Organisations must put multiple layers of threat protection into action. With numerous security checkpoints in place it becomes increasingly difficult for these attackers to be lost amongst the massive volumes of cloud traffic. Another effective tactical approach to create a choke-point to defend against these attacks is the application of policies on uploads and downloads of data to scan for malware.
The impact of cloud-focused attacks can also be severe. Netskope’s Threat Research Labs found that 81% of the cloud malware attacks traced were within the high severity bracket, with just 19% placed on the low end of the scale.
This year cloud security simply cannot be ignored, the threat landscape is bristling with danger and it must be remembered that GDPR will deliver swift punishment to those that leave the door open. CIOs can significantly reduce risk by following the Netskope guidance. Bring on board contextual, activity-level security policies, upgrade non-enterprise ready services by accessing a security broker and layer up on threat protection!