These security missteps represent common low-hanging fruit attackers seek to infect companies with ransomware and other costly exploits.
Before the pandemic, cloud adoption was already expanding rapidly, and it accelerated even faster once companies had to make urgent changes to their business operations. For example, the Flexera 2021 State of the Cloud Report found that 61% of companies made slightly higher-than-planned cloud investments and 29% made significantly higher-than-planned cloud investments in 2020. However, besides the overnight changes in how companies work, another area witnessed explosive growth: cyberattacks. According to a research study by Deep Instinct, ransomware attacks increased 435% in 2020 compared with 2019, and malware increased 358% during the same period. Additionally, the average ransomware payout has grown to nearly $234,000 per event, according to cybersecurity firm Coveware.
Cybercriminals still prefer low-hanging fruit
One might assume that the increase in security incidents and breaches results from the bad guys using highly sophisticated social engineering strategies and zero-day malware to breach victims’ networks. However, that’s typically not the case. For example, recall the high-profile Colonial Pipeline cyberattack earlier this year, which shut down a top U.S. pipeline for several days and resulted in a $5 million ransom payout. An audit of the breach revealed that the attackers exploited a legacy VPN account. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network. This incident, the largest cyberattack ever on U.S. oil infrastructure, is a reminder of two important principles. First, simple security mistakes can have severe consequences. Second, cybercriminals prefer low-hanging fruit. Unfortunately, as companies continue shifting infrastructure and apps to the cloud and enabling employees to work remotely, these kinds of mistakes are proliferating. Here are the top five common cybersecurity mistakes companies make that put them at higher risk of security incidents and breaches:
Mistake #1: Thinking the cloud provider has sole security responsibility.
We’re all familiar with the process of updating software. Somewhere in the process, there’s a list of terms and conditions you must agree to before proceeding to the next step. Rather than scrolling through several pages of legal text, most people skip to the end and press “Accept.” Buried within the text, however, is an explanation of the cloud providers’ security responsibilities vs. the user’s responsibilities. The model most commonly used by cloud providers is a “shared responsibility” model, where users shoulder the majority of the “share.”
According to a Barracuda Networks poll of several hundred EMEA IT leaders, most respondents believed that their public infrastructure-as-a-service (IaaS) provider was responsible for securing customer data in the public cloud (64 percent of respondents), securing applications (61 percent) and securing operating systems (60 percent). Under the shared responsibility model, however, these security functions are the customer’s responsibility, not the cloud provider’s.
In addition to these misunderstandings, more companies use cloud platforms from multiple providers, making it even more challenging to ensure compliance with security policies. And internal IT or security staff rarely have the resources to stay on top of these issues.
That means more vulnerabilities and, potentially, costly security breaches. As a result, companies that want to leverage the public cloud to accelerate their business initiatives need to educate themselves about their responsibilities around security and invest in the right tools and technology to protect their employees, customers and data.
Mistake #2: Not implementing the cloud provider’s native security controls.
In the same way that on-prem IT equipment must be configured to protect the network, cloud services must be configured as well. How prevalent is this problem? According to Gartner, through 2025, 99% of cloud security failures will be the customer’s fault, with misconfigurations and mismanagement cited as the top reasons. IaaS providers such as Amazon, Microsoft and Google take care of security for their physical data centers and for the server hardware that hosts virtual machines. However, the customer is in charge of protecting its own virtual machines and applications. Cloud providers offer security services and tools to secure customer workloads, but the administrator must implement the necessary defenses.
Another example that falls into this category is multifactor authentication (MFA), which every cloud provider offers. When it’s turned on, users have to take one extra step to gain access to their apps after entering their username and password, such as entering a one-time password sent to their phone or using a fingerprint reader attached to their computer. This simple step can make a massive difference because the unfortunate reality is that 61% of people reuse passwords across both work and personal accounts. Often, a single data breach (typically on a site that may have nothing to do with your organization) ends up exposing an attack vector everywhere those same credentials are being used. Therefore, organizations must have an additional layer of security in place, such as MFA, particularly for mission-critical systems that, if compromised, could cause significant damage.
Mistake #3: Forgetting the basics
The Colonial Pipeline breach mentioned earlier falls into this category: a lapse in basic security hygiene. With all the rapid changes caused by the pandemic, it’s easy to understand how a company could overlook a VPN account that’s no longer in use. The best way to combat these challenges is to implement and follow security policies and procedures. The good news is that there are already excellent frameworks and guidelines companies can follow, such as:
- NIST (National Institute of Standards and Technology) Cybersecurity Framework—voluntary guidance, based on existing standards, guidelines and practices for organizations to better manage and reduce cybersecurity risk.
- CIS (Center for Internet Security) Critical Security Controls—globally recognized best practices for securing IT systems and data.
It’s important to note that NIST and CIS are complementary to one another. For example, NIST provides the high-level cybersecurity “framework,” and CIS includes more granular “how-to” steps that companies should add to their security framework.
Mistake #4: Failing to restrict access permissions
Most companies have policies and procedures establishing user access privileges and requiring users to refresh their passwords periodically. But, if these procedures aren’t orchestrated and automated, they can never be adequately enforced. That’s why identity and access management (IAM) is a must. An IAM solution allows IT administrators to manage users’ digital identities and access privileges securely and effectively. With IAM, administrators can set up and modify user roles, track and report user activity, and enforce corporate and regulatory compliance policies to protect data security and privacy.
Companies that use cloud and hybrid environments also need to use another IAM solution, known as cloud infrastructure entitlement management (CIEM), to manage entitlements. More than half of an enterprise’s cloud entitlements are granted to applications, machines and service accounts; users and roles are only a small part of the problem. Why do applications and machines need entitlements? Because servers and IoT devices all connect to applications and databases, constantly exchanging information. Applications also connect to other applications, such as a database in Google Cloud Platform connecting to Salesforce or Microsoft 365. As a result, entitlements must be precisely allocated to ensure that data cannot be shared inappropriately and to limit unnecessary access.
CIEM is a software solution that implements the principle of least privilege in cloud environments, thereby limiting users’, apps’, devices’ and machines’ access to resources on an as-needed basis. A case in point where CIEM could have prevented a data breach is Capital One. A threat actor was able to gain access to the financial institution’s customer database in the AWS cloud via a misconfigured firewall. Because the company had no entitlement restrictions in place, the criminal was able to easily access and steal the sensitive information after getting past the firewall.
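The two Mistake #4 paragraphs above describe the problem in prose: entitlements granted to applications and service accounts that are far broader than the job requires. The following is an added example written for this article, not code from any IAM or CIEM product. It lints policy documents in the JSON shape used by AWS IAM (Version/Statement/Effect/Action/Resource) and flags the grants a least-privilege review would reject: the catch-all action `*`, service-wide wildcards such as `s3:*`, the catch-all resource `*`, and actions that let a principal hand out further permissions. The three sample policies, the bucket name and the short list of permission-changing actions are constructed for the example; the action names are real AWS IAM actions, but the list is an illustrative subset, not an exhaustive one.

```python
"""Added example: lint IAM-style policy documents for over-broad entitlements.

Illustrative code for this article, not a CIEM vendor's logic. It reads the
JSON shape used by AWS IAM policies (Version/Statement/Effect/Action/Resource);
the three sample policies and the bucket name below are constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Union

# Actions that let a principal change permissions (its own or others'). An
# application or service account almost never needs these. Illustrative subset
# of real AWS IAM action names, not an exhaustive list.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
}


@dataclass(frozen=True)
class Finding:
    statement: int   # index into the policy's Statement list
    reason: str


def _as_list(value: Union[None, str, List[str]]) -> List[str]:
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict[str, Any]) -> List[Finding]:
    """Return one Finding per over-broad grant found in the policy's Allow statements."""
    findings: List[Finding] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a lone statement may be written as an object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue   # Deny statements only narrow access; nothing to flag
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(Finding(idx, "Action '*' allows every API call"))
            elif action.endswith(":*"):
                findings.append(Finding(idx, f"service-wide wildcard action {action!r}"))
            if action in ESCALATION_ACTIONS or action == "iam:*":
                findings.append(Finding(idx, f"{action!r} can be used to grant further permissions"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(Finding(idx, "Resource '*' applies to every resource in the account"))
    return findings


# --- constructed sample policies -------------------------------------------

# What an "admin" policy looks like when copied onto a service account.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A reporting job that only needs to read one bucket, but was granted far more.
SERVICE_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# The least-privilege version of the same job: one action, one bucket prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports-bucket/*",   # constructed name
        }
    ],
}


def report(name: str, policy: Dict[str, Any]) -> Optional[str]:
    """Human-readable summary; None when the policy passes the review."""
    findings = audit_policy(policy)
    if not findings:
        return None
    lines = [f"{name}: {len(findings)} over-broad grant(s)"]
    lines += [f"  statement[{f.statement}]: {f.reason}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, doc in [("overbroad", OVERBROAD_POLICY),
                       ("service-account", SERVICE_ACCOUNT_POLICY),
                       ("scoped", SCOPED_POLICY)]:
        print(report(label, doc) or f"{label}: OK")
```

Running the script prints two findings for the admin-style policy, four for the service-account policy (a service-wide wildcard and a permission-granting action, each applied to every resource) and "OK" for the scoped policy. In practice a check like this runs on every policy change or on a schedule, so a grant that drifts back toward `*` is caught before an attacker who has slipped past a perimeter control, as in the Capital One case described above, can make use of it.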
Mistake #5: Not cross-training teams
While it’s vital to have security experts within your company, it’s also essential to remember that preventing security incidents is everyone’s responsibility. It doesn’t help matters when there’s friction between developers and the cybersecurity team. The development teams face constant pressure to deliver results. On the flip side, the cybersecurity team is under pressure to ensure systems are released securely, constantly worried about the company appearing in the media for the wrong reasons. Companies that try to alleviate this friction by allowing the teams to work in silos where one doesn’t interact with the other are making a serious error. Security teams need to understand the developers’ goals and everything they’re doing with the cloud. Additionally, developers need training from the security team to ensure they’re following proper security protocols and not exposing their company to any unnecessary risks.
While it’s true that cybersecurity incidents are on the rise, that doesn’t mean breaches and data leaks are inevitable for every business. Besides avoiding the mistakes outlined above, companies should implement continuous security monitoring (CSM) for their cloud services. CSM is a highly beneficial approach to threat detection. Constant monitoring of the security environment allows security specialists to immediately remediate issues that could be exploited in a cyberattack. Hence, CSM is often used and is strongly encouraged in risk management processes as a pre-emptive measure.
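The article's closing paragraph on continuous security monitoring, together with Mistake #2 (MFA not enforced) and Mistake #3 (a VPN account that is no longer in use but still works), describes one recurring check that a monitoring process should run: look at every account that can still log in and flag the ones that have gone dormant or that have no second factor. The following is an added example written for this article, not any vendor's CSM product. The account records, the 90-day dormancy threshold and the fixed "now" timestamp are constructed assumptions; a real deployment would pull the inventory from the identity provider, the VPN appliance or the cloud provider's IAM API on a schedule and feed the findings to a ticketing or alerting system.

```python
"""Added example: a scheduled account-hygiene check over an account inventory.

Illustrative code for this article, not a CSM product's logic. The records,
the dormancy threshold and NOW are constructed so the example runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DORMANT_AFTER = timedelta(days=90)   # assumption: policy threshold for an unused account
NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)   # constructed fixed clock for the example


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool                  # can the account still authenticate?
    mfa_enabled: bool
    privileged: bool               # admin / break-glass / infrastructure role
    last_login: Optional[datetime]  # None means the account has never logged in


@dataclass(frozen=True)
class Finding:
    account: str
    severity: str   # "high" or "medium"
    reason: str


def check_accounts(accounts: List[Account], now: datetime) -> List[Finding]:
    """Flag enabled accounts that are dormant or lack MFA; disabled accounts are skipped."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue   # cannot be used to log in, so it is not an exposure

        # Dormancy: an account nobody has used for a long time (or ever) is exactly
        # the kind of forgotten credential the Colonial Pipeline VPN account was.
        idle = (now - acct.last_login) if acct.last_login is not None else None
        if idle is None or idle > DORMANT_AFTER:
            when = "never" if idle is None else f"{idle.days} days ago"
            findings.append(Finding(
                acct.name, "high",
                f"enabled but dormant (last login: {when}); disable or remove",
            ))

        # Missing MFA: reused or leaked passwords are the common entry point, so a
        # privileged account without a second factor is a high-severity gap.
        if not acct.mfa_enabled:
            severity = "high" if acct.privileged else "medium"
            findings.append(Finding(acct.name, severity, "MFA not enforced"))
    return findings


# Constructed inventory: the kind of snapshot a nightly export would produce.
SAMPLE_ACCOUNTS = [
    Account("alice",             True,  True,  False, NOW - timedelta(days=2)),
    Account("bob-admin",         True,  False, True,  NOW - timedelta(days=1)),
    Account("svc-vpn-legacy",    True,  False, False, NOW - timedelta(days=400)),
    Account("svc-backup-unused", True,  False, False, None),
    Account("contractor-old",    False, False, False, NOW - timedelta(days=200)),
]


def format_findings(findings: List[Finding]) -> str:
    """One line per finding, highest severity first, for a report or alert body."""
    order = {"high": 0, "medium": 1}
    ranked = sorted(findings, key=lambda f: (order[f.severity], f.account))
    return "\n".join(f"[{f.severity.upper():6}] {f.account}: {f.reason}" for f in ranked)


if __name__ == "__main__":
    print(format_findings(check_accounts(SAMPLE_ACCOUNTS, NOW)))
```

On the constructed inventory the check raises five findings: the legacy VPN service account is both dormant and without MFA, the never-used backup account is the same, and the admin account is flagged high-severity for missing MFA even though it is in daily use. The disabled contractor account produces nothing, which is the point: disabling an account at offboarding time is what removes it from the attack surface, and the monitoring loop exists to catch the ones that were missed.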