Intelligent CIO Europe Issue 25 - Page 35

EDITOR’S QUESTION
RAY POMPON, PRINCIPAL THREAT RESEARCH EVANGELIST, F5 NETWORKS

The 2019 F5 Labs Application Protection report revealed that 14% of all breaches were directly attributable to employee accidents and a further 20% were lost to employee negligence related to storage of confidential data in email. That doesn’t consider the additional 22% of 2019 breaches resulting from employees being duped by phishing. In other words, billions of personal records were put at risk by ‘inadvertent insiders’.

It is a prickly problem and one that is only going to get worse as multi-cloud deployment scenarios become operational prerequisites. Alarmingly, F5 Labs noted over 27 major leaks in cloud and cloud databases in the past three years directly caused by misconfiguration of access controls. Nearly half of those happened in 2019. As more organisations race to the cloud, more accidents are occurring. Considering how easy cloud systems are to use, it’s no surprise. It doesn’t take much engineering skill for someone to populate a cloud database, secure or not, and get started on the new gold rush. Gartner has predicted that, ‘through 2025, 99% of cloud security failures will be the customer’s fault’.

When it comes to better tracking employees to reduce insider threats, organisations need to consider both the malicious and the accidental insider. Most companies provide access to corporate data (internal apps, email) through staff-owned devices, yet aside from setting basic screen lock requirements, few actually control the data that goes onto these devices. Corporate and personal data is now everywhere – spread across internal applications and the multi-cloud. Organisations need to ensure that, beyond simply tracking devices, they have proper data governance in place and that they enforce consistent security policies regardless of where the app and data reside. Businesses also need to realise that policy, more than technology, will be key to success.

Organisations must understand the entire data lifecycle for all of their apps: who owns the data, who has access, how it is retrieved and how it is deleted.

Phishing will remain one of the most common and most successful forms of accidental insider breaches and cyberattacks for the foreseeable future, and that’s simply because it doesn’t inherently rely on a weakness in technology. Phishing and spear-phishing attacks continue to evolve and are no longer crude and easy to spot. Organised cybercrime groups and nation-states expend significant effort to understand their victims and take advantage of social engineering techniques. Education is critical and can reduce the success of phishing attacks by a third, but technology needs to support us. There must be a move away from password-based authentication schemes and, until we reach that point, multi-factor authentication should be used absolutely everywhere.

Ultimately, business leaders need to improve at leading by example and supporting continually evolving awareness-raising programmes. They also need to ensure existing defence postures are rigorously interrogated and enhanced to cope with ever-expanding attack surfaces and increasingly ingenious cybercriminal activity.