Those familiar with the term “shadow IT,” which typically refers to SaaS applications not provided by IT, could hardly have expected the issue to appear in CNN headlines, much less in the US presidential debate. Hillary Clinton’s private email took the award for most famous instance of shadow IT and perfectly illustrates the causes and risks behind the phenomenon.
Clinton used her private email rather than her government-provided account out of convenience. In doing so, she circumvented the State Department’s security controls, outsourcing the security of sensitive data to her third-party provider. While there are many enterprise-ready cloud service providers capable of securing sensitive data from attackers, non-technical employees are not always educated on how to choose a low-risk service.
Consumer cloud applications are particularly attractive as alternatives to corporate solutions because they are typically free and easy to use. This appeal baited CIA Director John Brennan into using his AOL email account for the sensitive government information contained in his background check documents. The recently revealed breach of this data by an amateur hacker lends immediacy to the information security concerns around cloud applications IT is not aware of. While many mocked the choice of AOL, a service so antiquated that one shudders to imagine the corporate solution it replaced, every employee can relate to using a preferred alternative to a clunky corporate tool. The so-called consumerization of IT lights a fire under enterprise IT departments to proactively offer user-friendly SaaS work tools to employees, or risk being left behind.
— Andrew Kalat (@Lerg) October 20, 2015
The other half of this story is the technique used to access Brennan’s account. Rather than defeat AOL’s security, the attacker relied on social engineering, a popular technique that relies on strategic manipulation of human elements in the security supply chain. In this case, the attacker tricked Verizon representatives into revealing personal information necessary for resetting Brennan’s AOL password. Facebook CSO Alex Stamos pokes fun at this revelation to highlight the fact that although companies typically blame “advanced persistent threats” for security breaches, the actual failures often come down to simple, low-tech maneuvers.
I'm sure it was advanced, persistent asking him nicely what his password is. https://t.co/VVSAEdHz67
— Alex Stamos (@alexstamos) October 19, 2015
The immediate solution for vulnerabilities of the kind behind Brennan’s email breach is to set and enforce policies governing the sprawl of sensitive data in the cloud. In the long run, the best results in reducing high-risk cloud usage can actually come from employee education. Even employees who work with sensitive data may not be aware of the security risks of using consumer cloud services for work. Coaching end users turns your employees into security allies rather than liabilities. Similarly, educating employees on common social engineering attacks, such as phishing attempts, can help prevent malicious access to the company network or cloud service accounts. Joffrey Goumet of Mielabelo reminds us it’s never too late to go back to security basics.
10 tips for spotting a phishing email https://t.co/lQxAY1qUpK
— Joffrey Goumet (@JGoumet) October 20, 2015
After nearly every breach, the public raises the issue of accountability. Business leaders have proven they’re not immune from the chopping block. Dave Ockwell-Jenner of SITA points out that CEOs are now ultimately responsible for data breaches.
— Dave Ockwell-Jenner (@DaveOJ) October 20, 2015
This trend echoes the realities of information security on two fronts. First, an effective information security program requires the buy-in of the CEO – not only for budgeting, but also to enforce organization-wide programs like the security education mentioned above. Second, boards are now recognizing that the largest costs of data breaches are reputational damages rather than legal settlements or remediation costs. Sujeet Bambawale of NetApp makes the point that security is more than a necessary check box: it’s a competitive differentiator. 61 percent of customers will abandon a company if it suffers a known breach, and this implicit value for information security is what has caught the Board of Directors’ attention. CISOs can expect to benefit from increased budgets and more visibility at the board level. Don’t expect this trend to falter anytime soon, with blockbuster cases like Brennan’s email keeping the iron hot.
Security drives trust drives competitive advantage. #6wordcyber
— Sujeet Bambawale (@Sujeet) October 20, 2015