Enterprises are rapidly moving larger and larger quantities of corporate data to the cloud. Companies around the globe recognize the advantages the cloud has over traditional computing, most visibly in increased collaboration among employees. The proof is in the pudding: companies using the cloud grow 19.3% faster than their counterparts. But, understandably, the cloud brings different security challenges than traditional on-premises and PC solutions. Security in the cloud should be addressed with the same diligence as on-premises software, yet our research shows that few companies consider themselves to have mature cloud security programs.
For example, insider threat has always existed. In the early days, physical barriers may have seemed to stand in the way of stealing corporate data, but with cloud applications the same damage can be done in just a few clicks. Insider threat can be both accidental and malicious. The average organization experiences 9.3 potential insider threat incidents each month, and 89.6% of organizations experience at least one per month on average. One of the most dangerous types of insider threat comes from privileged users. This occurs monthly at 55.6% of organizations, with the average company experiencing 2.8 potential privileged user incidents each month. New research finding that 20% of office workers would sell their corporate passwords validates the CISOs who already consider this threat top of mind.
While insider threat certainly sounds devious and can lead to significant security breaches, it’s just as important to address the low-hanging fruit. Basics like security education can help stop insider threat in the form of negligence. 15.8% of files in the cloud contain sensitive data, but employees may not know the security best practices for accessing and sharing this data, including with partners outside the organization. People are the most unreliable element of a company’s information security “infrastructure”, more often through error than malice. With that in mind, security teams need to influence and steer employees toward good security etiquette. A little coaching can prevent accidental breaches such as oversharing in the cloud.
So much being made about "the insider threat!" And so little around "excel at the basics" 🙁 https://t.co/vKuQcsgjbV
— Alex Hutton (@alexhutton) March 24, 2016
Implementing a training program and the tools that go along with it is not an easy task. For companies embarking on information security projects, there is no substitute for a chief information security officer. Surprisingly, fewer than 50% of organizations currently have a CISO.
The job description of a CISO is never stagnant. The position develops and changes at the same pace as the cybersecurity landscape. Generally speaking, a CISO’s responsibilities include overseeing regulatory compliance, setting security policies, and taking responsibility for data privacy. Bringing in a new C-level executive raises questions of metrics and organizational structure. There is a healthy debate around who the CISO should report to. The tide seems to be turning in favor of the view that, to be truly effective, the CISO should have the same visibility with the CEO and the board as the other executives in the C-suite.
If your CISO isn't on equal footing with the other executives in your company, why bestow the CxO level title? Seems to create friction…
— Bruce Potter (@gdead) March 21, 2016
Waiting until you are breached to hire a CISO can be an expensive mistake. Not only do security threats multiply every day, but breaches are getting more expensive. The average cost of a data breach is estimated at $3.8 million, a 23% increase since 2013. Target ended up with a $252 million bill. Needless to say, they hired their first CISO in 2014, after their blockbuster data breach.