The 12 Biggest Cloud Security Threats Facing Your Organization

New CSA Report Reveals the Top 12 Cloud Security Threats in 2018

Cloud computing has opened up a world of opportunities for businesses, but it has also resulted in new cyber security threats. Some of these mirror the threats organizations have been combating on premises for years, while others are unique to the cloud. What are the top cloud security threats organizations face in 2018? Recently, the Cloud Security Alliance (CSA) released its “Treacherous 12” report to answer this question.

In order of severity, the biggest cloud security threats identified by the respondents were:

  1. Data breaches – While data breaches are not unique to cloud computing, the cloud presents both the avenues of attack faced on-premises and new vulnerabilities specific to cloud environments. The continuing epidemic of AWS breaches illustrates the ubiquity of this threat.
  2. Weak identity, credential, and access management – Weak passwords, not using multifactor authentication, a lack of scalable identity access management systems, and a lack of ongoing automated rotation of passwords, cryptographic keys, and certificates open the door to breaches and cyber attacks.
  3. Insecure APIs – Cloud providers expose a set of software user interfaces (UIs) or APIs for customers to manage and interact with cloud services. These APIs and UIs are generally the most exposed part of the system, and their security determines the security and availability of the cloud services. Adequate API and UI security is the first line of defense against hackers.
  4. System and application vulnerabilities – While buggy software is not new, the advent of multitenancy in the cloud – where systems from different customers are placed close to each other and given access to shared memory and resources – paves a new avenue of attack for hackers.
  5. Account hijacking – Again, this isn’t new or unique to the cloud, but stolen cloud credentials could allow hackers to wreak even more damage than on-premises credentials. Two-factor authentication and continuous monitoring can mitigate these types of cloud security threats.
  6. Malicious insiders – While security experts disagree on the specific extent of this threat, the fact that it exists is not up for debate. Insider threats, malicious or otherwise, were recently named the top threat facing healthcare cyber security.
  7. Advanced persistent threats (APTs) – APTs are parasitical cyberattacks that infiltrate systems to establish a foothold in the computing infrastructure, from which they smuggle data and intellectual property. Spear phishing, direct hacking, delivering attack code through USB devices, penetration through partner networks, and use of unsecured or third-party networks are common points of entry for APTs. APTs work stealthily and over extended periods of time, often adapting to the security measures intended to defend against them.
  8. Data loss – Data can be permanently lost due to a malicious attack, a natural disaster such as a fire or earthquake, or even accidental deletion. Business continuity and disaster recovery best practices are key to preventing data loss.
  9. Insufficient due diligence – Organizations that rush to adopt cloud technologies, choose a cloud service provider, or merge with or acquire another firm that uses cloud technologies without performing due diligence are risking a myriad of commercial, financial, technical, legal, and compliance problems.
  10. Abuse and nefarious use of cloud services – Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud enable cyber criminals to engage in DDoS attacks; email spam and phishing campaigns; crypto mining; large-scale automated click fraud; brute-force compute attacks of stolen credential databases; and hosting of malicious or pirated content.
  11. Denial of service (DoS) attacks – By forcing a cloud service to consume inordinate amounts of finite system resources, attackers can cause severe system slowdowns and prevent legitimate customers from accessing their services. In some cases, these attacks may be staged as a distraction to occupy security personnel while hackers attack another part of the system.
  12. Shared technology vulnerabilities – Cloud service providers deliver scalable services through shared infrastructure, platforms, or applications. This can lead to shared technology vulnerabilities; a single vulnerability or misconfiguration can result in the provider’s entire cloud being compromised.

Protecting Against Cloud Security Threats

Some organizations think that migrating to the cloud means that the responsibility for cyber security shifts to the cloud provider. However, in most cases, the cloud provider is responsible for security of the cloud, meaning the underlying infrastructure; the cloud customer is responsible for security in the cloud, meaning the data and applications they choose to store and run there.

Further, while there are many similarities between cloud and on-premises security, there are also many differences. If your in-house security staff is not well-versed in cloud security threats, it’s imperative to seek help from a reputable cyber security vendor who is.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Employees Are Biggest Threat to Healthcare Data Security

Two new reports illustrate the threat of employee carelessness and maliciousness to healthcare data security

Healthcare data security is under attack from the inside. While insider threats – due to employee error, carelessness, or malicious intent – are a problem in every industry, they are a particular pox on healthcare data security. Two recent reports illustrate the gravity of the situation.

Verizon’s 2018 Protected Health Information Data Breach Report, which examined 1,368 healthcare data security incidents in 27 countries (heavily weighted towards the U.S.), found that:

  • 58% of protected health information (PHI) security incidents involved internal actors, making healthcare the only industry where internal actors represent the biggest threat to their organizations.
  • About half of these incidents were due to error or carelessness; the other half were committed with malicious intent.
  • Financial gain was the biggest driver behind intentional misuse of PHI, accounting for 48% of incidents. Unauthorized snooping into the PHI of acquaintances, family members, or celebrities out of curiosity or for “fun” was second (31%).
  • Over 80% of the time, insiders who intentionally misused PHI didn’t “hack” anything; they simply used their existing credentials or physical access to hardware (such as access to a laptop containing PHI).
  • 21% of PHI security incidents involved lost or stolen laptops containing unencrypted data.
  • In addition to PHI breaches, ransomware continues to plague healthcare data security; 70% of incidents involving malicious code were ransomware attacks.

Meanwhile, a separate survey on healthcare data security conducted by Accenture found that nearly one in five healthcare employees would be willing to sell confidential patient data to a third party, and they would do so for as little as $500 to $1,000. Even worse, nearly one-quarter reported knowing “someone in their organization who has sold their credentials or access to an unauthorized outsider.”

Combating Insider Threats to Healthcare Data Security

Healthcare data security is especially tricky because numerous care providers require immediate and unrestricted access to patient information to do their jobs. Any hiccups along the way could result in a dead or maimed patient. However, there are proactive steps healthcare organizations can take to combat insider threats:

  • Establish written acceptable use policies clearly outlining who is allowed to access patient health data and when, and the consequences of accessing PHI without a legitimate reason.
  • Back up these policies with routine monitoring for unusual or unauthorized user behavior; always know who is accessing patient records.
  • Restrict system access as appropriate, and review user access levels on a regular basis.
  • Don’t forget to address the physical security of hardware, such as laptops.


#MeToo Prompts Employers to Review their Anti-Harassment Policies

Comprehensive anti-harassment policies are even more important in light of #MeToo movement

The #MeToo movement, which was birthed in the wake of sexual abuse allegations against Hollywood mogul Harvey Weinstein, has shined a spotlight on the epidemic of sexual harassment and discrimination in the U.S. According to a nationwide survey by Stop Street Harassment, a staggering 81% of women and 43% of men have experienced some form of sexual harassment or assault in their lifetimes, with 38% of women and 13% of men reporting that they have been harassed at their workplaces.

Because of the astounding success of #MeToo – the “Silence Breakers” were named Time magazine’s Person of the Year in 2017 – businesses are bracing for a significant uptick in sexual harassment complaints in 2018. Insurers that offer employment practices liability coverage are expecting #MeToo to result in more claims as well. Forbes reports that they are raising some organizations’ premiums and deductibles (particularly in industries where it’s common for high-paid men to supervise low-paid women), refusing to cover some companies at all, and insisting that all insured companies have updated, comprehensive anti-harassment policies and procedures in place.

In addition to legal liability and difficulty obtaining affordable insurance, sexual harassment claims can irrevocably damage an organization’s reputation and make it difficult to attract the best talent. Not to mention, doing everything you can to prevent a hostile work environment is simply the right thing to do. Every company with employees should have an anti-harassment policy in place, and it should be regularly reviewed and updated as the organization and the legal landscape evolve.

Tips for a Good Anti-Harassment Policy

While the exact details will vary from workplace to workplace, in general, an anti-harassment policy should be written in straightforward, easy-to-understand language and include the following:

  • Real-life examples of inappropriate conduct, including in-person, over the phone, and through texts and email.
  • Clearly defined potential penalties for violating the policy.
  • A clearly defined formal complaint process with multiple channels for employees to make reports.
  • A no-retaliation clause assuring employees that they will not be disciplined for complaining about harassment.

In addition to having a formal anti-harassment policy, organizations must demonstrate their commitment to a harassment-free workplace by providing their employees with regular anti-harassment training, creating a “culture of compliance” from the top down, and following up with victimized employees after a complaint has been made to inform them of the status of the investigation and ensure that they have not been retaliated against.

Continuum GRC proudly supports the values of the #MeToo movement. We feel that sexual harassment and discrimination have no place in the workplace. In support of #MeToo, we are offering organizations, free of charge, a custom anti-harassment policy software module powered by our award-winning IT Audit Machine GRC software. Click here to create your FREE Policy Machine account and get started. Your free ITAM module will automate the process and walk you through the creation of your customized anti-harassment policy, step by step. Then, ITAM will act as a centralized repository of your anti-harassment compliance information moving forward, so that you can easily review and adjust your policies and procedures as needed.
