As you look to build your threat and vulnerability management program, here are RedLegg's top security risks to consider.
1. Data Theft by Third-Party Vendors
According to LogicMonitor Cloud Vision 2020, 83% of company workloads will be in the cloud by 2020. This means you may be entrusting much of your valued data to third-party providers.
Many of these providers use open source components in building their cloud. According to a 2019 study by Snyk, there has been an 88% growth in vulnerabilities in these open source components. Further complicating matters, many of these cloud companies lack the skill set to secure their environment appropriately, leading to breaches.
Advisory consulting can help with migration strategies from traditional on-premise to hybrid or full cloud strategies. Vendor management strategies are another area where a consultant can help; the leverage that comes from partnering with your vendors can help increase your visibility into hosted data. Walking through what your cloud footprint looks like, whether you have a strong migration strategy in place, whether you have a strong vendor management strategy in place, and whether you are comfortable with your visibility into data hosted by third parties is a great starting point for discussion.
2. Loss of Data Due to Shadow IT
Shadow IT is the practice of non-IT people using IT tools to perform tasks without the knowledge or consent of the IT or security groups. A common example is using Google Drive or Dropbox to store or transfer files. Data can be lost this way (it is not necessarily backed up), and it usually means that the data is only as secure as that user's password, which further increases the risk.
Data Loss Prevention solutions are helpful for minimizing risk. Data discovery and classification can also be of value to companies in helping to identify data you may not know existed or was being synced with a cloud drive.
3. Poor Security Policies
Security policies create a guiding blueprint for how to handle security within an organization. It may be easy to drop in a product to secure the environment, but without the policy framework in place, numerous gaps and inconsistencies may exist. Adopting strong policies (e.g. two-factor authentication requirements for remote access, no shadow IT) can help reduce those risks.
If you find you have few or no policies, a Virtual CISO may be helpful. If you have some policies but are unsure of their effectiveness or breadth, then a policy review or gap assessment may be the way to go.
4. Insider Threats to Data Theft
25% of known data breaches had a social engineering component. More than 20% of employees in a survey admitted to stealing sensitive data from companies. Humans are the weak link in the security chain, and protections that help enforce rules against stealing data are important.
You can look at UEBA tools to help identify users acting outside of your normal baseline. You can also consider insider threat tools.
Microsegmentation can help identify users accessing data they are not supposed to or, at a minimum, alert on it. Another approach is pen testing: test these detection technologies to see if they are working properly.
5. Business Email Compromise
Business email compromise is still a serious issue and one that companies need to watch out for. Controlling someone's email can lead to phishing or whaling scams, and it can also give an attacker plenty of information about the company itself.
Email security tools can help prevent BEC; strong policies, provided through advisory services, are another useful control; and a pen test can judge how much risk the organization faces from this type of attack. Conducting a phishing test is another way to determine the level of risk and help users build their security awareness. Finally, multi-factor authentication can help prevent compromise through weak passwords.
6. Skilled Worker Shortage
53% of companies see problematic shortages of security workers. What do companies do when there is a shortage of skilled security workers? They turn to virtual CISOs, managed services, training, and other approaches. Read this intriguing article by Symantec on the security worker shortage and consider sharing it among your security staff.
7. It Only Takes One Phish
Phishing tests are critical to teaching users security awareness. However, with failure rates of 40-50%, companies forget that outside of a test, it only takes one.
Penetration testing can help simulate a breach, while phishing education may reduce the chances of employees clicking; EDR and SIEM can detect intruders, and email security tools can help sandbox bad links.
Learn how you can strengthen your company's security posture with RedLegg solutions and advisory services.