EDITOR’S QUESTION
RAY POMPON, PRINCIPAL THREAT RESEARCH EVANGELIST, F5 NETWORKS
The 2019 F5 Labs Application Protection report revealed that 14% of all breaches were directly attributable to employee accidents and a further 20% were lost to employee negligence related to storage of confidential data in email. That doesn’t consider the additional 22% of 2019 breaches resulting from employees being duped by phishing. In other words, billions of personal records were put at risk by ‘inadvertent insiders’. It is a prickly problem and one that is only going to get worse as multi-cloud deployment scenarios become operational prerequisites.

Alarmingly, F5 Labs noted over 27 major leaks in cloud and cloud databases in the past three years directly caused by misconfiguration of access controls. Nearly half of those happened in 2019. As more organisations race to the cloud, more accidents are occurring. Considering how easy cloud systems are to use, it’s no surprise. It doesn’t take much engineering skill for someone to populate a cloud database, secure or not, and get started on the new gold rush. Gartner has predicted that, ‘through 2025, 99% of cloud security failures will be the customer’s fault’.
When it comes to better tracking employees to reduce insider threats, organisations need to consider both the malicious and accidental insider. Most companies provide access to corporate data (internal apps, email) through staff-owned devices, yet aside from setting basic screen lock requirements, few actually control the data that goes onto these devices. Corporate and personal data is now everywhere – spread across internal applications and the multi-cloud. Organisations need to ensure that, beyond simply tracking devices, they have proper data governance in place and that they enforce consistent security policies regardless of where the app and data reside. Businesses also need to realise that policy, more than technology, will be key to success. Organisations must understand the entire data lifecycle for all of their apps: who owns the data, who has access, how it is retrieved and how it is deleted.
Phishing will remain one of the most common and most successful forms of accidental insider breaches and cyberattacks for the foreseeable future, and that’s simply because it doesn’t inherently rely on a weakness in technology. Phishing and spear-phishing attacks continue to evolve and are no longer crude and easy to spot.
Organised cybercrime groups and nation-states expend significant effort to understand their victims and take advantage of social engineering techniques. Education is critical and can reduce the success of phishing attacks by a third, but technology needs to support us. There must be a move away from password-based authentication schemes and, until we reach that point, multi-factor authentication should be used absolutely everywhere. Ultimately, business leaders need to improve at leading by example and supporting continually evolving awareness-raising programmes. They also need to ensure existing defence postures are rigorously interrogated and enhanced to cope with ever-expanding attack surfaces and increasingly ingenious cybercriminal activity.
INTELLIGENTCIO