October 15, 2019
By Dan Seyer
Security is no longer a concern just for IT and CISOs. October is National Cybersecurity Awareness Month and a reminder that today's complex technology and compliance environments require every single internal employee and external vendor to understand and implement security measures into workflows.
Attackers do not confine their attention to the Security team. Rogue insiders planning an attack on payroll do not send memos declaring their intentions. Marketers routinely handle PII and transmit it to clients, often with little regard for the subtleties of Security, Compliance and IT rules. And regulators will not excuse a non-compliant data retention just because the person who saved the data works outside IT.
Such is the inevitable outcome of a shared data model, where employees and contractors across every business unit have access to a wide range of corporate-sensitive data, ranging from network credentials and identification badge formats to small details such as when a specific employee typically arrives at work or the name of the new administrative assistant in payroll.
Add the cloud and an ever-expanding list of mobile devices into the mix, along with Shadow IT cloud purchases, and there are lots of new places for corporate-sensitive data to hide, away from the eyes of IT, Security or Compliance. Let's drill into a few of these.
Internet Of Things (IoT)
Today's IoT devices are being purchased and used by departments far away from IT, Security and Compliance. Consider IoT lightbulbs purchased by Maintenance, or IoT door locks bought by Facilities. Or Supply Chain's efforts to track pallets as they sail across an ocean with IoT trackers attached. Or the manager of the corporate car fleet who uses IoT to track the speed and location of every vehicle at every moment. Every one of these devices is reachable by attackers, many ship with weak default configurations, and because they were never bought through IT they rarely appear in any asset inventory or patch cycle.
Social Engineering
Identity thieves, cyber criminals and sometimes cyberterrorists love social engineering: calling employees and contractors and trying to trick them into revealing sensitive data. When it works, the data is sometimes usable on its own, as when a network password is captured. More typically it is used to make the next round of the attack more credible.
The nature of social engineering is that it is aimed at employees in every corner of the company. Employees can be trained to not be tricked, but the big "security is everyone's job" point here is that employees must immediately report any social engineering attacks to Security or IT. That’s not always done. If an attack is successful, the employee may be embarrassed and perhaps worried about being fired. If an attack is unsuccessful, they may not see a need to report it. "Can you please tell me when Jane Doe typically gets in?" "Sorry, I can't share that information." The attacker hangs up and the employee takes no action.
But alerting Security to the details of that call would allow them to send an all-personnel alert, saying something like, "Someone has been calling random employees to try and identify when our people report for work. This may be a social engineering attack. Obviously, do not share this information, but please report any further attempts to Security." Such a memo might thwart an attack attempt before it can do any damage. If the first Security hears about an attack is after it has succeeded, it is already too late.
DevSecOps
DevSecOps is the practice of either embedding a security engineer in a development team or training a developer to act as the team's eyes and ears for Security. Either way, it pushes developers to write code with security in mind from the start.
This produces more secure code. But for DevSecOps to work, every developer, including the managers of every development group, must cooperate. That means running design ideas by the security representative and, critically, acting on what the security representative suggests. Ignored suggestions become the vulnerabilities in the shipped code.
Shadow IT
Workgroups may procure their own platforms, typically from a cloud provider they contract with directly, outside corporate processes, to do sensitive client work. This is often done with the knowledge of the line-of-business (LOB) manager but without any mention to IT or Security. In these unsanctioned scenarios, backup systems, data retention policies and compliance requirements are routinely ignored.
Employees who turn to Shadow IT are simply trying to get their work done and don't feel like waiting for IT to get to their requests. Given how overworked and understaffed most Fortune 500 IT departments are, the frustration is understandable. But this is also precisely how security, compliance and IT problems get created: the rules exist for a reason, and Shadow IT efforts will eventually cause problems for the enterprise.
Mobile Devices
Similar to Shadow IT, the mobile problem arises when employees copy sensitive corporate data onto their personal mobile devices and transmit it to clients, contractors and other employees, again with no regard to backup, data retention, compliance or any other security concern.
Privacy Regulations
Whether it's privacy rules from Canada, the EU's GDPR or the newly amended California Consumer Privacy Act, regulations governing how sensitive data must be handled are constantly expanding.
GDPR, for example, treats IP addresses as personal data (its Recital 30 names IP addresses among the online identifiers that can identify a natural person), so what a US team would call PII. That means the web-traffic data Marketing and E-Commerce capture about visitors to the company site carries its own retention requirements. Is a marketing analyst downloading last week's traffic activity reports to crunch over the weekend? Will the file migrate from a corporate cloud, via VPN, to a home laptop? And from there, into a non-corporate backup at a consumer service such as Carbonite? It is easy to see how that chain of events results in a data leak, and one that the company cannot see, let alone delete on schedule.
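The export is the point where an engineer can intervene. As an added example, not code from the original post, the following Python script pseudonymises the client addresses in a constructed web-server log before the report is handed to an analyst, stamps each record with a delete-by date derived from an assumed 90-day retention policy, and provides a check that no full-precision address survived. The sample log lines, the retention window and the function names are assumptions.

```python
import ipaddress
import re
from datetime import date, timedelta
from typing import List

# Constructed sample in combined-log format; these are documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.42 - - [07/Oct/2019:09:15:02 +0000] "GET /pricing HTTP/1.1" 200 5120
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [07/Oct/2019:09:15:09 +0000] "GET /contact HTTP/1.1" 200 2048
198.51.100.7 - - [07/Oct/2019:09:16:44 +0000] "POST /signup HTTP/1.1" 302 0
"""

# Candidate IPv4/IPv6 literals anywhere on the line (client field, X-Forwarded-For, referrer).
# The regex is deliberately loose; ipaddress.ip_address() decides what is really an address,
# so timestamp fragments such as "2019:09:15:02" fall through unchanged.
_IP_CANDIDATE = re.compile(
    r"(?<![\w:.])((?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+)(?![\w:.])"
)


def pseudonymise_ip(token: str) -> str:
    """Keep the network part of an address and zero the host bits (/24 for IPv4, /48 for IPv6).

    Tokens that are not addresses are returned unchanged.
    """
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return token
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def scrub_export(log_text: str, exported_on: str, retention_days: int = 90) -> List[str]:
    """Pseudonymise every address in the export and stamp each record with its delete-by date.

    exported_on is an ISO date such as "2019-10-14"; the 90-day default is an assumed policy value.
    """
    delete_by = (date.fromisoformat(exported_on) + timedelta(days=retention_days)).isoformat()
    scrubbed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        line = _IP_CANDIDATE.sub(lambda m: pseudonymise_ip(m.group(0)), line)
        scrubbed.append(f"delete_by={delete_by} {line}")
    return scrubbed


def leaked_addresses(lines: List[str]) -> List[str]:
    """Pre-release check: every address that still carries host bits (empty after scrubbing)."""
    leaked = []
    for line in lines:
        for m in _IP_CANDIDATE.finditer(line):
            token = m.group(0)
            try:
                ipaddress.ip_address(token)
            except ValueError:
                continue  # timestamp or other non-address fragment
            if pseudonymise_ip(token) != token:
                leaked.append(token)
    return leaked


if __name__ == "__main__":
    report = scrub_export(SAMPLE_LOG, exported_on="2019-10-14")
    print("\n".join(report))
    print("leaked:", leaked_addresses(report))
```

Truncating to /24 and /48 keeps the report useful for geographic and traffic analysis while removing the bits that single out one household or device. It is pseudonymisation, not anonymisation: timestamps, user agents and request paths in the remaining fields can still identify a person when combined, so the delete-by stamp still has to be honoured wherever the file ends up.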
Outside of IT, Security and Compliance, employees today are not trained to look at data from a security or compliance perspective. A company that does not implement across-the-board data security training will most likely end up with serious cyber attacks and unpleasant scrutiny from regulators.