CISO to CISO: 3 Practical Tips to Protect Your Data in the Cloud
Written by Marc Blackmer, ShardSecure.
The explosion of remote work over the last two years has driven the rapid adoption of cloud services and, with that, a rise in threats and risk to enterprise data. Now that we know a hybrid work model is here to stay, organizations need to better understand what they can do to protect their data.
I recently had the opportunity to speak with Bryan Littlefair, former CISO Vodafone and of Aviva and CEO of Cambridge Cyber Advisers, to get his insights and recommendations for boards and C-level executives. We covered a lot of ground in our 30-minute discussion, including:
- Strategies for maintaining data confidentiality, integrity, and availability in the cloud.
- Ransomware, supply chain threats, and the geopolitical climate.
- The increasing complexities of data residency and data sovereignty with respect to compliance and best practices for data governance.
- The age of ‘crypto malware,’ its devastating effects, and how organizations can mitigate its impact.
Following are three key take aways from the discussion. For all the details, I encourage you to watch the session, “Controlling data in the cloud: Managing compliance, risk and data resilience.”
1. Ransomware, cryptocurrency, the unintended consequences of cyber insurance and how to strengthen protection
One of the digital pandemics we are facing right now is ransomware. Between the current political situation and cryptocurrency as the only currency not sanctioned, the unprecedented rise in email attacks during COVID, and coverage of ransom payments by cyber insurance companies, we are facing a perfect storm situation. Companies that operate in countries that support Ukraine are at higher risk of cyberattacks. Internet-based attacks like NotPetya don’t respect geographical boundaries and show us how easy it is to become collateral damage. And threat actors actively target companies with cyber insurance because they are more likely to pay.
Bryan suggests a few steps every organization can take to mitigate the risk of ransomware attacks:
- Help employees become your strongest asset—don’t think of them as your weakest link. Aim to get 10% of your security experts’ knowledge into 100% of your employees because regardless of which email filtering solution you use, even if you layer several defenses, there is a very well fueled industry looking at how to circumvent security tools. So, risk will materialize in people’s inboxes.
- On the technology side, make sure you’ve identified and mitigated your vulnerabilities, so you aren’t leaving the backdoor open. Services like Shodan, which is essentially a search engine for finding Internet-connected devices, may be abused to catalog your systems, operating systems, etc., by those conducting reconnaissance against your organization. Shodan is also great tool to help you be proactive in protecting those connected devices.
- Don’t overlook your supply chain. Malicious actors will take the path of least resistance. If your organization has a robust security posture, attackers won’t waste time and resources to for a direct attack. Rather, they will look upstream in your supply chain to find a weak link. Make sure all teams—risk, security, legal, third-party assurance, and procurement—work hand in glove and holistically to understand risk and drive mitigation forward.
2. 10,000 employees = 10,000 home offices that need to be protected.
As employees shifted to working from home during COVID, remotely accessing bandwidth-hungry applications that are on-premises in data centers created a choke point for data. We’ve seen a rapid adoption of cloud services to counteract this, but we haven’t seen a similar investment in security technology for those cloud environments. This gap suggests we may be building cloud environments that aren’t as secure as they could be because we’re moving so fast.
Now, employees are demanding to work from home at least part of the week. CISOs and their teams should step back and make sure they can securely support a hybrid work model for the long term. Bryan points out that the time is right to focus attention and resources to understand where any weakness lies and make sure deployments are as secure as possible. Red teaming or purple teaming is a great way to test your environment, take the learnings, embed improvements, and repeat. It’s always best to kick your own tires before someone kicks them for you. Also, make sure you understand how your cloud service provider manages data backups and maintains data integrity and availability from a security and privacy perspective.
3. Compliance implications of working in a distributed environment.
Companies are doing business around the world amidst a patchwork of more than a hundred competing privacy regulations and national security laws. Given his years of experience serving as the CISO of large, multinational organizations, Bryan knows the pitfalls of complex, fragmented data privacy programs and has learned that the secret to success is to simplify. All data strategies typically have overlap or commonalities around data access policies, proactive preventative measures, response activities, and data backup. Bryan suggests finding the most stringent regulation and applying the same approach globally. When you standardize at the highest tier, you know you will always be compliant across the lower tiers. Legal teams will still have to provide attestation, but from a security perspective, your life will be simplified. You’ll have confidence that you are satisfying all local requirements and can just keep abreast of policy changes.
The world of the CISO was turned upside down during COVID due to cloud adoption, and the challenges keep coming. However, it is never too late to start taking control of your data by proactively putting a cohesive strategy in place that reduces your risk and improves your security capability over time. Watch the session now for more insights and recommendations.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.