5 Steps to Implement Vulnerability Management into your Business
Discover how you can implement vulnerability management into your business with our useful guide.
While there are still those who are unaware of the risks that come with outdated cybersecurity tools and practices, the majority of businesses have gotten used to the necessity of having comprehensive visibility across all cloud apps. Keeping an eye on cloud apps and discovering them is essential for various reasons. Several companies have gained insight into ‘shadow IT’, enabling them to integrate unsanctioned apps into their corporate framework or help users find other options. Most importantly, it is a vital first step in addressing the security challenge.
As the saying goes, you can’t secure what you don’t know, and you have to start somewhere to have any chance of success. As data protection laws evolve and the consequences of not complying with them increase, identifying cloud use and mitigating the risks is increasingly important.
Typically, in CensorNet’s experience working with organisations yet to embark upon the discovery/visibility process, a Chief Information Officer’s starting estimate will be perhaps 30 to 40 cloud apps in use by employees.
“Less than a hundred, anyway,” is a fairly standard response, CensorNet says. In reality, most companies use at least 1,000 cloud-based apps across their business, and that’s when the magnitude of the problem becomes apparent.
It may seem unbelievable that 1,000 apps could qualify as fully-functioning cloud services, but consider how low the bar is. Every interaction an employee has with the company’s website through their browser, sharing or attaching information that could end up outside of your IT department’s control, is considered a security risk.
That’s the problem; too much visibility and too little control. Like having a crystal-clear windshield and dashboard in your car, with no means of changing speed or direction! Cloud application security is still in its infancy in many European organisations.
The issue of weak cloud app security reached a turning point in 2017 when accidental online leaks and misconfigured services and portals overtook hacking as the top cause of exposed data records.
Risk Based Security reports that an astonishing 69% of exposed data records (5.4 billion in total) were exposed because nobody had a firm handle on them, rather than due to malicious attacks.
Administrators continue to misconfigure high-profile services like Amazon S3, and storage buckets are repeatedly left misconfigured, exposing sensitive data at scale.
It is becoming harder to resolve this issue as IT departments worldwide struggle to cope with skill gaps in cyber security, evidenced by the growing trend of more IT job vacancies than applicants.
However, even the most accomplished security professionals sometimes don’t have all the answers. After all, they’re up against cloud services’ highly dynamic, elastic nature and rapidly changing employee usage habits.
If you were to examine your list of 1,000 or so cloud apps, you’d find that some present as ‘riskier’ than others or, in technical terms, are at the most significant risk of data exfiltration. Invariably, these include any file-sharing platform, such as cloud storage, team-working, and messaging apps. By the same measure, you’d also have to highlight your cloud CRM system as among the highest risk of all.
It would be easy enough to identify and block these once and for all to mitigate the associated risks. But there’s a more business-friendly approach. Imagine kissing goodbye to your OneDrive, Dropbox, Google Suite, Slack, WhatsApp, and Skype for Business once and for all, let alone something like Salesforce!
Visibility and discovery are no longer enough, and it’s time to reclaim control. And the good news is that cloud application security can be simple. To cope with the shift from static websites of the past to the ever-increasing interactivity we get today, traditional web security approaches must be updated to a logical new state. By simply establishing visibility, we provide valuable intelligence that a control function can use. However, doing so successfully rests on what your definition of success is. Do you want to eradicate all risks, whatever the cost, or securely optimise productivity?
In the latter case, organisations would be better served by applying risk levels to each of the app’s many hundreds of possible actions rather than assigning risk to the entire application. With these factors understood, individual users can be restricted to specific functions based on their roles and needs. For example, only some people need to edit or download files. Often, users are satisfied with viewing content. Working from the unique risk framework developed for the organisation, we ensure that the value of cloud apps is maximised in the way most appropriate for a given user.
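The action-level approach described above, as an added example (not ITRM's or CensorNet's code): a small Python policy check that compares a whole-app verdict with a per-action verdict for the same role. The app names, action names, risk scores, role ceilings, and sample events are all constructed assumptions.

```python
# Constructed risk framework: (app, action) -> risk score, 1 (low) to 5 (high).
ACTION_RISK = {
    ("dropbox", "view"): 1,
    ("dropbox", "download"): 3,
    ("dropbox", "share_external"): 5,
    ("salesforce", "view"): 2,
    ("salesforce", "export_report"): 5,
    ("slack", "post_message"): 2,
    ("slack", "upload_file"): 4,
}
# Hypothetical role ceilings: the highest action risk each role may perform.
ROLE_MAX_RISK = {"contractor": 1, "staff": 3, "sales_manager": 5}
UNKNOWN_ACTION_RISK = 5  # unclassified actions fail closed


def action_level(role, app, action):
    """Decide on the single action being attempted."""
    risk = ACTION_RISK.get((app.lower(), action.lower()), UNKNOWN_ACTION_RISK)
    ceiling = ROLE_MAX_RISK.get(role, 0)  # unknown roles get no access
    return "allow" if risk <= ceiling else "block"


def app_level(role, app):
    """Whole-app policy: the app inherits the risk of its riskiest action."""
    risks = [r for (a, _), r in ACTION_RISK.items() if a == app.lower()]
    worst = max(risks, default=UNKNOWN_ACTION_RISK)
    return "allow" if worst <= ROLE_MAX_RISK.get(role, 0) else "block"


def review(events):
    """Return (user, app, action, app-level verdict, action-level verdict)."""
    return [
        (e["user"], e["app"], e["action"],
         app_level(e["role"], e["app"]),
         action_level(e["role"], e["app"], e["action"]))
        for e in events
    ]


# Constructed sample events, shaped like records a web proxy might emit.
SAMPLE_EVENTS = [
    {"user": "amy", "role": "staff", "app": "dropbox", "action": "view"},
    {"user": "amy", "role": "staff", "app": "dropbox", "action": "share_external"},
    {"user": "raj", "role": "contractor", "app": "salesforce", "action": "view"},
    {"user": "lee", "role": "sales_manager", "app": "salesforce", "action": "export_report"},
]

if __name__ == "__main__":
    for row in review(SAMPLE_EVENTS):
        print(*row, sep="\t")
```

Under the whole-app policy the staff user loses Dropbox entirely, while the per-action policy still lets them view files and blocks only the external share.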
To put it simply, then: visibility and control aren’t about tidying up a tiny aspect of your cyber security concerns; they target the root cause of exposed data records, which underpins data protection governance and compliance.
To find out how we can help you with your cloud security challenges, don’t hesitate to get in touch with our friendly team of experts today. Or, for more strategic cybersecurity advice for your business, keep up to date with the ITRM blog.