
Ask Jack: Can An Image Deliver Malware?

Is it possible to deliver malware through an image? Jack provides the answer.

Ask Jack: What Is The Real Risk For Small- And Medium-Sized Businesses After A Cyber Attack?

Jack McCalmon, Esq. details the mindset small- and medium-sized employers should have when addressing cyber breach risk, and the end results of a breach.

Ask Jack: If I Purchase Macs, Do I Really Lower My Cyber Exposure?

An employer asks Jack McCalmon, Esq. if macOS will lower cyber exposures.

Emotet Malware Makes A Comeback: What is It And What Prevention Steps Can Employers Take?

Cybersecurity experts have noticed a significant increase in cybercriminals using this malware to attack networks. What can you do to help prevent it?

Shadow IT And Cloud Services Present Difficult Challenges For Employers

Before the pandemic forced thousands of employees to work from home and required employers to make network resources available to those remote workers, many employers were contemplating moving some of their data to cloud servers.

The reasons were clear: cloud-based services such as Amazon Web Services (AWS), Google Compute Platform, and Microsoft Azure offered agility and scalability, allowing organizations to quickly add new users and services as needed, not to mention the cost savings of a subscription versus maintaining their own physical infrastructure.

This rush to the cloud has resulted in several lapses in data security, including misconfiguration of the cloud services, a lack of understanding as to who is responsible for what, and plain poor password hygiene.

According to the 2020 Cloud Threat Report from Oracle and KPMG, 51 percent of organizations reported that misconfigurations have led to compromise and exposure of sensitive data. This includes exposure of unencrypted data to the public internet without any required authentication; granting public access to storage buckets; improper creation of network functionality; allowing all system users access to exposed cloud-stored data; and storing encryption passwords and keys in open repositories, among other issues.

These issues point to the second problem. Not knowing what the customer is responsible for and what the cloud service is responsible for continues to cause data exposure risks. For instance, both Amazon's infrastructure-as-a-service (IaaS) model and Microsoft's platform-as-a-service (PaaS) Azure model try to communicate the principle that the provider takes care of the basics while the customer takes care of what is under the customer's control. Thus, while AWS will ensure that S3 buckets can only be accessed consistent with the policy governing their use, setting that policy for the data stored there is the customer's responsibility. Many customers have suffered data exposure because they failed to do their part to secure their data.
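The bucket-policy point above is where many of the "public access to storage buckets" exposures come from, so a defender wants a way to spot an over-broad policy before data lands in the bucket. The following is an added example, not code from the article or from AWS: it audits an S3 bucket policy document for Allow statements that are open to everyone (a `*` principal with no Condition) and contrasts a constructed public-read policy with a constructed policy scoped to a single IAM role. The bucket name, account ID and role name are placeholders.

```python
import json

# Constructed sample: a bucket policy that grants anonymous read of every object.
# Bucket name is a placeholder, not a real bucket.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
})

# Constructed corrected policy: the same read access, but only for one IAM role
# in the customer's own account (account ID and role name are placeholders).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
})


def _is_public_principal(principal):
    """True when the statement applies to every caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def find_public_statements(policy_json):
    """Return the Allow statements that are open to everyone with no Condition.

    Each finding records the statement's Sid (or its index when it has none),
    the actions it allows and the resource it applies to.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _is_public_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            # A wildcard principal narrowed by a Condition (for example to one VPC
            # endpoint or organisation) still deserves review, but is not wide open.
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": st.get("Sid", f"statement[{i}]"),
            "actions": actions,
            "resource": st.get("Resource"),
        })
    return findings


def is_public(policy_json):
    """Convenience wrapper: does this policy expose anything to the whole internet?"""
    return bool(find_public_statements(policy_json))


if __name__ == "__main__":
    for name, policy in (("public-read", PUBLIC_READ_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", "PUBLIC" if is_public(policy) else "ok", find_public_statements(policy))
```

To run this against a real bucket, feed it the `Policy` string returned by `aws s3api get-bucket-policy --bucket <name>`. A policy check like this complements, rather than replaces, the account-level S3 Block Public Access setting, which is the guardrail that stops such a statement from taking effect in the first place.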

Finally, even if properly configured, data may be exposed due to poor password hygiene. According to Verizon's 2021 Data Breach Investigations Report, over 80 percent of data and privacy breaches are due to poor password practices. "Rethinking Cyber-Defense Strategies in the Public-Cloud Age" (Apr. 22, 2022).


Employers should also be aware of “Shadow IT” issues.

This is a term used to describe unsanctioned IT resources, i.e., employees using a cloud application to do their work that was not provided or approved by the employer's IT department.

It is a new twist on the old problem of employees using non-company-provided software to get their jobs done, innovate, and boost their productivity. Nevertheless, it represents a risk if IT does not know about it and therefore cannot manage or secure it.

According to industry analyst firm Gartner, as many as one-third of successful attacks on enterprises target these untracked, invisible-to-IT resources. Consider two popular and genuinely useful cloud services: Airtable, a cloud collaboration service that offers the features of a database applied to a spreadsheet, and the grammar-checking service Grammarly. An employee's innocent use of Airtable to store customer data, or of Grammarly to check sensitive legal documents, can share a lot of important data with external companies that IT does not even know about.

Policies should be developed to encourage employees to disclose what services they need, or are using, so IT can determine whether they are appropriate or a risk to the network.
