Although cloud vendors like Microsoft are generally responsible for protecting their infrastructures against attacks and even offer additional security services (e.g., the Microsoft 365 Security Center) to help customers with data protection, companies need their own controls as well.
Why? Many different types of cloud users put corporate data at risk, including IT teams, managers and contractors. But the 2019 Netwrix Cloud Data Security Report found that the biggest threat in the cloud comes from regular business users. In fact, 43 percent of organizations say their business users are responsible for cloud security incidents, which is 10 percent higher than a year ago. Therefore, to reduce the risk of incidents, organizations need to implement additional controls.
What exactly are the main risks associated with business users, and how can organizations mitigate those risks?
What makes organizations vulnerable?
One of the main benefits of the cloud is that it enables business users to access data more easily, at any time and from nearly any location. Unfortunately, though, not all business users understand their data security responsibilities, and many organizations don’t provide cybersecurity training to help improve security awareness. As a result, users are likely to make mistakes that could result in security incidents. In fact, the 2019 Cloud Data Security Survey found that the most frequent cause of security incidents in the cloud was accidental mistakes — 45 percent of respondents had incidents due to errors, up 28 percent from a year ago.
Deep visibility into user behavior is a great practice that can help organizations mitigate the risk of data breaches caused by the human factor. However, 36 percent of organizations in the 2019 Cloud Data Security Survey couldn’t identify who was responsible for security incidents — a dramatic increase from just 6 percent in 2018. This shows that the level of insight into user activities around data in these organizations leaves much to be desired.
Another way to reduce insider risk is to use a data discovery and classification (DDC) tool to help you understand how much data you have, who has access to it and which information is most critical and requires protection. Unfortunately, the survey revealed that many organizations neglect this critical practice: among organizations where business users were involved in security incidents, 86 percent failed to classify all data they store in the cloud.
How do organizations plan to mitigate the risk?
To protect data in the cloud, organizations need to implement measures to keep employee activity under control. Some organizations are already planning steps: They are willing to invest in the education of current IT staff (37 percent), provide sufficient budget (36 percent), and require periodic status reports (31 percent). Still, nearly a quarter (23 percent) of IT teams say their management does nothing to support cloud security initiatives, which leaves them ill-prepared for the growing security risks in the cloud.
Based on proven field experience working with organizations to combat insider threats, the following three best practices are the most effective:
- Train your employees. Never underestimate the value of the human factor in cybersecurity. Regular awareness trainings and tests help ensure that your employees are familiar with basic security practices and won’t accidentally put your data and entire infrastructure at risk.
- Get actionable insight into your cloud. Since both user mistakes and cyber attacks are inevitable, you need to regularly audit your cloud environment to see who did what, when and where. But being able to review what happened in the past is only half the battle; you also need to be able to detect and respond to abnormal behavior before it results in a security incident. Moreover, having actionable visibility into your systems and data will enable you to investigate incidents properly to prevent similar issues in the future.
- Classify your data. Data classification technology can take you a long way — you will be able to understand what data exactly you have and increase your awareness of its value and sensitivity to implement adequate controls and secure this data properly. This will be a great instrument for mitigating the risk of inadvertent data leakage due to mistakes by business users. Data classification will also help you explain to your employees from different teams what data they have access to, is this data sensitive or not and what should they do to ensure its security.