SaaS security in 2021

The migration toward subscription-based services via the SaaS business model isn’t new this year — it’s part of a larger shift away from on-premises datacenters, applications, etc., that has been underway for years. The pandemic accelerated the shift, boosting SaaS subscriptions as companies looked for virtual collaboration and meeting tools. What is new on a larger scale is the way employees interact with business applications, and that has implications for IT departments worldwide. As a … More

The post SaaS security in 2021 appeared first on Help Net Security.

78% of Microsoft 365 admins don’t activate MFA

On average, 50% of users at enterprises running Microsoft 365 are not managed by default security policies within the platform, according to CoreView.

Microsoft 365 administrators fail to implement basic security like MFA

The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication (MFA) activated.

According to SANS, 99% of data breaches can be prevented using MFA. This is a huge security risk, particularly during a time when so many employees are working remotely.

Microsoft 365 admins given excessive control

Microsoft 365 administrators are given excessive control, leading to increased access to sensitive information. 57% of global organizations have Microsoft 365 administrators with excess permissions to access, modify, or share critical data.

In addition, 36% of Microsoft 365 administrators are global admins, meaning these administrators can essentially do whatever they want in Microsoft 365. CIS O365 security guidelines suggest limiting the number of global admins to a maximum of two to four operators per business.

Investing in productivity and operation apps without considering security implications

The data shows that US enterprises (on average, not collectively) utilize more than 1,100 different productivity and operations applications, which indicates a strong dedication to the growing needs of business across departments, locations, and time zones.

While increased access to productivity and operations apps helps fuel productivity, these apps have varying levels of security, and unsanctioned shadow IT apps in particular represent a significant security risk.

Shadow IT is ripe for attack and according to a Gartner prediction, this year, one-third of all successful attacks on enterprises will be against shadow IT resources.

Many orgs underestimate security and governance responsibilities

Many businesses underestimate the security and governance responsibilities they take on when migrating to Microsoft 365. IT leaders often assume that Microsoft 365 has built-in, fool-proof frameworks for critical IT-related decisions, such as data governance, securing business applications, and prioritizing IT investments and principles.

The research disproves this by revealing that many organizations struggle with fundamental governance and security tasks for their Microsoft 365 environment. Today’s remote and hybrid working environment requires IT leaders to be proactive in prioritizing security and data governance in Microsoft 365.

25% of IT workers don’t enforce security policies

14% of IT workers are consumed with Identity and Access Management (IAM), spending at least an hour per day on routine IAM tasks, according to 1Password.

IAM continues to be a significant productivity bog for IT and employees alike, with 57% of IT workers resetting employee passwords up to five times per week, and 15% doing so at least 21 times per week.

Shadow IT issues

IAM is often used to detect shadow IT, and 1Password’s survey revealed that it’s largely successful. Four in five workers report always following their company’s IT policy, meaning that just 20% of workers are driving all shadow IT activity in the enterprise. These employees don’t act out of malice but rather a drive to get more done, with 49% citing productivity as their top reason for circumventing IT’s rules.

“The shadow IT picture is more complicated than many think,” said Jeff Shiner, CEO, 1Password. “Most of us follow the rules, but a small group of employees trying to get more done circumvent policies and create openings for credential attacks. They’re sometimes enabled by IT workers who empathize with their pursuit of productivity.”

Ignoring the IT policy

Employees who break their company’s IT policy tend to be:

  • Speed demons: They’re nearly twice as likely to say convenience is more important than security—and almost 50% more likely to say strict password requirements aren’t worth the hassle.
  • Pessimistic about IT capabilities: Employees who break IT policies are nearly twice as likely to say it’s unrealistic for companies to be aware of and manage all apps and devices used by employees at work, and say the IT department is more of a hindrance than a help.
  • Millennials and Gen Z: Nearly three times as many workers who are 18-39 say they do not always follow IT policies, compared to those ages 56 and up.

Lack of tools amid the relentless quest for productivity

IT workers cited lack of suitable technology resources and concern for employee effectiveness as the reason nearly one in three IT workers are not fully enforcing security policies.

Twenty-five percent of IT workers say they don’t enforce security policies universally and 4% don’t enforce those policies at all, for reasons ranging from the hassle involved in managing policies to concerns over workforce productivity.

Thirty-eight percent of IT workers who do not strictly enforce security policies said their organization’s method for monitoring is not robust, while 29% agreed “it’s just too hard and time consuming to track and enforce” and 28% said “our employees get more done if we just let them manage their own software.”

One in three IT workers say that strict password requirements at work aren’t worth the hassle.

The usage of enterprise password managers

89% of IT departments using a password manager say it’s had a measurable impact on security at their company.

IT departments using EPMs report that they save time and frustration for employees (57%), reduce time for IT departments (45%), enhance productivity (37%), reduce breaches/attacks (26%) and create happier employees (26%).

Threat highlight: Analysis of 5+ million unmanaged, IoT, and IoMT devices

A new study incorporates analysis of anonymized data from more than 5 million unmanaged, IoT, and IoMT devices in Ordr customer deployments across a variety of verticals including healthcare, life sciences, retail and manufacturing, between June 2019 and June 2020.

Unmanaged devices

Researchers identified real-world risks across a diverse set of connected devices, reaffirming the need for a comprehensive approach to securing all devices, including discovery, classification, profiling of risks, and automated segmentation.

“In some of my recent research around enterprise IoT security I’ve found that more than 51 percent of IT teams are unaware of what types of devices are touching their network,” said Zeus Kerravala, Principal Analyst, ZK Research. “But perhaps what is more disconcerting is that the other 49 percent oftentimes find themselves guessing or using a ‘Frankenstein’d’ solution to provide visibility into their network security, which almost always creates security issues. Shadow IoT is becoming a real security challenge, as it’s not enough to have the visibility into what is touching your network, but you need a solution like Ordr’s that allows you to resolve the issues in a scalable automated fashion.”

Consumer-grade shadow IoT devices

Among the report’s most interesting findings were the frequent discovery of consumer-grade shadow IoT devices on the network such as Amazon Alexa and Echo devices. The most notable devices discovered on the network included a Tesla and Peloton. Similar to the early days of cloud adoption, where SaaS applications were deployed without IT’s knowledge, unknown and unauthorized IoT devices are now being deployed in the enterprise, introducing a new attack surface.

Researchers also discovered Facebook and YouTube applications running on MRI and CT machines, both of which often use legacy and unsupported operating systems like Windows XP. Using medical devices to surf the web puts an organization at a higher risk of falling victim to ransomware and other malware attacks.

“We found a staggering number of vulnerabilities and risks concerning connected devices,” said Greg Murphy, CEO, Ordr. “To truly realize the potential of IoT, security is paramount. As more IoT devices are deployed, security and risk decision makers need to not only gain visibility into what is connecting to their network, but also understand how it is behaving.”

Additional findings

  • 15-19 percent had IoT devices running legacy operating systems (Windows 7 or older). Since it is often not economical to take these critical systems out of service, these devices need to be properly segmented.
  • 20 percent had PCI DSS violations where IoT devices with credit card information were on the same subnet or VLAN as a tablet, printer, copier, or video surveillance camera.
  • 86 percent of healthcare deployments had more than 10 FDA recalls against their medical IoT devices, which means the medical device is defective, poses a health risk, or both.
  • 95 percent of healthcare deployments had Amazon Alexa and Echo devices active in their environment alongside other hospital surveillance equipment. Voice assistants can unknowingly eavesdrop and record conversations and may put the organization at risk of a HIPAA violation.
  • 75 percent of healthcare deployments had VLAN violations where medical devices were connected to the same VLAN and subnet as other non-medical devices.
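The segmentation violations in the findings above (card-handling devices sharing a subnet with cameras and printers, medical devices sharing a VLAN with voice assistants, legacy-OS devices not isolated) can be checked mechanically from a device inventory. The following is an added example, not code from Ordr or the report; the inventory records, the /24-per-VLAN assumption and the category and legacy-OS labels are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (not from the report): one record per
# discovered device, in the shape a discovery tool might export.
INVENTORY = [
    {"name": "pos-register-01",    "ip": "10.10.20.11", "vlan": 20, "category": "payment",         "os": "Windows 10"},
    {"name": "hallway-camera-03",  "ip": "10.10.20.40", "vlan": 20, "category": "camera",          "os": "Linux"},
    {"name": "printer-lobby",      "ip": "10.10.20.50", "vlan": 20, "category": "printer",         "os": "embedded"},
    {"name": "mri-suite-a",        "ip": "10.10.30.5",  "vlan": 30, "category": "medical",         "os": "Windows XP"},
    {"name": "ct-scanner-b",       "ip": "10.10.30.6",  "vlan": 30, "category": "medical",         "os": "Windows 7"},
    {"name": "echo-nurse-station", "ip": "10.10.30.77", "vlan": 30, "category": "voice-assistant", "os": "embedded"},
    {"name": "infusion-pump-12",   "ip": "10.10.40.12", "vlan": 40, "category": "medical",         "os": "Linux"},
    {"name": "infusion-pump-13",   "ip": "10.10.40.13", "vlan": 40, "category": "medical",         "os": "Linux"},
]

SUBNET_PREFIX = 24  # assumption: every VLAN carries a single /24

# Assumed set of operating systems treated as legacy for this check.
LEGACY_OS = {"Windows XP", "Windows 7", "Windows Server 2003", "Windows 2000"}


def segment_key(device):
    """Devices sharing both a VLAN and an IP subnet form one broadcast domain."""
    net = ipaddress.ip_network(f"{device['ip']}/{SUBNET_PREFIX}", strict=False)
    return (device["vlan"], str(net))


def group_by_segment(inventory):
    groups = defaultdict(list)
    for dev in inventory:
        groups[segment_key(dev)].append(dev)
    return groups


def find_mixed_segments(inventory, sensitive_category):
    """Segments where a device of the sensitive class (e.g. 'payment' for the
    PCI DSS finding, 'medical' for the VLAN finding) shares its VLAN/subnet
    with devices of any other class. Returns {segment: [other classes]}."""
    findings = {}
    for key, devs in group_by_segment(inventory).items():
        cats = {d["category"] for d in devs}
        if sensitive_category in cats and len(cats) > 1:
            findings[key] = sorted(cats - {sensitive_category})
    return findings


def find_unisolated_legacy(inventory):
    """Legacy-OS devices that share a segment with at least one non-legacy
    device: the ones that cannot be patched or retired and so must be
    segmented away from the rest of the network."""
    out = []
    for devs in group_by_segment(inventory).values():
        legacy = [d for d in devs if d["os"] in LEGACY_OS]
        if legacy and len(legacy) < len(devs):
            out.extend(d["name"] for d in legacy)
    return sorted(out)


def report(inventory):
    """One dict with all three checks, suitable for feeding a ticketing tool."""
    return {
        "pci_mixed_segments": find_mixed_segments(inventory, "payment"),
        "medical_mixed_segments": find_mixed_segments(inventory, "medical"),
        "legacy_not_isolated": find_unisolated_legacy(inventory),
    }


if __name__ == "__main__":
    for check, result in report(INVENTORY).items():
        print(f"{check}: {result}")
```

On the constructed inventory, VLAN 40 (two infusion pumps alone) is clean, while VLAN 20 and VLAN 30 reproduce the PCI and medical co-location findings respectively.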

There are real risks and threats posed by IoT, IoMT, and other connected devices if not accounted for and properly managed. As many analysts predict, there is no sign of the slowing of adoption of IoT devices in the workplace, so security needs to be prioritized.

Ransomware attacks are increasing, do you have an emergency plan in place?

39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before, Ontrack reveals.

Cyberattacks and data breaches can have serious implications for organizations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to be prevalent. Unfortunately, the damage caused can be severe and widespread.

The largest ransomware attack to date – WannaCry – was estimated to have affected more than 200,000 computers across 150 separate countries. Ransomware today is rife and has been exacerbated by the current work-from-home trend.

Working backup access denied

21% of the survey respondents said they had experienced a ransomware attack, and of those, 26% admitted they couldn’t access any working backup after the attack. Even when organizations could access a working backup, 22% of them could either only restore a partial amount of data or none at all.

In most countries, employees have been working under a completely different set of parameters for a couple of months; ones where new security risks are high and where cybercriminals are finding new ways to exploit any weaknesses they can find.

“We have seen a sharp increase in the number of ransomware cases since lockdown began,” comments Philip Bridge, president of Ontrack. “Unfortunately, this is at a time when more distractions at home have led to an increased amount of complacency by staff. For example, clicking on ransomware-infected links that they wouldn’t click if they were in the office.”

Remote working creating major vulnerabilities

Whilst there are numerous benefits, the remote working seen during lockdown can leave a business’s IT network and systems vulnerable. It adds a huge number of endpoints to organizations that may not have been there previously. Plus, many of them are considered shadow IT and have not been vetted by the employer.

“The threat of ransomware has never been greater. The fact that only 39% of respondents to our survey have an emergency plan in place for a ransomware attack is shocking. They are gambling with their own and their customers’ data.

“It is imperative, now as ever, to ensure your organization has processes and procedures in place to mitigate the impact of any cyber-attack and protect sensitive data,” adds Bridge.

Because IT security and the C-suite are misaligned, digital transformation increases cyber risk

While digital transformation is understood to be critical, its rapid adoption, as seen with cloud providers, IoT and shadow IT, is creating significant cyber risk for most organizations. Today, these vulnerabilities are only exacerbated by misalignment between IT security professionals and the C-suite.

The research by CyberGRX and Ponemon Institute surveyed 900 IT security professionals and C-level executives covering financial, healthcare, industrial, public sector and retail industries.

Digital transformation is increasing cyber risk

Digital transformation is increasing cyber risk, and IT security has very little involvement in directing efforts to ensure a secure digital transformation process. Such misalignment of resources is illustrated by 82% of respondents believing their organizations experienced at least one data breach as a result of digital transformation.

Fifty-five percent of respondents say with certainty that at least one of the breaches affecting their organization was caused by a third party.

Digital transformation has increased reliance on third parties

Digital transformation has significantly increased reliance on third parties, specifically cloud providers, IoT and shadow IT; and many organizations do not have a third-party cyber risk management program.

Sixty-three percent of respondents say their organizations have difficulty in ensuring a secure cloud environment and 54% of IT security professionals say avoiding security exploits is a challenge.

Additionally, 56% of C-level executives say their organizations find it a challenge to ensure third parties have policies and practices that ensure the security of their information.

IT security and C-suite misalignments

Conflicting priorities between IT security and the C-suite create vulnerabilities and risk. These two groups do not agree on the importance of safeguarding risk areas, including high value assets.

IT security respondents are more likely to say the rush to produce and release apps, plus the increased use of shadow IT, are the primary reasons their organizations are more vulnerable following digital transformation.

But in contrast, C-level respondents say increased migration to the cloud and increased outsourcing to third parties makes a security incident more likely. The majority of C-level respondents do not want the security measures used by IT security to prevent the free flow of information and an open business model.

Inadequate budgets

Budgets are, and will continue to be, inadequate to secure the digital transformation process. The majority of organizations do not have adequate budget for protecting data assets and don’t believe they will in the future. In fact, only 35% of respondents say they have such a budget.

Because of the risks created by digital transformation, respondents believe the percentage of the IT security budget allocated to digital transformation today should almost be doubled, from an average of 21% to 37%. In two years, the average percentage will be only 37%, and respondents say ideally it should be 45%.

“If there’s one major takeaway from our research, it’s that digital transformation is not going anywhere. In fact, organizations should expect—and plan for—digital transformation to become more of an imperative over time,” says Dave Stapleton, CISO, CyberGRX.

“For this reason, organizations must consider the security implications of digital transformation and shift their strategy to build in resources that mitigate risk of cyberattacks.

“Based on these findings, we recommend involving organizations’ IT security teams in the digital transformation process, identifying the essential components for a successful process, educating colleagues on cyber risk and prevention, and creating a strategy that protects what matters most.”

Security personnel and senior management need to unite

The research identifies trends and best practices from organizations that had mature digital transformation programs in place. These findings suggest that across organizations, flexibility and collaboration—particularly between IT teams and C-level executives—will be key to ensure digital transformation that is both efficient and secure.

Going forward, it is imperative that C-level executives comprehend the level of risk they take on when they become vulnerable to reputational damage brought on by security incidents involving third-party relationships.

At the same time, both security personnel and senior management need to unite on a strategy that lowers the organization’s cyber risk profile while keeping key business goals and operations in sync. Finally, significant investments in skilled personnel and the technologies that secure and protect data and assets must be made to reduce third-party risk.

Home workplaces introduce new risks, poor password hygiene

Entrust Datacard released the findings of a survey of 1,000 US full-time professionals, which highlights the critical need to address data security challenges for employees working from home as a result of the pandemic.

As social distancing mandates took effect in March 2020, employers found themselves in a massive remote work experiment, testing their cybersecurity readiness. Home workplaces introduce new risks as many employees find themselves distracted and are using personal devices to connect to corporate resources.

Bad actors have taken advantage – there was a 350 percent increase in phishing attacks in March, according to Google data.

Home workplaces and password hygiene

When it comes to home workplaces, password hygiene is of the utmost importance. Despite this, the survey found that an astounding 42 percent of employees surveyed still physically write passwords down, 34 percent digitally capture them on their smartphones and 27 percent digitally capture them on their computers.

Additionally, nearly 20 percent of the employees are using the same password across multiple work systems, multiplying the risk to sensitive data if that password is compromised or stolen.

“While many employees are set up to work securely by their employers, they continue to seek simplicity, even if that means insecure password practices and higher risk. As organizations continue to support employees working from home, it’s clear that they need to ramp up cybersecurity training and technology,” said James LaPalme, Vice President & General Manager of Authentication Solutions at Entrust Datacard.

“Encryption combined with advanced authentication, including passwordless solutions that leverage smartphone biometrics, can deliver the frictionless experience employees seek and the confidence organizations require. These solutions will one day make World Password Day obsolete and I don’t think employees or employers will miss it.”

In addition to password practices, the survey revealed several insights into employee sentiment toward remote work and cybersecurity.

Nearly half of workers are receiving COVID-related phishing emails

Employees surveyed are well aware both of phishing scams in general (82 percent) and of phishing scams specifically related to COVID-19 (81 percent) – in fact, 45 percent say they have received a COVID-19-related email from an unknown sender.

Despite this high awareness, roughly one-quarter (24 percent) of employees say they’ve clicked on a link from an unknown sender before determining its legitimacy, while just 36 percent deleted the email and only 12 percent reported the email.

Workers not set up properly for good cyber-hygiene while remote

The majority of employees surveyed (63 percent) are connecting to their company’s VPN during this time, yet they are using unique passwords to access different company resources (64 percent), rather than a more secure solution like single sign on with multifactor authentication.

Anxiety and inadequate technology as key remote work challenges

Most employees (59 percent) surveyed find it more difficult to get their work done while working remotely during the pandemic. Of those who said it’s more difficult, 26 percent are finding it much more difficult.

External distractions, COVID-19 related anxiety and inadequate amenities (e.g., slow internet) are the top three cited reasons for this heightened difficulty. Additionally, remote workers in education, government, healthcare and manufacturing cite the challenge of work duties that do not always translate to remote work.

Remote workers are sharing devices with family members

While working from home under stay-at-home orders, 36 percent of employees surveyed are using one or more personal devices to access company files. These devices create opportunities for employees to make use of shadow IT, creating risks (e.g., phishing, malware, DDoS).

Moreover, 29 percent of those using one or more personal devices to work share that device with other members of their household, creating further risk.

Consumers are skeptical their personal data is safe

Survey respondents feel less confident about their security when handling personal business. Sixty-eight percent of respondents are doing more personal business online during the pandemic, including shopping, banking and social media, and more than half (58 percent) are skeptical of the level of security provided by these online vendors and service providers.

Employees — particularly Gen Z — don’t expect a return to the office as usual

Social distancing mandates have forced employers to embrace remote work, and employees to rethink their expectations. Forty-four percent of all respondents expect to work from home either more frequently (33 percent) or permanently (11 percent).

These percentages are markedly higher among Gen Z (ages 18-23) employees, fully half of whom (50 percent) do not anticipate a return to work as usual.

Shadow IT accounts with weak passwords endanger organizations

63% of enterprise professionals have created at least one account without their IT department being aware of it, and two-thirds of those have created two or more, the results of a recent 1Password survey have revealed.

Even more worryingly, only 2.6% of these 63% use a unique password when they create a new shadow IT account at work and just 13% use a password generator – the rest re-use a memorable password or use a pattern of similar passwords.

The danger of shadow IT and weak passwords

As we wait for a more secure authentication solution to find its way into mainstream usage and achieve widespread acceptance, we have to find a way to minimize the risks that come with password use.

For enterprises, one of the risks is tied to shadow IT: the IT systems/solutions used by its employees without their use being authorized and supported by the IT department.

“Say Carlos [in marketing] populates Airtable with customer data for his email campaigns, and Anita [in legal] checks sensitive legal documents in Grammarly. Without thinking about it, they’re sharing a lot of important data with external companies that IT doesn’t even know about,” 1Password CEO Jeff Shiner explained.

“If one of these services suffers a breach, the company won’t know it affects them, which leaves them powerless to secure their data after the event. It also means they’ll be unable to disclose it to their customers. This could leave any company facing costly fines and a huge loss of trust in its operations.”

Individual accounts could also be compromised by attackers if they are secured by weak and/or re-used passwords, or if the employee shared the password with a colleague in an insecure manner, as most of those who have shared one did.

Finally, former employees might retain access to their shadow IT accounts and their contents after they leave the organization.

“At worst, this company data could be shared with a competitor; at best, it’s left dormant and hidden, but it still puts the company at risk if the service is breached,” Shiner noted.

The solution

The pragmatic solution to the shadow IT problem is not banning it, but finding a way to bring it all back under the IT department’s control, he believes.

Promoting and encouraging the use of a password manager for creating strong, unique passwords for all accounts, storing them and sharing them securely can help with the unseen password problem.

How IoT devices open a portal for chaos across the network

Shadow IoT devices pose a significant threat to enterprise networks, according to a new report from Infoblox.

The report surveyed 2,650 IT professionals across the US, UK, Germany, Spain, the Netherlands and UAE to understand the state of shadow IoT in modern enterprises.

Number of shadow IoT devices growing exponentially

Shadow IoT devices are defined as IoT devices or sensors in active use within an organization without IT’s knowledge. These devices can be any number of connected technologies including laptops, mobile phones, tablets, fitness trackers or smart home gadgets like voice assistants that are managed outside of the IT department.

The survey found that over the past 12 months, a staggering 80% of IT professionals discovered shadow IoT devices connected to their network, and 29% found more than 20.

The report revealed that, in addition to the devices deployed by the IT team, organizations around the world have countless personal devices connecting to their network. The majority of enterprises (78%) have more than 1,000 devices connected to their corporate networks.

“There are more than 25 billion connected devices globally, and that number is increasing exponentially,” said Brad Bell, CIO of Infoblox.

“IoT devices empower us to live healthier lives, gain greater insight into the world around us, and improve the ways businesses operate. But they can also present a serious cybersecurity risk and create challenges for IT leaders in their efforts to maintain and protect their network.”

Threat to branch offices

89% of IT leaders were particularly concerned about shadow IoT devices connected to remote or branch locations of the business.

“As workforces evolve to include more remote and branch offices and enterprises continue to go through digital transformations, organizations need to focus on protecting their cloud-hosted services the same way in which they do at their main offices,” the report recommends.

“If not, enterprise IT teams will be left in the dark and unable to have visibility over what’s lurking on their networks.”

To manage the security threat posed by shadow IoT devices to the network, 89% of organizations have introduced a security policy for personal IoT devices. While most respondents believe these policies to be effective, levels of confidence range significantly across regions.

For example, 58% of IT professionals in the Netherlands feel their security policy for personal IoT devices is very effective, compared to just 34% of respondents in Spain.

“As the complexity of networks continues to increase, IT teams will need to leverage solutions that help simplify networking procedures and make it easier to identify and track the security policies of devices connected to their network,” continued Bell.

“If IT managers want to address the challenge posed by shadow IoT devices, they will need to find ways to bring them into the light.”

52% of companies use cloud services that have experienced a breach

Seventy-nine percent of companies store sensitive data in the public cloud, according to a McAfee survey.

Anonymized cloud event data showing percentage of files in the cloud with sensitive data

While these companies approve an average of 41 cloud services each, up 33 percent from last year, thousands of other services are used ad-hoc without vetting. In addition, 52 percent of companies use cloud services that have had user data stolen in a breach.

By leaving significant gaps in the visibility of their data, organizations leave themselves open to loss of sensitive data and to regulatory non-compliance.

Cloud services have replaced many business-critical applications formerly run as on-premises software, leading to a migration of sensitive data to the cloud. Use of personal devices when accessing cloud services, the movement of data between cloud services, and the sprawl of high-risk cloud services drive new areas of risk for companies using the cloud.

For organizations to secure their data they need a thorough understanding of where their data is and how it is shared – especially with the rapid adoption of cloud services.

As part of this report, McAfee surveyed 1,000 enterprise organizations in 11 countries and investigated anonymized events from 30 million enterprise cloud users to gain a holistic view of modern data dispersion.

Shadow IT continues to expand enterprise risk

According to the study, 26 percent of files in the cloud contain sensitive data, an increase of 23 percent year-over-year. Ninety-one percent of cloud services do not encrypt data at rest, meaning data isn’t protected if the cloud provider is breached.

Personal devices are black holes

Seventy-nine percent of companies allow access to enterprise-approved cloud services from personal devices. One in four companies have had their sensitive data downloaded from the cloud to an unmanaged, personal device, where the company can’t see or control what happens to the data.

Accessing cloud services: Intercloud travel and risk

Collaboration facilitates the transfer of data within and between cloud services, creating a new challenge for data protection. Forty-nine percent of files that enter a cloud service are eventually shared.

One in 10 files that contain sensitive data and are shared in the cloud use a publicly accessible link to the file, an increase of 111 percent year-over-year.

Anonymized cloud event data showing percentage of files shared in the cloud with sensitive data using a public access link

A new era of data protection is on the horizon

Ninety-three percent of CISOs understand it’s their responsibility to secure data in the cloud. However, 30 percent of companies lack the staff with skills to secure their Software-as-a-Service applications, up 33 percent from last year. Both technology and training are outpaced by the rapid expansion of cloud.

“The force of the cloud is unstoppable, and the dispersion of data creates new opportunities for both growth and risk,” said Rajiv Gupta, senior vice president, Cloud Security, McAfee.

“Security that is data-centric, creating a spectrum of controls from the device, through the web, into the cloud, and within the cloud provides the opportunity to break the paradigm of yesterday’s network-centric protection that is not sufficient for today’s cloud-first needs.”