What the Deloitte Email Breach Can Teach Us
Last week we discussed how addressing privacy as part of a cybersecurity strategy can help organizations unlock the value of data through the responsible use and handling of all data, especially sensitive material. As effective as this approach is, once the data is shared outside company systems, it’s out of the company’s control. This loss of control is particularly applicable when discussing the use of email and cloud solutions – a platform that hosts data for organizations at a fraction of the cost, but outside a company’s firewall.
Take for example the recent breach of accounting giant Deloitte’s email systems. This breach not only affected Deloitte employee emails, but messages from approximately 350 clients, , including including four US government departments, the United Nations and some of the world’s biggest multinationals.
These clients may well have very secure email systems on premise or in the cloud, but it doesn’t matter. When their business partner’s email was breached, their sensitive information was exposed. This example puts a fine point on what we all should know — when you share information with others, you delegate some of your information to security to their teams and the systems they use.
Since more organizations are moving their email and file shares to the cloud, let’s take a closer look at these systems. We know that cloud providers continue to enhance cloud data security. But what happens when your information is shared outside the cloud provider (think email and file sharing services). The loss of control that the data owners face is immeasurable. So too is the decreased security and transparency that data owners have with regards to who sees the data and where the data travels. Few technologies better embody this loss of control than cloud platforms.
We live in the early era of cloud technology, defined mostly by cloud’s ability to provide a cost effective, scalable, and easy to maintain solution for organizations of all sizes to leverage, particularly with services like email and file sharing. Yet, to the IT security expert, cloud also points to increased risk exposure and a greater attack surface.
But the reason for this exposure isn’t obvious. Most assume that by moving critical enterprise data to the cloud that they’re now reliant on a third party with unknown security posture to protect to their data. But in reality, cloud providers like Google, Microsoft, and Amazon have bigger and more sophisticated cloud data security operations than most enterprises. The real risk comes from the data sharing that often occurs after information has been stored in the cloud.
A good example of this danger is Salesforce.com’s recent leaked M&A target list. An email containing sensitive information was sent by Salesforce CEO, Marc Benioff, using a secure cloud system (Google G Suite) to Colin Powell, a board member. However, since Powell’s personal system was breached, Benioff’s M&A list was eventually found by hackers and leaked to the press.
In a similar fashion, Snapchat CEO Evan Spiegel recently expressed anger in a note to his staff about the public airing of business details in leaks that stemmed from a board member, Michael Lynton, who happened to be the CEO of Sony and was a victim of the infamous Sony email hack of 2014.
Two Keys to Protecting Data in the Cloud Era
Safeguarding information today, even when it leaves the enterprise firewall, requires a data-centric approach toward cybersecurity that protects your information no matter where it’s hosted or shared. This approach includes a strong understanding regarding the value of data, including data awareness, as well as the tools to drive effective data encryption.
Data awareness entails understanding your organization’s data and classifying it based on sensitivity. Broadly speaking, data that requires protection is either regulated information or corporate sensitive information like IP, trade secrets or financial reports. Roughly 2/3 of enterprise data falls into one of these two categories. The remaining 1/3 of information is non-sensitive (often referred to as “default”), which often contain mundane office communications.
Cataloguing, classifying and understanding data is important but ultimately this approach should be supported by powerful data protections, including strong encryption. Additionally, not all encryption is created equally. Robust encryption provides protection that travels with the data. Effective encryption should also protect data at rest and in transit, since this is the only way to ensure protection within cloud environments where administrators can’t monitor the physical servers.
Organizations should also look for encryption that includes features and added cloud data security measures, such as the ability to audit access attempts, restrict data forwarding, and set messages to expire, as well as revoking access if needed – such as when a previously authorized user leaves the company. These features compliment any data awareness strategy.
Below is an example of how data classification can be used to determine data protection actions.
The cloud is growing at exponential levels. Even though reinforcing data and network security is a primary focus for cloud providers, this dedication does not offer the same level of control and security for clients as commonly found in internal corporate networks. In order to leverage the cloud, while keeping data secure, organizations need to be aware of how their data is shared and take steps to audit and control access to sensitive information. And every piece of sensitive data, no matter where it moves or ends up being stored, should be protected commensurate with its sensitivity.