Cloud Security Roundup: Salesforce Buys Slack, Top Cybersecurity Threats, CPRA Amends CCPA, and More

Cloud Security Roundup Salesforce Buys Slack, Top Cybersecurity Threats, CPRA Amends CCPA, and More

Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last few weeks. In this post, we discuss Salesforce’s acquisition of Slack, CPRA’s changes to CCPA, top cybersecurity threats to watch for, COVID’s impact on compliance, and more.

Salesforce acquires Slack for $28B

CRM giant Salesforce recently announced the acquisition of chat software company Slack. The deal, which has an enterprise value of $27.7 billion, is the largest in Salesforce’s history. Salesforce isn’t new to acquisitions; the company purchased Tableau for $15.3 billion in 2019 and MuleSoft for $6.5 billion in 2018.

Salesforce CEO Mark Benioff said the combination of Salesforce and Slack is a “match made in heaven.” The company plans to incorporate Slack into the Salesforce Customer 360 software by using the Slack interface.

The sale is expected to close around mid-2021.

“Together, Salesforce and Slack will shape the future of enterprise software and transform the way everyone works in the all-digital, work-from-anywhere world. I’m thrilled to welcome Slack to the Salesforce Ohana once the transaction closes.”

– Mark Benioff, Co-Founder and CEO, Salesforce

California amends CCPA with CPRA

California citizens recently voted to amend the state’s landmark privacy legislation, the California Consumer Privacy Act (CCPA). California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which builds on CCPA by:

  • Expanding the definition of businesses to which CCPA applies
  • Limiting not just selling personal information but also sharing
  • Establishing the California Privacy Protection Agency (CPPA) to enforce the law
  • Creating a new category of information called “sensitive personal information”
  • Giving consumers the right to request a business correct incorrect personal information
  • Expanding consumers’ private right of action
  • Levying data minimization and data retention requirements on businesses

The CPRA changes will take effect on January 1, 2023. Until then, the California Office of the Attorney General will continue to enforce and revise CCPA.

Over 25% of cybersecurity incidents related to COVID

The UK’s National Cyber Security Centre (NCSC) published its yearly review, which cited the response to COVID’s accompanying cyber threats as the predominant theme of 2020. The report identified that more than 200 of the 723 cyber incidents the NCSC responded to over the last twelve months were COVID-related. The incidents primarily targeted the healthcare, education, and government sectors. Cybercriminals have leveraged the pandemic to instigate crippling attacks on organizations worldwide, leaving institutions like the NCSC to keep up with the increased number of attacks as well as changes in methodology and sophistication.

“We know that cyber criminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the coronavirus outbreak. Our advice to the public is to follow our guidance, which includes everything from password advice to spotting suspect emails.”

– Nicky Hudson, NCSC Director of Policy & Communications

Millions of hotel guests’ data exposed

Millions of guests’ personal information was exposed after a hotel software provider failed to adequately secure their cloud database settings. A misconfiguration led to the leak of more than 10 million log files, which contained personally identifiable information (PII) including full names, email addresses, phone numbers, credit card numbers, and more. The tech site’s security team discovered the breach and resolved it the next day. Despite there being no evidence of malicious activity, the organization can’t guarantee that PII wasn’t compromised.

The software provider may face compliance audits from GDPR and PCI DSS inspectors due to the incident.

Top 15 cybersecurity threats to watch

The European Union Agency for Cybersecurity (ENISA) recently published its Threat Landscape 2020 report, which identifies the top 15 cybersecurity threats that organizations are facing right now. According to the research, the top cybersecurity threats are:

  • Malware
  • Web-based attacks
  • Phishing
  • Web application attacks
  • Spam
  • Distributed Denial of Service (DDoS)
  • Identity theft
  • Data breaches
  • Insider threats
  • Botnets
  • Physical manipulation, damage, theft, and loss
  • Information leakage
  • Ransomware
  • Cyber espionage
  • Cryptojacking

Focusing on the insider threat, the findings show that 65% of the impact of insider threats include damage to an organization’s reputation and finances. And the majority (88%) of organizations agree that insider threats are cause for alarm.

Other notable findings from the report include that malicious actors are increasingly using social media channels to accelerate targeted attacks, financial gain remains the top motivation for cyberattacks, and most incidents take a very long time to be detected – if they’re uncovered at all.

50% of compliance pros say COVID has increased risk exposure

A new report from law firm Baker McKenzie revealed that half of compliance leaders worldwide feel that COVID-19 has heightened the risk exposure of their organization. The survey examined the technology and compliance challenges of the pandemic, focusing on new risks and emerging challenges for compliance teams trying to make critical technology decisions for their organization. The results show that while technology is a source of risk that needs to be carefully managed, it’s also an essential connector for compliance functions in organizations across industries.

The report also highlighted the rise of surveillance culture due to remote work, as companies try to monitor employee behavior to identify and mitigate risky activity. The researchers reinforced three primary risks to keep in mind for robust data protection: ethics and trust, due process, and data risk.

“Compliance leaders must be in a position to know and understand whether risks exist. For example, determining if data gaps are apparent because there are true gaps in the information available, or because of a failure in the technology itself. Without this knowledge, regulators could lack confidence in the robustness of internal compliance processes and investigations.”

– Joanna Ludlam, Co-chair, Global Compliance & Investigations, Baker McKenzie