Cloud Security Roundup: Shopify’s Insider Threat Data Breach, Security and Risk Trends in 2020, and More
Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss the security and risk trends of 2020, Shopify’s insider threat data breach, new international cybersecurity guidelines, and more.
Gartner recently identified nine security and risk trends that have made the biggest impact on 2020 so far. The trends indicate the beginning of a critical shift for the security ecosystem that Gartner predicts will have a wide-ranging effect on the industry with the potential for large shakeups.
The top nine security and risk trends in 2020 are:
- Enhanced detection and response capabilities are improving productivity
- Security automation is saving time
- AI is creating new security responsibilities
- CSOs are uniting security-related siloes
- Privacy is its own discipline
- “Digital trust and safety” teams are fostering better customer relationships
- SASE technology is taking over LAN-based models
- Cloud security requires a full lifecycle approach
- Zero-trust is replacing VPNs
“The pandemic, and its resulting changes to the business world, accelerated digitalization of business processes, endpoint mobility and the expansion of cloud computing in most organizations, revealing legacy thinking and technologies.”
– Peter Firstbrook, VP Analyst, Gartner
A new report from Trend Micro revealed that 39% of employees use their personal devices – smartphones, tablets, and laptops – to access corporate data. According to the study, which surveyed over 13,000 remote employees worldwide, many of those personal devices aren’t secured, especially compared to their company-appointed counterparts. Even when using a secured device, home network security is generally inferior to that which a corporate environment provides, creating security gaps that could lead to a breach.
Experts recommend mitigating risky employee behavior by creating strict acceptable usage policies that prohibit using personal devices to access company data, increasing cybersecurity education and awareness training, and enhancing cybersecurity measures to reduce insider threats.
E-commerce company Shopify recently discovered a security incident caused by insider threats that affected around 200 merchants. The breach occurred when a pair of “rogue” employees on the company’s support team attempted to steal sensitive data from customer transaction records. With their privileged access to the Shopify network, the employees were able to access merchant and customer data, including names, emails, and addresses. Shopify confirmed that no financial information, including payment card data, was compromised during the incident.
Since discovering the unauthorized access, Shopify notified affected merchants, terminated the employees, and launched a law enforcement investigation. Fortunately, the company hasn’t reported any evidence of the data being misused, it has notified affected customers and merchants of the breach.
“It is unclear at this point what the precise motive of these insiders was, but all insider threats fall into one of three categories: fraud, sabotage or theft. Often insiders are not working totally alone, with research evidencing the tendency of colleagues to notice but ignore suspicious behavior.”
– Lisa Forte, Partner, Red Goat Cyber Security
The increase in remote workers has also led to a rise in data sprawl – data living in an overwhelming number of locations across an organization’s network. According to a survey, remote employees may save company data to an unprotected device on an unsecured home network, leading more than three-quarters of IT executives worried about rising levels of risk. Data sprawl may vary from department to department, but CIOs across the board have cited the increase in remote work (and unsecured networks) as the number one driver of data sprawl.
Organizations face the challenge of striking a balance between securing sensitive information while also permitting authorized users to access data to perform their job. Almost 50% of CIOs feel that employees have access to data they shouldn’t be able to, while 40% have encountered employees who couldn’t access data they should be able to. Experts recommend utilizing security techniques like zero-trust models (controlling access by trusting anyone by default, even insiders) and user activity monitoring to track data access and reduce the opportunity for risk while still enabling employees to do their job.
Along with a team of international allies, including the U.S. Cybersecurity and Infrastructure Agency (CISA), the UK National Cyber Security Centre (NCSC) released guidelines for organizations to protect themselves from malicious cyber attackers. “Technical Approaches to Uncovering and Remediating Malicious Activity” offers technical methods and best practices for safeguarding assets like company data as well as ways to detect threat activity and mitigate attacks.
“This advisory will help organizations understand how to investigate cyber incidents and protect themselves online, and we would urge them to follow the guidance carefully. Working closely with our allies, and with the help of organizations and the wider public, we will continue to strengthen our defenses to make us the hardest possible target for our adversaries.”
– Paul Chichester, Director of Operations, NCSC
The National Institute of Standards and Technology (NIST) has released its revised and updated version of NIST SP 800-53. The publication provides a selection of security and privacy controls that govern information systems and organizations to deflect threats and risks such as cyberattacks, insider threats, system failures, privacy risks, and more. Revision five introduces next-generation security and privacy controls for application security through runtime application self-protection (RASP) and interactive application security testing (IAST).
By adding RASP and IAST, NIST provides organizations with application security recommendations that reflect the changing threat environment. The revision brings much-needed light to application security, which can help IT and security teams identify security gaps before applications are launched, thereby reducing an organization’s risk.