Monthly Cloud Security Roundup: The Least Secure Industry (According to Hackers), the Cybersecurity Skills Shortage, and More
Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss the acquisition of Vlocity by Salesforce, Desjardins’ data breach costs, the cybersecurity skills shortage, the least secure industry according to hackers, and more.
Ask hackers which industry they think is the least secure, and the group consensus is technology. HackerOne surveyed thousands of hackers, and almost one in five agree that the technology industry has the most room to improve. 18% agreed that technology was the least secure, followed closely behind by government (16%) and finance (14%).
What does this mean for vulnerable industries? There are many weak areas of security operations that need to be addressed. Hackers predominantly look for security gaps in organizations across the world, many to help companies locate and remediate vulnerabilities. However, if one ethical hacker can use their tools and intelligence to find a way into a network, so can a malicious actor. To avoid a massive data breach and other consequences, review your current security layers and ask whether you have the elements necessary to provide a defense-in-depth architecture that secures your organization at many layers. Security is everyone’s responsibility, and the most secure industries use robust defense-in-depth posture to avoid security and privacy incidents like data breaches.
CRM giant Salesforce recently announced their acquisition of independent software vendor (ISV) Vlocity for $1.33 billion. Vlocity builds Salesforce platform solutions that are specific to certain industries – communications, media, energy, insurance, health, and government. By empowering enterprises with tailored solutions, Vlocity enables those businesses to obtain full functionality from the Salesforce platform. With its robust processes and features, Vlocity saves customers time spent building Sales and Service Cloud solutions from scratch. According to reports, Vlocity will fit in effortlessly with Salesforce’s current suite of products, including Financial Services Cloud and Health Cloud.
“The best customer experiences are industry specific. Together, our customers, our partners, and our employees have accomplished so much. I am thrilled about our future with Salesforce.”
– David Schmaier, CEO and Founder, Vlocity
A 2019 data breach that affected 4.2 million members is going to cost Desjardins Group more than expected. Far more. Originally, the Quebec-based financial institution predicted the cost of the data breach – caused by a malicious employee – would be $70 million. But a recent announcement reveals that the breach will ultimately cost the company $108 million.
The breach occurred last year when an employee intentionally abused their privileged access to banking details like loans and savings information. As a result, the data of the 4.2 million Desjardins customers in Quebec and Ontario was exposed. Months after the breach was detected, Desjardins discovered that an additional 1.8 million non-customer credit cardholders were also affected. The employee was fired, and Desjardins offered free identity protection for Quebec and Ontario members.
“The impact is less than one percent of its $18 billion in revenues in 2019. While it may seem like a large amount, Desjardins has ample capacity to absorb the expense.”
– Guy Cormier, CEO, Desjardins Group
Marlin Hawk recently published the Global Snapshot: The CISO in 2020 report, which revealed that 66% of CISOs are floundering in the face of the massive cybersecurity skills shortage. More than half of Chief Information Security Officers report they struggle when it comes to recruiting talent that brings the right technical knowledge, experience, and cultural fit to the table. Many CISOs also report feeling pessimistic that the shortages will improve in the coming months and years – 62% think the global cybersecurity talent shortage will worsen over the next five years. Companies in the Asia-Pacific region are feeling the struggle the most, with 91% of respondents agreeing that finding the right talent was difficult. 61% in the UK and 54% in the U.S. agree.
Why is top talent so hard to attract and retain? The report indicates that “brain drain” and low compensation are largely to blame, although many are simply interested in pursuing other roles.
The SonicWall Cyber Threat Report revealed a 52% rise in SaaS application attacks from 2018 to 2019. This dramatic increase affirms the trend towards attackers targeting web applications to access sensitive information stored on mobile devices like credit card information, names, birthdates, social security numbers, and more. According to the report, the most targeted web apps are SharePoint, Atlassian Confluence, Slack, G Suite, Dropbox, and other popular business platforms. Now is the time to review your application-level security solutions and evaluate whether you’re doing enough to protect your SaaS apps from data breaches.
“For the cybercriminals, it’s more lawless than ever. Despite the best intentions of government agencies, law enforcement, and oversight groups, the current cyber threat landscape is more agile than ever before.”
– Bill Conner, President and CEO, SonicWall
The Department of Homeland Security (DHS) reported that a natural gas compression plant in the United States was shut down for two days in the aftermath of a ransomware attack. The incident originated with a spear-phishing email – a fraudulent email made to look like it’s from a trusted source to access sensitive information like passwords or credit card numbers. The hacker used the email to access the facility’s IT and OT networks, where they infected Windows systems with unidentified ransomware that compromised human-machine interfaces, data historians, and polling servers.
The attack was successful because the victim was unprepared – the IT and OT networks were unsegregated, which gave the hacker access to both as soon as one was compromised. Cyber threats should be considered when planning for risk as much as physical threats, especially as cyberattacks grow in prominence. In this case, proper security training with tips for identifying phishing emails could have prevented a mass disruption in processes for the plant. While the facility never lost control of operations, they were unable to access real-time data, which required the plant to cease operations for two whole days.
The Department of Defense sent breach notification letters to employees of the Defense Information Systems Agency (DISA), informing them about the cybersecurity incident that occurred between May and July of 2019. DISA is responsible for securing and managing telecommunications and IT support for the White House, military, and U.S. diplomats. Hackers compromised an agency system, exposing as many as 8,000 government employees’ personal information, including social security numbers. The DOD has not provided additional information about the breach but stated it had no evidence that personal data was abused before sending notices to employees.
DISA is offering free credit monitoring to all those affected by the incident. The leak has raised concerns over the security of communications leading up to the 2020 presidential election. In response, DISA has confirmed that they’ve employed additional security measures to monitor systems and protect data.
“It is an unfortunate situation and another in a long list of breaches as we head into 2020. Organizations need to get better at how long it takes to be aware of a compromise and how quickly they can respond. Visibility into how systems are used is key.”
– Chris Morales, Head of Security Analytics, Vectra