To protect your organization against cyber security risks, it’s important to have a cyber risk management program in place. But does your organization’s program take into consideration its entire attack surface – including the cloud?
If your business stores digital assets in the cloud, it could be vulnerable to attack. According to the 2021 Verizon Data Breach Investigations Report (DBIR), in 2020, 73% of all cyberattacks targeted cloud assets. That statistic is reinforced by a separate study from Oracle and KPMG, which found that three-quarters of organizations have experienced data loss from a cloud service more than once.
For this reason, it’s imperative that you audit your organization’s cloud security posture. But when you’re operating in someone else’s data center, where do you start? Let’s look at the five essential items to include in your cyber security audit checklist.
1. Assess your cloud providers’ security postures
Your business wouldn’t enter into a relationship with a vendor whose security posture is weak, and the same caution should be applied to your cloud service providers.
For that reason, it’s important that you review each cloud service provider’s security policies and protocols so you can learn how they secure their data centers and cloud infrastructures.
But don’t just take their word for it. Trust, but always verify. You can do this by independently assessing each provider’s security posture using BitSight Security Ratings.
Security ratings work by automatically and continuously monitoring a cloud provider’s entire digital ecosystem for security issues, such as vulnerabilities and malware. Ratings also measure adherence to security best practices and compliance with cybersecurity frameworks.
Findings are presented as an easy-to-understand numerical score, with a higher rating indicating a strong security posture. With this insight, you can make confident, data-driven decisions about whether to enter into a cloud services agreement with a particular vendor – especially one that will host your most sensitive data.
You can also use security ratings to monitor changes to the vendor’s security posture over time. If security risk creeps into the relationship, you can share findings with the vendor so they can take steps to remediate the issue.
2. Understand your extended attack surface
Cloud consumption can create visibility blind spots. In fact, the Oracle/KPMG study found the biggest cloud security challenges organizations must overcome are a lack of visibility into software vulnerabilities and misconfigured cloud services that expose servers to cyber risk. Unfortunately, traditional cyber security audits and cyber security assessments don’t always scale into the cloud (particularly multi-cloud environments), making it hard to discover how secure your cloud-hosted assets are.
Instead, consider adding attack surface monitoring technology to your cyber security audit checklist. By continuously analyzing your cloud environment, you can quickly identify your organization’s cloud assets and any gaps in your security controls. You can also identify areas of concentrated risk, such as a misconfigured web application firewall, and prioritize that asset for remediation. The technology even reveals hidden security issues that may be lurking in shadow IT.
With visibility into the risk profile of all your cloud assets, your organization will also be better able to meet its own obligations under the shared responsibility model. After all, you can’t secure what you can’t see.
3. Review access controls
Access management violations are among the most common cloud security risks, and the damage done can be significant. Take, for example, the recent Colonial Pipeline ransomware attack, which was made easy for hackers by the lack of multi-factor authentication requirements for employees.
Use your cyber security audit checklist to periodically review your organization’s access control policies and multi-factor authentication requirements. Then, over time, ensure that security teams are regularly auditing permission rights and monitoring user activity in the cloud.
4. Audit your patching cadence
Research suggests that it takes the average organization 38 days to patch a vulnerability – and that’s a problem. A BitSight study found that organizations that are slow to patch systems and software are seven times more likely to become victims of ransomware than those that maintain a regular patching cadence.
Finding gaps in both your cloud and on-premises patching program isn’t easy. A sea of alerts and a lack of resources can hamper efforts. Fortunately, you can use BitSight Security Ratings to continuously identify unpatched systems (wherever they’re located), prioritize which patches are most critical, and allocate resources where they are needed most.
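As an added illustration of what a patching-cadence audit actually computes (example code written for this post, not BitSight’s product or its API), the script below takes a constructed inventory of cloud and on-premises findings, measures days exposed against the 38-day benchmark quoted above, and orders the overdue and still-open items by severity so resources go where they are needed most. The asset names, dates, scores and the fixed audit date are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Benchmark from the article: the average organization takes 38 days to patch.
PATCH_SLA_DAYS = 38
# Fixed "today" so the audit is reproducible (constructed, not a real audit date).
AUDIT_DATE = date(2021, 6, 15)

@dataclass(frozen=True)
class Finding:
    asset: str
    location: str            # "cloud" or "on-prem"
    severity: float          # CVSS-style base score, 0.0-10.0
    disclosed: date          # when the vulnerability became known
    patched: Optional[date]  # None while the system is still unpatched

# Constructed sample inventory; none of these are real systems.
INVENTORY: List[Finding] = [
    Finding("web-01", "cloud", 9.8, date(2021, 5, 1), date(2021, 5, 10)),
    Finding("db-02", "cloud", 7.5, date(2021, 4, 1), None),
    Finding("erp-03", "on-prem", 8.1, date(2021, 3, 15), date(2021, 6, 1)),
    Finding("build-04", "cloud", 5.3, date(2021, 5, 20), date(2021, 5, 22)),
]

def days_exposed(f: Finding, today: date = AUDIT_DATE) -> int:
    """Days from disclosure to patch, or to the audit date if still open."""
    return ((f.patched or today) - f.disclosed).days

def mean_days_to_patch(findings=INVENTORY, today: date = AUDIT_DATE) -> float:
    """Average time-to-patch over resolved findings only (the cadence metric)."""
    resolved = [days_exposed(f, today) for f in findings if f.patched]
    return sum(resolved) / len(resolved) if resolved else 0.0

def overdue(findings=INVENTORY, today: date = AUDIT_DATE, sla=PATCH_SLA_DAYS):
    """Findings that were, or still are, exposed longer than the SLA,
    most severe first, then longest exposure first."""
    late = [f for f in findings if days_exposed(f, today) > sla]
    return sorted(late, key=lambda f: (-f.severity, -days_exposed(f, today)))

def remediation_queue(findings=INVENTORY, today: date = AUDIT_DATE):
    """Still-open findings in the order they should be patched."""
    open_items = [f for f in findings if f.patched is None]
    return sorted(open_items, key=lambda f: (-f.severity, -days_exposed(f, today)))

if __name__ == "__main__":
    print(f"mean days to patch: {mean_days_to_patch():.1f}")
    for f in overdue():
        print(f"OVERDUE {f.asset} ({f.location}) sev={f.severity} days={days_exposed(f)}")
```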
5. Review data loss prevention policies
The convenience of the cloud makes it easy for any user to access and share information with the click of a button. But this can introduce risk. Employees may download a file containing sensitive information over public Wi-Fi or share it with someone outside the organization.
Be sure to review your organization’s data loss prevention policies and, if necessary, establish rules that limit document sharing, quarantine files before they are shared, or warn the user against file sharing with external email domains.
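To make the three rule types above concrete, here is an added example (written for this post, not any DLP product’s policy language) that evaluates an outbound share request and returns block, quarantine, warn or allow depending on the document’s classification label and whether the recipient’s domain is external. The internal domain, labels and sample requests are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed policy values; substitute your own domain and label taxonomy.
INTERNAL_DOMAIN = "example.com"
BLOCK_LABELS = {"restricted"}         # rule 1: never share outside the organization
QUARANTINE_LABELS = {"confidential"}  # rule 2: hold for review before an external share

@dataclass(frozen=True)
class ShareRequest:
    filename: str
    label: str       # classification label on the document
    recipient: str   # e-mail address the file is being shared with

def is_external(recipient: str) -> bool:
    """True unless the recipient is on the internal domain or one of its subdomains.
    A suffix match on '.example.com' keeps 'evilexample.com' external."""
    domain = recipient.rsplit("@", 1)[-1].strip().lower()
    return domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN)

def evaluate(req: ShareRequest) -> str:
    """Decide the action for one share request."""
    if not is_external(req.recipient):
        return "allow"          # internal sharing is not restricted by these rules
    label = req.label.strip().lower()
    if label in BLOCK_LABELS:
        return "block"          # rule 1: limit document sharing
    if label in QUARANTINE_LABELS:
        return "quarantine"     # rule 2: quarantine before the share completes
    return "warn"               # rule 3: warn on any share to an external domain

def audit(requests: List[ShareRequest]) -> Dict[str, int]:
    """Tally decisions so a reviewer can see how often each rule fires."""
    counts = {"allow": 0, "warn": 0, "quarantine": 0, "block": 0}
    for r in requests:
        counts[evaluate(r)] += 1
    return counts

# Constructed sample share requests exercising every branch.
SAMPLE_REQUESTS = [
    ShareRequest("q2-plan.xlsx", "Restricted", "partner@vendor.net"),
    ShareRequest("contract.docx", "confidential", "counsel@lawfirm.org"),
    ShareRequest("memo.txt", "public", "friend@mail.net"),
    ShareRequest("memo.txt", "confidential", "alice@example.com"),
    ShareRequest("notes.md", "restricted", "bob@hr.example.com"),
    ShareRequest("roadmap.pdf", "restricted", "mallory@evilexample.com"),
]
```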
Continuous visibility is key
Surveys and reports continue to underscore the security challenges of moving to the cloud. Yet, cybersecurity teams are still playing catch-up, resulting in a cloud security readiness gap. To mitigate the risk created by this situation and accurately assess and manage enterprise risk, your cyber security audit checklist must include measures that provide broad and continuous visibility into the security posture of your cloud assets and that of your cloud service providers. Only then is focused and effective risk mitigation possible.