Prioritizing AppSec and data governance in 2021
For many organizations, the immediate shift to remote work meant IT pros had to manage a hyper-accelerated, mass cloud migration coupled with large-scale SaaS platform rollouts. Daily users of Microsoft Teams, for example, rose from 75 million to 115 million in less than six months. Now that the first tidal wave of digital transformation has passed, IT and security teams should recalibrate and reprioritize application security and data governance in 2021 and beyond.
And while the pandemic has underscored major SaaS platform security concerns, including a rise in sophisticated cyber threats, research indicates many organizations still struggle with the fundamental tasks needed to secure the workforce -- both remote and on-prem. Here are three common mistakes and how to avoid them.
Ignoring basic security best practices
SANS Software Security has found that 99.9 percent of data breaches can be prevented using multi-factor authentication (MFA), a common security best practice that uses two or more controls to verify a user's identity. Unfortunately, additional research indicates 97 percent of total Microsoft 365 (M365) users do not use MFA. This creates unnecessary risk at a time when cybercriminals are increasingly targeting login credentials.
Some credentials are more enticing to cybercriminals than others. Privileged credentials, such as administrator accounts, give users more access to modify, share or delete critical data. According to research, 78 percent of M365 administrators do not have MFA activated, making them an ideal target for cyberattacks. Once inside the network, cybercriminals can move laterally between accounts, resources and even organizations.
Granting admins and users excessive permissions
In today's modern workforce, most collaboration takes place virtually. This trend comes with its own unique set of challenges, including setting up new devices and digital accounts. As new accounts are introduced, it is crucial that IT focus on setting appropriate, least-privilege access controls to shore up security.
However, many global organizations continue to give excessive permissions to users:
- 57 percent of global organizations have M365 admins with excess permissions to access, modify and share critical data
- 17 percent of M365 admins are Exchange admins, meaning they can see and do whatever they want on any employee’s inbox, including the CEO’s
Additionally, research has found that 36 percent of M365 admins are Global Admins, meaning they can essentially do whatever they want in M365, including creating new accounts, impersonating users or deleting historical data. Microsoft suggests limiting the number of Global Admins to at most two to four per organization to bolster security.
Shadow IT with no oversight
There has been a major uptick in the adoption of digital technologies, which are transforming every aspect of modern business. This flood has fueled the rise of Shadow IT: the (mostly) SaaS applications that employees use, typically without IT permission or even knowledge. The lack of oversight on unsanctioned apps introduces new security risks, including the possibility of siphoned data or the sharing of sensitive company information. Accordingly, Gartner predicted that one-third of successful attacks in 2020 would be against Shadow IT resources.
To combat this trend, employees should be educated on the risks associated with downloading unauthorized apps. Training employees on the ins and outs of organization-backed SaaS apps can also help cut down on employee frustration and workarounds.
The COVID-19 pandemic has undoubtedly turned the way we work upside down. With an initial, large-scale digital transformation in the rearview mirror, IT and security teams must now pause and reflect. To move forward, organizations should first ensure they have the right tools and processes in place, then prioritize the basics: emphasize security best practices, implement least-privilege access controls wherever possible, and stop Shadow IT apps from introducing unnecessary risk. A renewed focus on application security and data governance will help kick the new year off right -- no matter what comes next.