Errors and Misconfigurations Called Out Again

I happened to catch a blog post by noted security expert and senior security advisor to the Office of the CISO at Google, Dr. Anton Chuvakin, summarizing the Google Cybersecurity Action Team’s September 2022 Threat Horizons Report. The doughnut graph (I’d call it a pie graph except there’s a hole in the middle) Dr. Chuvakin called out affirms a frustratingly persistent problem with cloud security and cybersecurity in general: organizations aren’t paying attention to block-and-tackle hygiene.

The top two factors in cloud compromise—weak or no credentials (57.4%) and misconfigurations (13%)—represent otherwise avoidable conditions that could save organizations the headache of suffering a data breach either at the hands of attackers or because of a mistake. You know the kind of mistake I’m talking about: someone left sensitive data exposed on a server or in cloud storage, someone sent information to the wrong party, someone forgot to encrypt data before transferring it to a third party. The 2022 Verizon Data Breach Investigations Report found that 82% of all data breaches involve human error at some level.

Here at Coviant Software we talk a lot about the frustrations of avoidable human error in data breaches. We do not exult when companies are breached and even if a competitor were involved, we would never use the event as an occasion to gloat or wag our finger. Fallibility is endemic to the human condition and self-righteousness is never a good look. The Good Book warns that pride goeth before a fall, and so, while we are persistent in our reminders, and may sometimes use current events as illustrations of the fact, that is as far as we’ll go. Karma, to mix our religious metaphors, is a bitch.

We see it all the time in our little niche of the cybersecurity world. Whether out of ignorance, or the belief that the do-it-yourself approach might save a dollar or two, organizations try to make do with shortcuts like email, cloud-based file sharing tools, or custom scripts written by someone in IT. Those approaches fall far short of the standards required when working with regulated data like personally identifiable information (PII), protected health information (PHI), financial data, intellectual property, and others covered under regulations like HIPAA, GLBA, SOX, GDPR, and more.

At the risk of sounding like a broken record, please stop doing that. There’s a much better way, and it’s probably a lot more cost effective (i.e., cheaper) than you think. Certainly it’s cheaper than paying the $4.35 million average cost of getting breached. Google’s Threat Horizons Report emphasizes the use of good governance in avoiding unfortunate security events. Page 19 of the report says:

Appropriate cloud governance can address the risks discussed earlier. As data volumes and application capabilities grow, cloud administrators are interested in understanding:

  • The cloud data’s location, including the projects it is being shared with
  • If the data contains any sensitive information, and how data contents are changing over time
  • If applications and workloads are implementing appropriate security controls, given data classifications, including providing support for regulations – like data residency – as required

Our Diplomat MFT secure managed file transfer software can play a role in that governance. We integrate easily with Google Cloud (and all the major cloud providers), and so our software can help ensure files shared to and from the cloud are handled securely. Our automations help to minimize the risk of human error as well, ensuring that files are encrypted with OpenPGP, sent via secure protocols like SFTP, scheduled to occur reliably on time, and that they are sent to the right destination. Should anything go wrong during the process, we alert the right people and provide information to diagnose the reason. And Diplomat MFT also documents every action taken so that audits are a breeze when needed.

Diplomat MFT is recognized as the best value in the managed file transfer market, and if you missed the recent news, we were also found to be the best in the industry according to a study of customer feedback conducted by the independent SoftwareReviews. Check it out for yourself, with no obligation, by downloading a trial of our software. Just fill out the form below.
