“Rapid changes to where and how people access data can drive risk. Enterprises need to prioritize taking back control of their critical assets by detecting and securing unsanctioned assets, decommissioned services, and products, as well as their partners’ cloud storage or productivity applications,” says Todd Carroll, CISO, CybelAngel, in an exclusive interview with ITSecurityWire.
ITSW Bureau: How can a company effectively hide their sensitive data from ransomware?
Todd Carroll: Hiding sensitive data from cybercriminals has become nearly impossible and a pressing issue for organizations. Digital transformation, outsourcing and cloud adoption are all critical competitive advantages; however, the unintended consequence is that the data is well beyond the organization's purview.
Today’s CISOs and their staff are dealing with an ever-expanding attack surface that includes third-party cloud applications, connected storage devices, open databases and, perhaps worst of all, shadow assets. Shadow IT includes cloud applications, web services, software, and devices that employees use without IT authorization to do work. According to the Everest Group, 50% of all enterprise technology budgets are spent outside of IT’s purview. Companies cannot address vulnerabilities if they are blind to their presence. Given this new reality, protecting sensitive data begins with having visibility.
ITSW Bureau: Even with cloud database systems, how is sensitive data being infiltrated?
Todd Carroll: Employees can sign up for trial accounts of various Software as a Service (SaaS) tools for business development, marketing, employee benefits or other purposes. Unfortunately, entering live business data into ad hoc apps can be dangerous. If these applications are not configured properly (even during a demo phase) or are not securely wiped if abandoned, pockets of volatile data are created. This data is ripe for exposure and other combustible breach consequences that can have detrimental effects and whose impact can be difficult to contain.
ITSW Bureau: What are your suggested strategies in securing a company’s own digital footprint?
Todd Carroll: Rapid changes to where and how people access data can drive risk. Enterprises need to prioritize taking back control of their critical assets by detecting and securing unsanctioned assets, decommissioned services, and products, as well as their partners’ cloud storage or productivity applications.
Organizations need to manage this in three stages:
Visibility – Gain an attacker-view of the external-facing shadow environment. Protect what is at risk efficiently.
Prioritize – Resolve high priority incidents first without losing time dealing with false positives and/or hygiene issues.
Actionable – Solve incidents quickly. This requires clear attribution of the incident – who was first affected – an employee, a third party, or partner.
ITSW Bureau: What do brands fail to understand about the risks of Shadow IT?
Todd Carroll: When employees use shadow IT, they become easy prey for cyber attackers who are constantly seeking vulnerable data. Recent Gartner studies discovered that somewhere between 30 and 40% of IT spending in large enterprises goes towards shadow IT, while Everest Group puts it closer to 50%. The first step for digital risk managers is identifying these assets beyond the reach of policies and security controls. Next, shadow IT needs to be interrogated for vulnerabilities that can invite malware-enabling ransomware; however, given the perpetual addition of new assets outside of the security perimeter, continuous monitoring for new assets and vulnerabilities is critical.
ITSW Bureau: How can shadow IT add efficiencies to security strategies?
Todd Carroll: Despite its reputation, shadow IT can help enhance the productivity of employees. A shadow IT policy that allows users to experiment with new, innovative tools while mitigating shadow IT risks can act as a competitive advantage. Innovative IT teams know that collecting information about shadow IT can call out the software and applications that the organization needs to consider for investment. If embraced, understanding shadow IT can be an opportunity to accelerate evolution and innovation. Removing the demonization of shadow IT gives an organization the visibility to secure these assets and respond to new requirements in a more proactive manner.
Todd Carroll joined CybelAngel in January 2019 as part of its expansion into US markets. Mr. Carroll retired from the FBI in December 2018 after spending over 20 years with the Bureau, serving in the Cyber/Counterintelligence, Counterterrorism, and Intelligence Operations programs. He earned a Bachelor of Science in Law Enforcement Administration from Western Illinois University and a Master of Science in Cyber Security from University of Maryland University College in 2012. He also graduated from the Carnegie Mellon University CISO Academy in 2017.