According to the recent X-Force Threat Intelligence Index 2020, more than 8.5 billion records were exposed due to breaches in 2019, and 86 percent of them were exposed because of misconfigured assets. Misconfigurations accounted for only half of the records breached in 2018, and the 2017 report stated that 70 percent of the 2.9 billion records lost that year were due to misconfigurations.

These statistics paint a picture of what inadvertent insider threats can look like. While we may imagine inadvertent insiders as careless people clicking on dodgy emails, this image needs to be updated to include a wider variety of poor security hygiene behaviors. Arguably, the greater source of security incidents in our environments is people creating cloud servers that are set with dangerously unrestricted permissions.

Unmonitored Additions Increase Inadvertent Insider Risk

How safe would you feel driving a well-engineered car full of innovative safety features that has been regularly tested to do well in crash scenarios? Would you feel differently if the car was engineered on the fly with no tests to verify whether legally mandated safety features are actually being used properly?

In the case of misconfigured servers and other digital assets, it’s as if everyone on the manufacturing floor were adding unexpected parts to the final automotive product and just hoping for the best. Since there is no monitoring of the process, there’s no telling what effect one part will have on the others or how the final product might endanger the life of the driver.

In an environment where people routinely implement shadow IT options, including entire databases full of sensitive customer information, there is no way to verify that our environments are truly secure. As more and more industries are made to comply with regulations that mandate the use of “reasonable” security practices, companies could accrue huge fines if they experience breaches due to misconfigured assets.

In a previous article, I argued that we needed more than security awareness to improve our security posture against the risk of insider threats. The increase in breaches due to misconfigured servers is further proof that security experts need to learn new ways to address inadvertent insider threats.

Expectations Versus Reality

According to last year’s “Cloud Adoption and Risk Report” from McAfee, most organizations surveyed believed that only 30 cloud services were in use in their environment. However, the report found that the average organization actually uses closer to 1,900 unique cloud services, and that 20 percent of all files stored in the cloud contain sensitive data — an amount that has increased by 53 percent year-over-year.

For a security practitioner, these statistics naturally bring up a few questions: What services are being used? Who is using them? Who creates or maintains these servers? What purpose do they serve, and could they be replicated in a safer environment? Presumably, these are not assets that are being created with the blessing and supervision of IT or security departments.

The best way for you to answer these questions within your environment is to have an ongoing dialogue with people in your organization. The people who use your network are its eyes and ears, and it’s critical that they feel comfortable telling you what products and services are being used, especially those which involve sensitive data.

However, communication is only the beginning. There are other steps you can and should take to identify and remediate insider threats.

Implement Traffic Monitoring and Blocking

While open lines of communication with your employees can bring a variety of important benefits, you should also be checking network traffic to determine which cloud services are being used within your organization, and how often. Getting a sense of what kinds of traffic are normal for your environment can help you see when things have gone amiss, whether because people are creating unapproved cloud services or because a criminal is exfiltrating data from your network.

Plenty of businesses block staff from accessing popular cloud services at the gateway, but be wary that if you do this without discussing it with your employees first, you’re liable to drive shadow IT further underground rather than bring it to light.
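As an added illustration of the traffic-monitoring step above (this is example code, not from the article or from IBM), the following script parses a handful of constructed web proxy log lines, inventories every destination host as a first cut at "which cloud services are in use," separates the hosts that are not on a hypothetical allow list, and flags user-to-host upload volumes that exceed a baseline threshold. The log format, the host names, the allow list and the 50 MB threshold are all assumptions chosen for the example.

```python
"""Shadow-cloud discovery over web proxy logs (added example, not from the article)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log in a hypothetical proxy format:
#   <timestamp> <user> <method> <url> <bytes_out>
SAMPLE_LOG = """\
2020-03-02T09:01:12Z alice GET https://mail.corp.example/inbox 812
2020-03-02T09:02:44Z bob POST https://upload.filedrop-example.net/api/put 48000000
2020-03-02T09:03:10Z alice GET https://approved-crm.example.com/accounts 2048
2020-03-02T09:05:31Z carol POST https://notes.sharepad-example.io/sync 15360
2020-03-02T09:06:02Z bob POST https://upload.filedrop-example.net/api/put 52000000
2020-03-02T09:07:45Z dave GET https://notes.sharepad-example.io/doc/42 900
this line is malformed and must be skipped rather than crash the parser
"""

# Hypothetical allow list of sanctioned services, agreed with IT and security.
APPROVED = {"mail.corp.example", "approved-crm.example.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Request:
    ts: str
    user: str
    method: str
    host: str
    bytes_out: int


def parse_log(text):
    """Parse proxy lines into Request records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, method, url, size = m.groups()
        host = urlsplit(url).hostname
        if host is None:
            continue
        records.append(Request(ts, user, method, host.lower(), int(size)))
    return records


def discover_services(records):
    """Requests per destination host: the raw inventory of services actually in use."""
    return Counter(r.host for r in records)


def unapproved_services(records, approved=APPROVED):
    """Traffic to hosts outside the allow list: who uses them and how much data leaves."""
    out = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for r in records:
        if r.host in approved:
            continue
        entry = out[r.host]
        entry["users"].add(r.user)
        entry["requests"] += 1
        entry["bytes_out"] += r.bytes_out
    return dict(out)


def large_uploads(records, threshold_bytes=50_000_000):
    """(user, host, bytes) triples whose combined upload volume exceeds the baseline threshold."""
    totals = Counter()
    for r in records:
        if r.method in ("POST", "PUT"):
            totals[(r.user, r.host)] += r.bytes_out
    return sorted((u, h, b) for (u, h), b in totals.items() if b > threshold_bytes)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("services seen:", dict(discover_services(recs)))
    for host, info in unapproved_services(recs).items():
        print(f"UNAPPROVED {host}: users={sorted(info['users'])} "
              f"requests={info['requests']} bytes_out={info['bytes_out']}")
    for user, host, size in large_uploads(recs):
        print(f"LARGE UPLOAD {user} -> {host}: {size} bytes")
```

The allow list is the piece that must come out of the conversation with employees that the article recommends: a host that shows up as unapproved is a prompt to ask who needs it and why, not an automatic block. The upload threshold is a crude baseline; in practice it would be derived from each user's or team's normal volume rather than a fixed constant.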

Create an Acceptable Use Policy for Cloud Services

If you already have a serious shadow IT problem, taking time to develop an acceptable use policy that covers cloud services might feel a bit like shoving toothpaste back into the tube. Still, it’s better to be late rolling out thorough policies than never to have them at all. You must have rules in place to clarify the steps that should be taken before a cloud-based asset can be added. This will help to ensure that such devices and services can be monitored and assessed in line with the appropriate predefined security settings.

Make sure these policies include a list of positive actions employees can take in addition to a list of prohibited actions. If you do establish disciplinary consequences for failing to adhere to policies, you must do so in a way that does not make people too afraid to report mistakes or accidents.

Include Cloud Services in Your Risk Assessments

As you identify cloud services in your environment, your next step should be to give them a thorough inspection. Whether you’re simply checking that the services are using the best available security settings or migrating them to an approved platform, you must implement processes that make sure they’re still secure as time goes on.

If you’re not already doing ongoing risk assessments, now is a good time to start. Add any cloud services you identify to your inventory so they are covered by future assessments. It can be tempting to assume that cloud service providers will take care of security measures, but they can’t reasonably be expected to keep us from shooting ourselves in the foot if we make changes that decrease our own security.

Some cloud service providers are trying to do exactly that by providing scanning for misconfigured services, but it’s likely that someone could click through these warnings without fully understanding them, leaving critical data in danger.
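To make the risk-assessment and misconfiguration-scanning points above concrete, here is an added example (not from the article or from any provider's scanner) that runs a few configuration checks over a constructed inventory of cloud assets: a bucket policy that grants access to everyone, a storage bucket without encryption at rest, and a database port reachable from the whole internet. The inventory format, asset names and account identifiers are invented for the example; only the policy documents follow the IAM policy JSON shape that bucket policies use. The final gate function is the part that cannot be clicked through: a high-severity finding simply fails the check.

```python
"""Misconfiguration checks over a cloud asset inventory (added example, not from the article)."""
import ipaddress

# Constructed inventory in a hypothetical format. The "policy" documents follow the
# IAM policy JSON shape; asset ids, account numbers and field names are invented.
INVENTORY = [
    {"id": "customer-exports", "type": "storage_bucket", "encryption_at_rest": False,
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::customer-exports/*"}]}},
    {"id": "internal-reports", "type": "storage_bucket", "encryption_at_rest": True,
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/reporting"},
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-reports/*"}]}},
    {"id": "analytics-db", "type": "database_server",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 5432}]},
    {"id": "web-frontend", "type": "virtual_machine",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "10.0.0.0/8", "port": 22}]},
]

# Administrative and database ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


def is_public_principal(principal):
    """True if a policy statement's Principal grants access to anyone ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def is_world_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that matches every source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def assess(inventory):
    """Return a list of findings, each with the asset id, a severity and a description."""
    findings = []
    for asset in inventory:
        aid = asset["id"]
        statements = asset.get("policy", {}).get("Statement", [])
        if isinstance(statements, dict):      # a policy may carry a single statement
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")):
                findings.append({"asset": aid, "severity": "high",
                                 "issue": f"policy grants {stmt.get('Action')} to everyone"})
        if asset.get("type") == "storage_bucket" and not asset.get("encryption_at_rest", False):
            findings.append({"asset": aid, "severity": "medium",
                             "issue": "encryption at rest disabled"})
        for rule in asset.get("ingress", []):
            if is_world_cidr(rule["cidr"]) and rule["port"] in SENSITIVE_PORTS:
                findings.append({"asset": aid, "severity": "high",
                                 "issue": f"port {rule['port']} open to {rule['cidr']}"})
    return findings


def passes_gate(findings):
    """False when any high-severity finding exists: the asset is not approved until fixed."""
    return not any(f["severity"] == "high" for f in findings)


if __name__ == "__main__":
    results = assess(INVENTORY)
    for f in results:
        print(f"[{f['severity'].upper()}] {f['asset']}: {f['issue']}")
    print("gate passed:", passes_gate(results))
```

Running these checks on a schedule, against the same inventory the acceptable use policy requires new assets to be registered in, is what turns a one-off inspection into the ongoing assessment the article calls for. The gate is deliberately binary so that a warning cannot be acknowledged and forgotten: the finding has to be fixed, or explicitly accepted in the inventory by someone accountable, before the asset is approved.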

Cloud services provide a new way for inadvertent insiders to create holes in our defenses. If poor communication between security staff and the rest of the organization allows shadow IT options to proliferate unchecked, we will be making our own jobs harder. Tools and technology can do a lot to help us see what’s going on in our environment, but listening to the people we work with and communicating why we do what we do are equally important in making our companies’ assets secure.
