Robert Herjavec, founder and CEO of the Herjavec Group and investor on “Shark Tank,” sat down with Mediaplanet to discuss how businesses should navigate security in the age of cloud computing.
What questions should businesses ask their Cloud Solution Provider?
For a long time, the cloud was a scary place that businesses were afraid of: a place that brought greater risk for your data and a new gateway for exploitation. However, the ease and accessibility of cloud quickly made it the popular choice, and actually, in some ways, the more secure choice.
Before knowing what to ask your Cloud Solution Provider (CSP), it’s important to understand the role your CSP plays. Typically, your CSP is the one that takes care of the physical security of its data centers, equipment, and cloud infrastructure, while you, the customer, are responsible for everything that runs through that cloud infrastructure.
There are a few questions you need to answer yourself that should frame your conversation on how your CSP can support you:
- How are we going to use this cloud solution?
- What infrastructure, software, or platform implications will it have for the business as a whole?
- What model will work for my business?
- What do I need to abide by in the cloud in terms of compliance? Does my industry or geographical location treat the cloud differently?
Fine-tuning the answers to these questions will drive your business decisions and align you with the best CSP that will fit your requirements.
What steps should every business take to secure its data on the cloud?
BYOC – bring your own controls. But let’s add another layer: Move at the speed of cloud. We are in the cloud era and security teams need to find ways to support this change by finding solutions that work with the cloud just as they have been doing for on-premises environments – it’s all about a shift in attitude.
The reality is that businesses have the responsibility to make sure that their data is secure in the cloud. The need for good security practices, no matter where the data is housed, is important.
When an organization decides to move to the cloud, its security program needs to evolve with this change – specifically, the identity program, data protection program, and application security program must make strides forward. One of the biggest issues we’re seeing right now is that as businesses use and apply more applications in the cloud, they don’t adjust their security controls at the same pace.
Think about it – when you park your car, you automatically lock it. Why? To deter people from getting in. Now, if they really wanted to get in, they could. But why would you want to help them? The same goes for adjusting your security controls. You’ve got to deter cyberthreats. Security isn’t perfect, but you’ve got to do your part to prevent the breach.
Following an unwanted breach, what steps can businesses take to help mitigate the damage?
You don’t want to find yourself in this position without a well-thought-out Incident Response (IR) plan. It is important to prepare for the inevitable, because it’s not a matter of if you will be targeted, but when. If you talk to anyone at my company, Herjavec Group, they would agree that this should be a mandatory component of your security program.
No matter how secure you think your environment is, an IR plan with a hybrid response (cloud-centric or on-premises response) is critical. The tools you use to respond and mitigate a breach will be different based on the environment. At the end of the day, it’s not on your CSP to mitigate the breach, but a business needs to work with it to see where the gaps are. Who got in and what did they get?
How has the threat of hackers evolved over the last year? What should businesses be on the lookout for?
Focus on your environment. Instead of looking at threats on a broad scale, businesses need to narrow down and focus on the threats relevant to them. You need to understand what type of attack you are most likely to be susceptible to given your operation, your specific vertical, etc., and understand how your “crown jewels,” the core information that will keep you in business, are protected.
To be proactive, you should perform a threat modeling exercise against a trusted industry framework like the MITRE ATT&CK framework. This helps you map your technology, controls, processes, and overall capabilities against the most likely points of attack in your space.
What are the commonalities between the types of businesses that are victims of a cyberattack?
Cybersecurity is not set-it-and-forget-it, and organizations need to be reminded to take a step back and think about the fundamentals of building out a good security program that is consistently fine-tuned.
Those who fall victim to cyberattacks often have poor cyber hygiene or a lapse in process.
Let’s take a look at vulnerability management, specifically identity and password management. Passwords are easy to compromise and unfortunately, it is a recurring theme. Identity breaches are growing in popularity. All you really need is a tidbit of information to gain access and compromise a network. Hackers do not discriminate between their targets; they are looking for organizations with weaknesses in their security environments.