1.5 Billion Business and Consumer Files Exposed Online from Poor Cyber Security Policies

A recent report showed that 1.5 billion business and consumer files are exposed online – four thousand times larger than the Panama Papers leak. This puts businesses and consumers at risk, and could have been mitigated by addressing poor cyber security policies – here are our thoughts:

The research clearly shows we are still lacking when it comes to protecting our sensitive information. Although not as targeted as the Panama Papers, the amount of unprotected data freely available online is a serious worry for both businesses and consumers. Worse still, in many cases a simple configuration fix would have protected this data.

What is truly worrying is the number of exposed storage platforms, such as Amazon S3 buckets. A bucket that allows anonymous listing and reads can be crawled and indexed by search engines, so an attacker does not need to break in; they only need to search. This leaves businesses very exposed to attack.

Attacks resulting in data breaches are all too common now, particularly against cloud storage that has been left on permissive or misconfigured access controls. Fixing these issues is simple: it is a matter of tightening the configuration to secure settings, such as blocking public access at the bucket level and granting read permissions only to named principals. Organisations also have to prioritise ongoing automated scanning and testing to find out whether they are exposed in this way.
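As an added example (not from the report or this article), the script below checks S3 bucket policy documents for the anonymous read grant described above and shows the bucket-level setting that prevents it. The three policy documents, the bucket name, the account number and the role name are constructed for illustration; the Block Public Access field names are those of the S3 PublicAccessBlockConfiguration API.

```python
"""Offline check of S3 bucket policy documents for anonymous read access,
plus the bucket-level setting that closes the hole. Constructed example:
the policies, bucket name, account id and role name are placeholders."""
import fnmatch
import json

# Weak setting: anyone on the internet may list the bucket and fetch objects.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# Corrected setting: read access only for one named IAM role in the account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Needs a human look: Principal "*" narrowed by a Condition (here to one
# VPC endpoint), which may or may not be sufficient.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:Get*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Actions that let a caller discover or read data. Policy Action entries may
# be wildcards such as s3:* or s3:Get*, so they are matched as glob patterns.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_anonymous(principal):
    """True when the Principal element names everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _is_read_action(action):
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(a, pattern) for a in READ_ACTIONS)


def classify(policy_json):
    """Sort Allow statements by Sid into 'public' (anonymous principal, read or
    list action, no Condition) and 'conditional' (same, but with a Condition
    block that must be reviewed by hand, since not every condition narrows
    who can call)."""
    policy = json.loads(policy_json)
    result = {"public": [], "conditional": []}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _grants_anonymous(st.get("Principal")):
            continue
        if not any(_is_read_action(a) for a in _as_list(st.get("Action", []))):
            continue
        key = "conditional" if st.get("Condition") else "public"
        result[key].append(st.get("Sid", "<no Sid>"))
    return result


# S3 Block Public Access settings. With all four on, a policy like
# PUBLIC_POLICY is rejected when it is put, and public ACLs are ignored,
# regardless of what any individual policy says.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_access_block_complete(config):
    """True only when every Block Public Access flag is explicitly on."""
    return all(config.get(key) is True for key in PUBLIC_ACCESS_BLOCK)


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY),
                      ("conditioned", CONDITIONED_POLICY)):
        print(f"{name:12s} {classify(doc)}")
    print("block public access complete:",
          public_access_block_complete(PUBLIC_ACCESS_BLOCK))
```

In practice the policy document would be fetched with GetBucketPolicy and the block settings with GetPublicAccessBlock for every bucket in every account, on a schedule; the point of the offline checker is that the logic is small enough to run in a pipeline rather than as a one-off audit.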

The problem is worsened by third parties and contractors, who expose critical information online. This becomes an issue for businesses that may be spending a lot of money securing their own systems, only to find their data left exposed by somebody else.

We need to start thinking of cyber security policies as more than a box-ticking exercise, because that approach is leaving us vulnerable. We need to implement stronger security policies and assessments to ensure we are not exposing sensitive information online.

One way businesses can review their practices and policies is through Red Teaming, an approach developed by elite teams and military units to independently test the effectiveness of strategy, tactics and personnel.

A Red Teaming exercise simulates how attackers conduct cyber attacks, looking for vulnerabilities online, in third parties and at physical premises. It is a multi-threaded assessment of your organisation that covers attacks on your networks, sites and applications, social engineering and physical defences, and it is one of the most comprehensive tests of your cyber security policies and practices.

It is time Australia picked up its game when it comes to protecting its sensitive information and data. Real-world adversaries are not waiting for victims to build well-established security programs. They go for the easy targets, often at scale, costing Australia upwards of $2 billion a year. Leaving data exposed online is just making their job easier, and it is time we started doing the simple things right.