Why you need to know all the cloud services that your organisation uses

by | May 29, 2021 | News, Security

If you don’t where it is, you can’t protect it.

Do you know where ALL your organisation’s data is – not physically, but on which web and cloud services?

Here’s the problem.  If you don’t where it is, then you can’t protect it. The secondary problem is finding out, because not everyone in your organisation will be onboard.  It is common for people to sign up to web services because they offer something useful that helps them do their job.

They sign up using their email address and creating a password.   There is the first headache – how does anyone track what has been signed up to across your organisation, let alone who has access to it? If that person leaves, no one will change the account credentials if they don’t know about it, but your ex-colleague still has access.

Secondly, what data do they upload?  Is that data that you have a legal or moral responsibility for?

 

There’s nothing noble about Nobelium.

This isn’t theory – it’s real.    USAID is a pretty important US organisation – promoting democracy and human rights around the world.  Turns out, someone there was using a well-known email database tool called Constant Contact.  But their account wasn’t well protected. Worse still, their account had a huge mailing set up, and of course, it had all the official USAID templates.

So, these Nobelium people, allegedly a Russian state-sponsored hacker group, compromised the Constant Contact account and sent a bulletin out.  The bulletin contained malware that allowed the hackers to take command and control over victims computers.  Ironically the fake email alleged interference in the US federal elections.

So, what can you do?

The first step is knowing what SaaS tools your people are using.  We call this SHADOW IT and it is inevitable.  Rather than stopping it, the job IT has is to identify it and manage it.  The second step is to secure those platforms.  That’s why our KARE for Security S2 plan contains a useful tool to help you identify what services your people are using.

Refer : What We Know About The Apparent Russian Hack Exploiting USAID : NPR

Security Training and Awareness offer

Security Training and Awareness offer

We are deploying some new tools for our KARE for Security clients. For a limited time we can share these with all our clients to give you and your colleagues some great e-security awareness training. The holiday season is targeted by scammers, they know that employees...

Helping you with Cyber Insurance Audit Forms

Helping you with Cyber Insurance Audit Forms

Cyber Security Audits are increasingly common. One cause is that we're seeing more boards ask about cyber security posture, and frankly every board needs to be asking about that. The other major prompt we see is when our clients are applying for cyber security...

Don’t be in the 67,500

Don’t be in the 67,500

It might be our nearest neighbour, rather than us, but its still a good indicator of the trends that we're also seeing in New Zealand. We have to remember that much cyber-crime is still not reported.  Whether it's out of embarrassment or commercial sensitivity, we...

Urgent – “Zero Day” exploit 9 Sept 2021

Urgent – “Zero Day” exploit 9 Sept 2021

Today's news is full of stories about increased cyber-threats in NZ - Cyber attacks against Kiwibank, ANZ, NZ Post, MetService - experts see lockdown link - NZ Herald We've seen several days of issues caused by these "DDOS" attacks.   Overnight, another...

Have you heard about “typosquatting”?

Have you heard about “typosquatting”?

"Typosquatting" is the name given to criminals pretending to be someone they aren't - taking a domain name that uses a clever combination of legitimate-looking original sender email addresses, with spoofed display sender addresses that contain the target usernames and...

Cyber-war Seminar

Cyber-war Seminar

Stories from the Cyber-war The simple reality is that cyber-crime is now a mega-business.  The cost and effort to combat it grows all the time. "Is it worth it?"  Good question.  Every organisation needs to choose a level of security and resulting cost, effort and...