One simple-to-correct bad practice makes it needlessly easy for hackers to bring organizations to their knees
Extortion and blackmail are about as old as humanity. What changes is the means by which they are carried out. As our ecosystem becomes increasingly digital, so do our threats. The last several years have seen the rise of ransomware, most typically characterized by extortion in the form of encrypting company information that is (sometimes) released upon payment. As Bleeping Computer reports, new tactics are evolving from extortion to blackmail. More than just kidnapping company information, attackers are now threatening to publicly post sensitive information. Surprising? Not really.
These attacks exploit the digitization of our world. With information more fluid than ever, organizations have been able to gain unbelievable levels of productivity. However, that same fluidity has made the information hard to contain. Indeed, as we posted recently, email, by itself, is probably the most pervasive agent of data sprawl, generating an estimated 55,000 file duplicates per employee per year across a multitude of devices, inside and outside of the organization. Email, and the vital attachments it carries, has vastly lowered the bar to information compromise by spreading company data everywhere. The area of this spread is what cybersecurity experts term the “threat surface”. We know that with email, the threat surface is massive and, for the vast majority of it, completely uncharted. In other words, no one has any idea where the data is. Furthermore, data in email is completely unprotected. If you get the email, you get everything inside of it.
Email embodies the perfect nightmare for information security: it is ubiquitously used, self-replicates with viral efficiency, offers no protection for its contents and is untraceable, meaning that access to its contents leaves no audit trail because no authentication is required.
What if instead of trying to defend our data sprawl, we duplicated ten times less of it and put it somewhere safer?
It follows that to keep hackers from our data, we need to stop replicating content unnecessarily, better protect it and require traceable authentication to access it. An easy-to-use technology that matches these criteria already exists, namely, cloud content storage (e.g. Box, Egnyte, Google Drive, Microsoft OneDrive, etc.). Files shared as cloud storage links are encrypted, require strong authentication and provide detailed access logs (date, time, user, IP address, etc.). When comparing file sharing via cloud storage links versus email attachments, the difference is huge. Not only does cloud storage offer file protection, it also reduces the data sprawl, or the number of files, by a factor of 10! Furthermore, with cloud storage, all files point back to a single system, allowing the company to better defend a single silo. With email, every system and end user device that receives email becomes a silo that needs to be defended.
An organization that has adopted the sending of files with secure cloud storage links is a far harder target. Imagine the frustration of hackers when they can no longer find files in the email system or user devices. Instead, they only find messages with secure cloud storage links, each protected by advanced cloud storage security policies. It is important to note that the organization that uses cloud storage links protects not only file exchanges through internal emails but also all emails sent externally. In other words, no need to trust the security of your partners.
Email’s antiquated 1970s-era design, coupled with its widespread use, is greatly facilitating our vulnerability to external threats. Email is a vital medium that can continue to be used with much greater safety once we adopt the modern file sharing technologies of today. User training to get users to adopt file links, or technologies like mxHero that automate the adoption, radically change the security landscape. After all, there can be no exposure if there is nothing to expose.
No email attachments.
Originally posted on Medium