Cybersecurity professionals know all too well that crises tend to breed new threats to organizational security. The current COVID-19 pandemic is evidence of this. Health agencies are being attacked, massive phishing operations are underway, and security flaws in leading communications platforms are coming to light. Even on an individual basis, people are more susceptible to scams, fraud and manipulation in times of fear. From January 1 until today, the US Federal Trade Commission has received over 124,140 fraud and ID theft reports related to COVID-19, with people reporting losses upwards of $80.3 million.
A recent PwC report found that a staggering 96% of executives are shifting their cybersecurity strategies due to COVID-19. While the majority of these changes are likely long overdue, the transition to the cloud isn't a simple "lift and shift" of servers from on-premises to the cloud, but rather a complete rearchitecting of how applications are built, shipped and secured. But as organizations race to up-level their hybrid/multi-cloud strategies, many cybersecurity executives are hitting roadblocks that are preventing them from properly securing their cloud infrastructure. What is causing the delay? Most organizations' approach to cloud security is deeply flawed, as I'll explain below. At best, the dominant approaches to cloud security result in wasteful spending and slow teams down.
IT companies are the driving force behind investments in cloud security, according to a recent survey by Netwrix Corp., a provider of a visibility platform for user behavior analysis and risk mitigation in hybrid IT environments. In November 2017 the company surveyed 853 organizations worldwide that are public or hybrid cloud users, and found that 80 percent of technology and IT businesses get support from top management for cloud security initiatives. That's more than any other industry surveyed. The survey revealed cloud security trends within particular industries. For example, malware is the security threat most feared by healthcare organizations (61 percent) and government entities (60 percent), though it is the number two concern for all industries surveyed.
This full spectrum includes phishing, application, device and network threats. Each of these four threat vectors has three components of risk: internal or external threats, mobile app vulnerabilities and user behavior, which includes changes to device configurations such as rooting or jailbreaking. For example, an organization may build a custom business app and deploy it to all employees while not realizing the app leaks data because it uses insecure data storage or transmission practices. In this case, mobile security would detect configuration vulnerabilities that could lead to data leakage. In fact, mobile security can detect these vulnerabilities before the app gets distributed to users.
Developer security champions are members of the development team who can translate application security into a language that the rest of the developers can understand. These champions embed application security knowledge where it's needed most: with the dev team. Simple steps can make the difference between losing your online accounts and maintaining what is now a precious commodity: your privacy. Earlier this week, I spoke with the members of Forrester's Security & Risk Council about developer security champions programs. We discussed the key steps to building a successful program, a couple of council members shared their own experiences with creating developer security champions programs, and we engaged in a group exercise with breakout sessions (a technological and organizational ballet when you're doing all this virtually).