Data security breaches have become a significant issue for companies large and small, and the problem is only set to grow as more devices and applications are used inside and outside companies’ facilities to access corporate data, according to Microsoft executives speaking during a June 30 webinar.
“We are in turbulent times,” said Ann Johnson, VP of Microsoft’s Enterprise Cybersecurity Group. When one looks at the news, “you’ll see a breach every single day practically, where millions of customer records were lost — at least it feels that way,” she said.
Last year alone, 160 million customer records were compromised, and the estimated cost of each breach was more than $3 million to businesses, she said. But the “scariest thing” is that the people responsible for those breaches are “in your environment for over 200 days” before they are detected, she said, adding: “Can you imagine the impact on your household if someone broke in and had unfettered access for over 200 days? Can you imagine the damage they can do? Now think about someone being in your [IT] environment — in your data, in your systems for over 200 days.”
The problem has only grown as the IT environment changed in recent years, she said. In the past, there was a more “locked-down” environment in which there would be a computer on one’s desk with access to a company’s system and that access could be easily controlled, she said. There was a “hard perimeter,” along with firewalls, routers, antivirus controls, and “maybe you had strong authentication,” she said, adding: “It was a really controlled environment.”
But all that has changed now. “You have people bringing their own applications. You have people bringing their own data. You have people bringing their own devices. They’re traveling remotely. They’re using tablets. They’re using mobile devices. They’re everywhere – and all times of day and night,” she said. All of these factors have made controlling the IT data environment much more difficult, she said.
Companies must better secure the applications they are using because applications “will become the next big threat vector,” she predicted. “As we lock everything else down, we need to think more strongly about secure coding” for applications, as well as “rogue apps,” she said.
Security threats can “come in from anywhere” in the IT environment now, be it a device or an employee, wherever the weakest point is, she said, pointing out that breaches can be carried out via phishing attacks and “social engineering,” among other methods. But “identity is still where over 60% of breaches start,” she said.
Security needs to be embedded in applications, but it must be done in such a way that it doesn’t prevent that application from functioning the way it’s supposed to, she said. It’s “really hard … to balance that” as an IT professional, she said.
But that balancing must be done because brand reputation is at stake when it comes to security breaches. “Nobody wants to be the next company in the news because you had a massive breach and lost a large amount of customer records, or you lost critical IP data out of your company, or worse yet, you lost something that could actually be a threat,” Johnson said.
Companies must, therefore, put a lot of controls in place to prevent breaches from happening, she said. But if a company suspects there’s been a breach, it’s important that it assume there has been one and quickly set out to “mitigate the damage,” she said.
Best practices for companies include making sure they have “visibility” into their assets, wherever those assets are, she said. Behavioral analysis is an important tool and companies must work with their cloud providers to best determine what security controls to put in place, she said. Companies must also manage whatever devices employees are using at work, she said, pointing out those devices may transfer malware to the company’s IT system.
Companies must also develop policies governing the use of the software-as-a-service (SaaS) applications their employees use at work, apply rights management to the applications that are approved, and then monitor the use of those applications, said Julia White, GM of Microsoft’s Cloud Platform Product Management.
The Microsoft Secure platform is designed to help companies put security controls in place to prevent breaches, White said. “We know people will not use technology if it’s not secure,” she said. When it comes to security, Microsoft is taking advantage of all its assets, including its Office and Azure cloud computing platforms that customers are using each day, she said.