Through an arrangement with TechSoup, PND is pleased to offer a series of articles about the effective use of technology by nonprofits.
Are cloud apps creating a security risk for your organization? What can you do to protect yourself against a high-risk employee or volunteer? What should you do to protect yourself against malware? How do you protect your assets if a cloud service is compromised?
Cloud apps are great for productivity, and they're easy to use, but you need to be aware of the security risks that come along with them.
Security for cloud apps is a shared responsibility. Your cloud app provider will secure its application and infrastructure against attack, but it is not responsible for what your users do within your accounts in these apps. It's up to you to establish security controls with respect to your cloud apps as well as educating your users about safety in the cloud.
Welcome to the Cloud Generation. Here are five things you can do to help protect your nonprofit:
Step 1: Do an audit. Find out what cloud apps are being used by members of your organization. If you're not aware an app is being used, then it's "Shadow IT." In this case, Shadow IT would be cloud apps used by employees or volunteers without the knowledge of your IT people. Knowing which cloud apps your employees are using is a key first step for cloud security and compliance.
Every organization underestimates the number of cloud apps they are using. A large organization should do a full inventory using a Cloud Access Security Broker (CASB). On average, a typical enterprise organization will find that they are using more than twelve hundred cloud applications.
Small organizations that don't have IT resources to use a CASB can start by surveying their employees and volunteers to find out what apps they use. And remember, any cloud service that processes or stores data for you, even a simple PDF converter on the Web, counts as a cloud app.
Step 2: Avoid file-sharing mistakes. In our last Shadow Data Report, Symantec found that 29 percent of emails and attachments and 13 percent of all files stored in the cloud are broadly shared and at risk of leakage.
Here's a typical example. An employee creates a Microsoft Office 365, Google Drive, Box, or Dropbox account. Then the employee uploads a file with confidential data and shares that link with someone outside the organization who doesn't have an account with that file-sharing service. So the cloud service helpfully offers a link that can be accessed by anyone.
Your employee then sends the link to a partner or vendor or whomever they think needs it. Although this may seem innocuous enough, the link is public and can be a security threat to your organization. For example, it can be discovered via a web crawler that is searching for a certain list of terms. Hackers looking for "low-hanging" confidential company information often do exactly this. It's important to remind employees about the danger posed by leaving files in the cloud for longer than is absolutely necessary. You want them to close the loop between file drop-off and file pickup by an outside party.
Be careful, as well, with files that contain confidential information. Large organizations should implement a CASB with data loss prevention (DLP) to automatically identify confidential files and apply security controls to protect them.
Small organizations may not be able to use a CASB. You can, however, do simple things like clearly labeling any file with confidential content by including "confidential" or "private" in the file name. You can also apply a "confidential" watermark to the file to make it obvious to anyone using it that they're handling confidential information. Nothing is too obvious when it comes to labeling data files for security.
Lastly, every organization should offer training to its employees and volunteers on a regular basis about what to do and what not to do when handling confidential content (e.g., don't share confidential files using a public link).
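As an added example (not part of the original article), here is a small Python check that applies the two Step 2 controls above to a sharing export: it flags any file labelled "confidential" or "private" in its name that is exposed via a public link, and any public link left open longer than a chosen number of days. The file records, field names, and the seven-day limit are constructed assumptions, not a vendor's schema.

```python
from datetime import date

# Constructed sample of sharing metadata for a few files, shaped loosely like a
# Drive/Box-style permissions export (hypothetical field names, not a vendor schema).
SAMPLE_FILES = [
    {"name": "Q3 donor list - CONFIDENTIAL.xlsx", "shared_on": "2024-01-02",
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"name": "Event flyer.pdf", "shared_on": "2024-01-02",
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"name": "Volunteer schedule.pdf", "shared_on": "2024-01-08",
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"name": "private_grant_budget.docx", "shared_on": "2023-06-01",
     "permissions": [{"type": "user", "email": "partner@example.org", "role": "reader"}]},
]

# Step 2's labelling convention: "confidential" or "private" in the file name.
CONFIDENTIAL_MARKERS = ("confidential", "private")
# How long a public link may stay open before it should be closed (assumed policy value).
MAX_PUBLIC_LINK_AGE_DAYS = 7

def is_public_link(file_record):
    """True if anyone holding the link can open the file (no account required)."""
    return any(p.get("type") == "anyone" for p in file_record["permissions"])

def looks_confidential(name):
    """True if the file name carries one of the confidentiality labels."""
    lowered = name.lower()
    return any(marker in lowered for marker in CONFIDENTIAL_MARKERS)

def audit_sharing(files, today_iso, max_age_days=MAX_PUBLIC_LINK_AGE_DAYS):
    """Return (name, reasons) for each public-link share that breaks policy: a
    confidential label on a public link, or a link open longer than max_age_days."""
    today = date.fromisoformat(today_iso)
    findings = []
    for rec in files:
        if not is_public_link(rec):
            continue  # shared with named users or the domain only: out of scope here
        age_days = (today - date.fromisoformat(rec["shared_on"])).days
        reasons = []
        if looks_confidential(rec["name"]):
            reasons.append("confidential file exposed via public link")
        if age_days > max_age_days:
            reasons.append(f"public link open for {age_days} days (limit {max_age_days})")
        if reasons:
            findings.append((rec["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit_sharing(SAMPLE_FILES, "2024-01-10"):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a real export, the same logic gives a weekly list of links to revoke, which closes the drop-off/pickup loop the text describes.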
Step 3: Identify high-risk employees. High-risk employees share many of the same characteristics, some virtual and some physical. A high-risk employee uses the same password on all her accounts. A high-risk employee moves confidential data out of the organization's system and into personal email accounts to do work at home or while she is traveling. A high-risk employee doesn't password-lock her computer or mobile device and leaves her device open and unattended with regularity.
When dealing with high-risk employees, large organizations can use CASB technology to prevent data exposures, control access and sharing, and monitor high-risk activities. And small organizations without dedicated IT resources can use the built-in security capabilities that come with cloud apps such as Microsoft Office 365, Google G Suite, Box, or Dropbox. Make sure you also educate your users as to what is low-risk versus high-risk behavior; organizations of any size can do this.
For your official cloud apps, make sure your employees are using accounts dedicated to the organization, rather than a mix of personal and professional accounts. And don't make it difficult for employees to maintain remote access; you want them accessing private data in the cloud systems you are monitoring rather than on their unmonitored personal accounts.
Finally, get an identity management solution and multifactor authentication. If you're a small organization, you should at least get all your people using a password management program. You may already have this capability in your endpoint protection, but if you don't, there are very inexpensive consumer options that will do this.
Step 4: Beware of bad actors. Easily guessed logins or unsecured login data make it easier for hackers and malware apps to get access to confidential data. Then, too, a disgruntled employee or volunteer may divulge sensitive data, download malware, send out confidential information, and/or delete data prior to leaving an organization.
What can you do about bad actors? For starters, protect your endpoints against malware so that an infection doesn't affect your user groups or other systems. You can also mandate strong passwords and automate quarterly changes to passwords. (This goes a long way toward preventing disgruntled former employees from logging back in to your accounts after they've moved on.)
Take advantage of multifactor authentication wherever possible. A good CASB will detect malicious user activity in a cloud app. And finally, make sure you develop a standard checklist of things that need to be done to turn off access and delete data for exiting employees and volunteers.
Step 5: Stay alert about data breaches. We see headlines every day about cloud app vendors being breached. If one of your organization's cloud services hits the news, it should send you an email or a notification about your data — especially if your data has been compromised.
If one of your cloud apps is breached, notify all employees to change all their passwords for that app immediately. Then take a look at the data your organization has in the app and determine whether it's a serious problem if it was exposed.
If you have confidential data involved in one of these big breaches and it belongs to your clients, sponsors, or constituents, you may be required to notify them. (Involve your legal or IT security team members in this conversation prior to notification and be sure to solicit their expert advice.)
Last but not least, you should assess whether you want to continue using the app; there may be a more secure cloud app out there that can perform the same function. Organizations with a CASB can easily do a security comparison on similar cloud apps to help guide their decision.
Most of the time, cloud apps improve organizational workflows, reduce expenses, and in general improve an organization's efficiency. It's important, however, to be aware of the risks that come with cloud app use, so get informed about your options and plan your next steps accordingly.
Deena Thomchick is senior director of cloud security at Symantec.