Cloud apps are great for productivity, and they are easy to use, but you need to be aware of the security risks that come along with them. Welcome to the Cloud Generation. Here are five things to do to help protect your nonprofit.
Step 1: Do an Inventory on Cloud Apps
Any cloud service that processes or stores data for you, even a simple PDF converter on the web, counts as a cloud app. Knowing which cloud apps your employees use is a key first step for cloud security and compliance. Organizations consistently underestimate the number of cloud apps they use.
A large organization should do full discovery with a Cloud Access Security Broker (CASB). Small organizations that lack the IT resources to use a CASB can survey their employees and volunteers to find out what apps they use.
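The survey approach relies on people remembering what they use. Where an organization has web-proxy or firewall logs, a small script can produce the same inventory from observed traffic. The following is an added example, not code from the article or from any CASB product: it reads constructed proxy log lines in a simplified, assumed format (timestamp, user, destination host, bytes sent), collapses hosts to their registrable domain, and splits the result into sanctioned apps and domains that need review, ranked by how much data was sent to them. The sanctioned-app list and the log format are assumptions for the example.

```python
"""Shadow cloud-app inventory from web-proxy logs (added example).

Assumes a constructed, simplified proxy log format, one request per line:
    <timestamp> <user> <destination-host> <bytes-sent>
Real proxy logs differ; adapt parse_log() to the fields your proxy writes.
"""

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-02T09:01:10Z alice drive.google.com 4096
2024-05-02T09:02:44Z alice docs.google.com 812
2024-05-02T09:05:03Z bob app.box.com 120500
2024-05-02T09:07:19Z carol www.dropbox.com 98000
2024-05-02T09:09:51Z bob api.pdf-convert-free.example 2048000
2024-05-02T10:11:02Z dave www.dropbox.com 500
2024-05-02T10:12:30Z alice outlook.office365.com 300
2024-05-02T10:15:00Z erin api.pdf-convert-free.example 1200
"""

# Apps the organization has officially approved (hypothetical policy data).
SANCTIONED = {
    "google.com": "Google Workspace",
    "office365.com": "Microsoft 365",
    "box.com": "Box",
}


def registrable_domain(host):
    """Collapse a hostname to its last two labels.

    This naive rule is enough for the constructed sample; production code
    should use a public-suffix list so that e.g. 'example.co.uk' is handled.
    """
    return ".".join(host.lower().split(".")[-2:])


def parse_log(text):
    """Yield (user, registrable_domain, bytes_sent) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, host, nbytes = line.split()
        yield user, registrable_domain(host), int(nbytes)


def build_inventory(text):
    """Aggregate per-domain users, request counts and bytes sent."""
    inventory = {}
    for user, domain, nbytes in parse_log(text):
        entry = inventory.setdefault(
            domain, {"users": set(), "requests": 0, "bytes_sent": 0}
        )
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_sent"] += nbytes
    return inventory


def classify(inventory):
    """Split the inventory into sanctioned apps and domains needing review."""
    sanctioned, to_review = {}, {}
    for domain, entry in inventory.items():
        record = {
            "app": SANCTIONED.get(domain, "unknown"),
            "users": sorted(entry["users"]),
            "requests": entry["requests"],
            "bytes_sent": entry["bytes_sent"],
        }
        (sanctioned if domain in SANCTIONED else to_review)[domain] = record
    return sanctioned, to_review


def prioritize(to_review):
    """Order unsanctioned domains by data volume sent, largest first.

    A small, unknown service receiving megabytes of uploads is the case
    the article warns about (e.g. a web PDF converter), so it sorts to the top.
    """
    return sorted(to_review.items(), key=lambda kv: kv[1]["bytes_sent"], reverse=True)


if __name__ == "__main__":
    sanctioned, to_review = classify(build_inventory(SAMPLE_LOG))
    print("Sanctioned:", sorted(sanctioned))
    for domain, rec in prioritize(to_review):
        print(f"REVIEW {domain}: users={rec['users']} bytes_sent={rec['bytes_sent']}")
```

The output is a starting list to confirm with the employees involved; the point is that the unknown PDF converter, which a survey would likely miss, shows up first because of the volume of data sent to it.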
Step 2: Avoid File-Sharing Mistakes
In its most recent Shadow Data Report, Symantec found that 29 percent of emails and attachments and 13 percent of all files stored in the cloud are broadly shared and at risk of leakage.
Here's a typical example. An employee creates a Microsoft Office 365, Google Drive, Box, or Dropbox account. Then the employee uploads a file with confidential data and shares that link with someone outside the organization who doesn't have an account with that file-sharing service. So the cloud service offers a link that will be accessible by anyone who has it. Then your employee sends that link to a partner or vendor or whoever they think needs the data.
Although this scenario may seem innocuous, that link is a public link and can be a security threat to your organization. The file access link can be discovered by a web crawler that searches for certain terms. Malicious outsiders do this often, looking for easily obtained information about a company. It's important to train employees regularly not to leave files in the cloud for longer than absolutely necessary.
Be careful with files that contain confidential information. Organizations can implement some simple techniques, such as labeling any file that has confidential content with the word "confidential" or "private" in the file name. They can also use a "confidential" watermark in the file to make it obvious to anyone who uses it that it is confidential information.
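The two steps above, finding files shared by public link and labeling confidential files in the name, combine naturally into a periodic sharing audit. The following is an added example, not code from the article or from any file-sharing vendor: it runs over a constructed list of file records whose permission entries are loosely modeled on the shape that file-sharing services export (an entry of type "anyone" is a public link, "domain" is organization-wide, "user" is a named person), flags public links and external users, and raises the severity when the file name carries one of the labels the article recommends. The organization domain, the file records and the severity rules are assumptions for the example.

```python
"""Audit file-sharing permissions for public links and external users (added example).

The record shape below is a constructed approximation of what sharing
services export; it is not any specific vendor's API format.
"""

ORG_DOMAIN = "example.org"                     # assumed organization domain
SENSITIVE_MARKERS = ("confidential", "private")  # labels the article recommends

# Constructed sample file records (not real data).
SAMPLE_FILES = [
    {"id": "f1", "name": "Board minutes - confidential.docx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.org"},
         {"type": "anyone", "role": "reader"},                 # public link
     ]},
    {"id": "f2", "name": "Volunteer schedule.xlsx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "bob@example.org"},
         {"type": "user", "role": "writer", "emailAddress": "vendor@partner.example"},
     ]},
    {"id": "f3", "name": "Donor list PRIVATE.csv",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "carol@example.org"},
         {"type": "domain", "role": "reader", "domain": "example.org"},  # internal only
     ]},
    {"id": "f4", "name": "Newsletter draft.docx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "dave@example.org"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": True},  # searchable
     ]},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def is_sensitive(name):
    """True if the file name carries a confidential/private label."""
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


def exposures_for(permissions):
    """List the ways a file is exposed beyond the organization."""
    found = []
    for perm in permissions:
        if perm["type"] == "anyone":
            found.append("public_link")
            if perm.get("allowFileDiscovery"):
                found.append("public_searchable")  # findable by crawlers/search
        elif perm["type"] == "user":
            email = perm.get("emailAddress", "")
            if not email.lower().endswith("@" + ORG_DOMAIN):
                found.append("external:" + email)
        # type "domain" restricted to ORG_DOMAIN is internal sharing; not flagged
    return found


def severity(exposures, sensitive):
    """Assumed severity rule: public + labeled sensitive is the worst case."""
    public = any(e.startswith("public") for e in exposures)
    if public and sensitive:
        return "high"
    if public or sensitive:
        return "medium"
    return "low"


def audit(files):
    """Return findings for every file with at least one exposure, worst first."""
    findings = []
    for f in files:
        exposures = exposures_for(f["permissions"])
        if not exposures:
            continue
        sensitive = is_sensitive(f["name"])
        findings.append({
            "id": f["id"],
            "name": f["name"],
            "sensitive": sensitive,
            "exposures": exposures,
            "severity": severity(exposures, sensitive),
        })
    findings.sort(key=lambda x: SEVERITY_RANK[x["severity"]])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(f"[{finding['severity'].upper()}] {finding['name']}: {finding['exposures']}")
```

Run against a real export, the "high" findings are the confidential files sitting behind public links, which is the exact case the article describes; the internal-only donor list produces no finding because a domain-restricted share is not a leak.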
Step 3: Identify High-Risk Employees
High-risk employees have many characteristics, some virtual and some physical. A high-risk employee uses the same password on all their accounts. A high-risk employee moves confidential data out of the organization's system and into personal email accounts to do work at home or while they travel. A high-risk employee doesn't lock their computer or mobile device with a password and leaves their device open when they walk away.
To manage high-risk employees, large organizations can use CASB technology to prevent data exposures, control access and sharing, and monitor high-risk actions. Even small organizations without dedicated IT resources can use the built-in security capabilities that come with cloud apps like Microsoft Office 365, Google G Suite, Box, and Dropbox. Make sure you also educate your users on what is low-risk versus high-risk behavior; organizations of any size can do this.
For your official cloud apps, make sure employees use accounts that are dedicated to the organization, rather than a mix of personal and professional accounts. Make it easy for your employees to maintain remote access. You want them to access private data in systems that you monitor rather than on their unmonitored personal accounts.
Finally, get an identity management solution and multifactor authentication. If you are a small organization, you can at least get all your people to use a password management program. You may already have this capability in your endpoint protection, but if you don't, there are inexpensive consumer products available for this.
Step 4: Beware of Bad Actors
Easily guessed logins or unsecured login data help hackers and malware get into cloud apps and reach confidential data. A disgruntled employee or volunteer may divulge sensitive data, download malware, send out confidential information, or delete data before they leave an organization.
What can you do about bad actors? You can protect your endpoints against malware, so that infection doesn't affect your user group or other systems. You can mandate strong passwords and automate quarterly changes. This alone can keep a malicious insider out of your accounts after they've gone to a competitor.
Take advantage of multifactor authentication everywhere that you can. And finally, make sure that there's a standard checklist when employees and volunteers in every role depart so that you turn off access and delete data.
Step 5: Stay Alert About Data Breaches
You see articles in the news every day about vendors of cloud apps who suffer breaches. If one of your organization's cloud services hits the news, it should send you an email or a notification about your data. This is especially true if your data may have been compromised.
If one of your cloud apps is breached, notify all employees to change all of their passwords for that app right away. Then look at what data your organization has in that cloud app and ask if it would be a problem if it were exposed.
If you have confidential data that is involved in one of these big breaches and it belongs to your clients, sponsors, or constituents, you may be required to notify them. Involve your legal or IT security team members in this discussion prior to notification and ask their advice.
After you've done this, you should evaluate whether you want to continue to use this cloud app. There may be a more secure cloud app that can perform the same function for you.
Cloud apps improve your workflow, reduce your spending, and make you a more efficient organization. However, it's important to be aware of the risks, get informed about your options in monitoring, and plan your responses.