Data Privacy Day: How Working From Home & Off The Cloud Impacts Cybersecurity
In case you were not already aware, Thursday, January 28th, 2021, is Data Privacy Day. With the world being connected through clouds more than ever, Data Privacy Day is meant to serve as a reminder that we all need to be more aware of our technologies and how they ultimately impact our privacy.
Here at Soda PDF, we are celebrating the day by educating ourselves on all things related to cybersecurity. And there is no better person to educate us on the severity of these online threats and how to protect our information than LinkedIn Top Voice of 2020 and cybersecurity expert, Alexandre Blanc.
Mr. Blanc has been working as a cybersecurity expert for over a decade now, and he has seen his fair share of companies that either mishandle their cybersecurity or need to step up their best practices. From swatting off ransomware attacks to preventing devastating data hacks and everything in between, Alexandre Blanc is the man who wants to save the world by keeping your data private and secure.
Without further ado, here is our recent conversation with Alexandre Blanc, in which we sought a better understanding of how data hacks happen, what we can do to stop them, and how we can learn to follow best practices and do our part in ensuring online safety for all.
Q: What is the biggest threat facing companies these days when it comes to cybersecurity?
AB: That’s an easy one! Ransomware and related data exfiltration.
Nowadays, you see it everywhere on the news: companies and organizations getting hit by ransomware. What happens with ransomware is, before encrypting your whole (data), they steal everything. The second threat is that not only do you have to pay to decrypt, but if you don’t pay to decrypt, they are also going to release the data (to the public).
Also, these are criminals. They will distribute the data anyway, so you should never pay—you should have proper backups.
In regards to defending an organization nowadays, it’s very complex, because basic cybersecurity principles that have been around for decades, but have yet to be applied, like least privilege and access control, are not deployed in SMBs. Most businesses don’t.
People don’t realize that most hacks happen from very basic exploits, usually involving abuse of human weaknesses.
It’s enough for an attacker to find one single hole in your defense to compromise the whole organization. Defenders, who are called the ‘blue team’, have to control the inventory of everything, every single point of the attack surface, and audit it continuously, with millions of attacks every second. So, it’s a huge challenge.
Enhancing the cybersecurity culture and mitigating impacts with compensating measures is, so far, the only way you can limit damages, but it will also have to include the early detection of threats.
Right now on the market, the average discovery time for an organization that has been compromised is many months. So, criminals are in the organization for a long time before they get caught. So, that’s a huge thing.
Q: How has working from home shifted the cybersecurity landscape?
AB: As I said, the perimeters are gone. Basically, before (COVID-19) everyone was at a workstation within a company—this is the physical access control—no one can get in without passing through reception. It’s not “open to the public” and the network there has protection.
At home, there is no reliable firewall. There is no security protection or physical access control. Device management and access audit do not exist either, unless you have management solutions or mobile management solutions.
At home there is no network policy, no more perimeter, because people work outside of corporate networks. The assets, instead of standing in a protected and secured environment as I’ve said, are connected directly in a corrupted environment.
What most people don’t know is that most home networks and private PCs are infected (or hacked). They host malware, they just don’t know it because they never catch it.
So this means that most security controls that were relevant before are irrelevant today! (Laughs) We must shift to a service and access-based approach involving continuous diagnosis and mitigation over the data access, rather than access to a network. So that’s the shift that is caused by remote work.
Q: Is working from home causing more threats to businesses?
AB: Remote work is clearly changing the attack surface of the organization.
Actually, the growth of the threat with private and personal devices did start with B.Y.O.D., or “Bring Your Own Device”. As soon as people started to configure their professional emails on their private phone, the control is lost, because emails carry data, so that’s one thing.
But in the case of the shift to remote work, you lose control over who can access and lose control over the audit. This shifts the requirements and the toolset needed to achieve that task. And again, this must be compensated with people training and policy reminders set by the company and their contracts with employees.
When you start at a company, you sign all of these papers (…) but we barely get a reminder. Do you remember, after one year at a company, what you signed and what you should do and shouldn’t do? (Laughs) No, we don’t!
As a security professional, I know the best practices and I am going to stick to them, but most people don’t remember, because it’s not their job. As human beings, we need constant reminders about the evolution of the threat landscape, how (criminals) are trying to steal, and what you shall and shall not do with the company’s assets, data, and information.
Q: What can businesses and employees do to stay safe?
AB: The good part is that we can learn from what we got through. We can train staff, keep them informed about threats, and implement security controls accordingly, because even if the environment changed, we can still have security controls in place, just the implementation is quite different.
It’s not about throwing millions of dollars at security appliances, it’s about embracing a security culture and a security architecture. It’s more about adjusting than bolting on (…) anti-malware and other technology like that. We need a security culture and to teach people how to behave with this new norm.
Q: What actions can employees take now to help their organization?
AB: There’s a saying in surfing, “When in doubt, don’t go out.”
So that’s the same when it comes to company data. If you’re in doubt, don’t do it. Ask your IT department, ask your manager. If you have any doubt and you’re unsure, you should have due care, which is one of the concepts people should be trained to have. Security professionals have been trained in this, but not regular employees.
Due care is about taking all of the decisions to protect the organization that you serve. So we should all be trained to be people that practice due care and safeguard as much as we can.
Yes, we should all be a little paranoid! (Laughs) After all, you are paid by this organization, so this is our income. It’s how we feed ourselves and our families. So it should be our duty to protect what feeds us, in a way.
Q: For those of us who are unaware, what is an IoT and why should we all be concerned with these platforms?
AB: That’s a hot one! (Laughs) IoT, the Internet of Things, is basically everything that you connect to your network that is not designed to run software with a GUI or a direct console.
There is a saying I like which is that the “S” in IoT stands for security. (Laughs) Obviously, there is no S so that’s my point…
The US just passed the “IoT Cybersecurity Improvement Act of 2020” that defines a baseline for manufacturers to provide security by design in their assets, which was not something that existed before.
So, from now on, at least for the American market, if you want to sell a connected device, you will have to have a security solution that comes with your device.
From a practical standpoint, each of these devices that you connect to your network will send your data and network passwords to the provider. There is no limit and you cannot see or control what they do. They can be hacked, used as backdoors, and they can hijack your network traffic as well.
They used to go into your confidential information and to spy on you. That’s a reality. We know when people press the Mute button on a smart speaker, they assume it’s going to be muted. But you have no idea if it’s just turning an LED on and off while the device is still running.
IoT is the end of privacy. Smartphones and the cloud started this; IoT is the final massive deployment of bugs, which people even pay for! That’s funny. Privacy is dead for IoT users.
Actually, it’s not funny…
Q: The internet has been instrumental in keeping us connected for so many years. It sounds like we’re almost too connected these days. Why is this a bad thing and how does this impact cybersecurity?
AB: So, with 5G starting, and 6G coming, this trend is not about to stop when it comes to being connected.
At the same time it’s magical and convenient, especially during the pandemic, but also, it’s a growing, uncontrolled attack surface. Every connected thing can be hacked, so the more control you give to connected things, the more exposed you are.
At some point, when key parts of your life rely only on connected items, it means that your life is owned by whoever controls these assets. Big cloud providers and criminal hackers are the ones controlling these, and therefore, you too.
It’s like everything in life: moderation is usually a good thing. I don’t think that connecting everything, just because we can, is a good idea.
Q: You often state that “Connected=Hacked”. For those who aren’t aware of this saying, could you explain your reasoning for this statement?
AB: Proven true every day! This is why I share (these types of stories) on LinkedIn every day. I want to show that this is a reality that we’re currently facing. It’s what we live with, and what we need to adjust to. It’s simple, if you connect anything to another system, you open it as a threat as it enters the attack surface. It becomes exposed. As soon as you connect it, (the device) is exposed.
Connecting involves communication, and communication is a two-way channel. Basically, you send information and you receive information. Because everything is designed to respond to queries or send queries, with time, vulnerabilities are identified, allowing the system to be exploited for a purpose it was not designed for.
Because, what is hacking? Hacking is taking something that was designed for a function and using it for something else that people didn’t think about.
So, as we connect devices under our control, we decide to expose them to other connected systems that we expect will play by the rules, but a lot of them won’t!
So why Connected=Hacked is because with time, and that time is getting shorter every day, when you connect something, it will be abused. With everything that is out there on the internet right now, it won’t take very long.
Life hacks make your life easier, which is all about the intent. I don’t like when people call hackers the same as criminals. Hackers explore the technology and see what they can do with it. Criminals take safety with bad intent, and the intent is what makes the difference between a criminal and an alleged hacker.
Q: About a decade ago, cloud storage services were all the rage. Today, these same cloud storage services seem to be what is causing cybersecurity frustration. Why is that?
AB: My favorite topic—open, leaky buckets! (Laughs)
It is a matter of value. The bigger the value, the more targeted it will be. Cloud took over everything, and people rushed into it without understanding the concept very well.
We did switch from a need to a trend. When there is a need, you craft the system for the need; when it becomes a trend, people ignore the specs and don’t practice due diligence and due care. They assume everything is fine by default, like it was on-prem, in a restricted perimeter.
When you had unsecured storage on your local infrastructure, it was mostly only exposed to your local systems. So the likelihood of an abuse was pretty low.
In the cloud, connected 24/7 and exposed to the whole internet, it’s not the same story: the whole world is taking their chance on your account. Basically, when the best practices are not applied, the impact is much bigger than it was in a restricted perimeter. It’s just straight online.
Q: With online rules & regulations seemingly changing by the day, how do you stay up to date with the latest cybersecurity trends?
AB: A lot of reading and subscriptions to official channels (CISA, etc.), security newsletters, and training on a regular basis to stay up to date and relevant.
For threat landscape monitoring: a lot of OSINT (Open Source Intelligence), news reading, exchanges with peers, and RSS feeds.
Q: What are some offline solutions for when connected companies need to protect their data off the cloud?
AB: Yes, they exist! (Laughs) Private cloud, archives, colocation: these solutions exist.
They don’t even have to manage a physical infrastructure if they don’t want to, there are a lot of dedicated infrastructures, providing the same flexibility as the public cloud, that allow proper management.
As in the cloud, it’s the duty of the customers to have proper backups and replicate the infrastructure across multiple locations (called availability zones in the cloud, etc.).
In any case, organizations should make sure they implement encryption in transit and at rest. But they can have their own stack. They don’t need to buy a pile of servers, they can rent them, so long as this is dedicated to them and it’s controlled down to the (…) layers.
If someone replicates or pulls out the drive, they don’t see it. If you have a stack, you’ll be able to see it.
Q: How can companies, especially those that deal with sensitive information, curb this increase in cyber attacks?
AB: It’s not that complicated. Applying cybersecurity best practices is already a huge step, as is getting support from specialists to apply these best practices. It’s about reducing the attack surface, compensating the risk, and auditing everything. It’s also about detection and response, if we want to cut the curve.
Segmentation, and governance are also helping a lot, as mentioned earlier.
Companies dealing with sensitive information are forced by laws and regulations to have proper governance, and governance will require full inventory and data classification.
Data classification will allow you to segment operations per type, and therefore place security controls in the right place. The more sensitive the data is, the stronger the controls should be.
Data privacy, and the fight against cyberattacks, will never change. In fact, cyberattacks will only increase from here on out.
Be sure to protect yourselves and your company from these potential cyberattacks by adhering to what cybersecurity experts like Alexandre Blanc recommend.
Furthermore, if you’re looking for a way to secure your documents and any sensitive information found within them, be sure to try Soda PDF’s Secure tools.
Why Soda PDF?
Soda PDF is a PDF software solution that’s packed with the powerful tools you need to add layers of security to your documents. Password protect files, secure permission levels within your PDFs, sanitize your documents, and remove metadata in just a few clicks!
Get a taste for Soda PDF today with a free download of our Desktop application, or try our Online software from any device that has internet access. Celebrate Data Privacy Day by protecting your documents with our easy-to-use PDF tools.