Armanino Blog

Cybersecurity: Need to Re-Examine Defenses

December 14, 2015

As companies use the cloud to transform their operations, they face a new breed of cybersecurity threats.  To protect themselves and their clients in an increasingly interconnected world, business leaders need to rethink their digital lines of defense.

“The cloud is going to improve our business if we adopt it…but on the flip side, we have to be able to maintain control and manage our information,” said cybersecurity consultant and former White House internet security advisor Rand Morimoto, speaking at the recent Armanino EVOLUTION client conference.

Companies are choosing cloud-based applications because they’re a flexible, highly scalable way to add operational efficiencies and real-time analytics. Research firm Gartner Inc. predicts that by 2020, 60% of business users will be running cloud-based office systems such as Microsoft Office 365.

Why digital risks are growing
As the world has gotten more interconnected and workforces have gotten more mobile—thanks in part to the cloud—client data and other critical information has become more vulnerable.  Security strategies that were effective 10 years ago, when most information was kept in on-premises data centers, don’t suffice in an era when employees use their smartphones to share documents stored in the cloud.  “That firewall is not good enough anymore,” said Morimoto.

In many cases, employees are putting their companies at risk because they fail to follow basic security practices. For example, people often use the same login and password for their corporate and personal accounts, which means that if their Facebook or LinkedIn account is hacked, the criminals can use the stolen login information to breach the corporate firewall.

Such unsafe behavior is alarmingly common. Morimoto conducted a research study that involved offering free Wi-Fi access to passersby at San Francisco’s SFO airport.  When participants were asked to provide a password to access this non-secure Wi-Fi network, 83% gave their corporate login information. When told that they had to use another set of login credentials, 94% provided login information for personal accounts.  

Digital risk has also increased as cybercriminals have become more sophisticated.  Whereas hackers were mostly individual amateurs 15 years ago, today many are part of organized crime rings, which see cybercrime as a lucrative, less dangerous alternative to traditional crimes. 

This new breed of professional cybercriminals targets small businesses as well as large enterprises, so any company with inadequate security puts itself and its clients at risk. In 2014, for example, hackers infiltrated Home Depot’s firewall—accessing 56 million customer credit card accounts and 53 million customer email addresses—after first stealing a password from one of the retail giant’s small HVAC vendors. In 2013, Target was the victim of a similar crime after hackers got into the company’s systems via a refrigeration contractor’s electronic billing account. 

How companies can defend themselves
Despite the alarming headlines, organizations can take steps to protect themselves.  Morimoto recommends that companies focus on controlling their user identities and their data, rather than trying to control laptops or other devices.

First, said Morimoto, companies should implement “single sign-on” so employees have only one set of login credentials for all their corporate applications. This way, if employees leave the company, it is easy to terminate their access to all the corporate systems. The single sign-on should include any of the company’s cloud-based applications, such as Dropbox and Salesforce, so IT departments also need to catalog these kinds of outside accounts.
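The cataloging step is where the single sign-on advice tends to break down in practice: an application account that was created with its own local login is not removed when the directory record is disabled. The following script is an added example (not code from the article or from Armanino) that reconciles a per-application account inventory against a directory export and reports the gaps. The directory entries, the account lists and the `via_sso` flag are constructed sample data.

```python
"""Audit SaaS application accounts against a central identity directory.

Added example, not from the original article. Given a directory export and
per-application account lists, report accounts that outlive an employee's
directory record or that bypass single sign-on. All data here is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppAccount:
    app: str
    email: str
    via_sso: bool  # True if the login is federated to the company identity provider


# Constructed directory export: email -> account status
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}

# Constructed account inventory for the cloud apps named in the article
APP_ACCOUNTS = [
    AppAccount("Dropbox", "alice@example.com", True),
    AppAccount("Dropbox", "bob@example.com", False),       # terminated user, local login
    AppAccount("Salesforce", "carol@example.com", False),  # active user, bypasses SSO
    AppAccount("Salesforce", "dave@example.com", True),    # nobody in the directory
]


def audit_app_accounts(directory, accounts):
    """Return a sorted list of (app, email, finding) tuples.

    Three conditions are flagged:
      * the account's email has no directory record at all (unmanaged account);
      * the directory record is terminated but the app account still exists;
      * an active user holds a local (non-SSO) login, so disabling the
        directory record would not cut off this application.
    """
    findings = []
    for acct in accounts:
        status = directory.get(acct.email)
        if status is None:
            findings.append((acct.app, acct.email, "no directory record"))
        elif status == "terminated":
            detail = "local login, not removed by directory disable" if not acct.via_sso else "federated"
            findings.append((acct.app, acct.email, f"terminated user still has account ({detail})"))
        elif not acct.via_sso:
            findings.append((acct.app, acct.email, "active user with local login bypassing SSO"))
    return sorted(findings)


def sso_coverage(accounts):
    """Fraction of accounts per application that go through SSO."""
    totals, federated = {}, {}
    for acct in accounts:
        totals[acct.app] = totals.get(acct.app, 0) + 1
        federated[acct.app] = federated.get(acct.app, 0) + (1 if acct.via_sso else 0)
    return {app: federated[app] / totals[app] for app in totals}


if __name__ == "__main__":
    for app, email, finding in audit_app_accounts(DIRECTORY, APP_ACCOUNTS):
        print(f"{app:<11} {email:<20} {finding}")
    for app, frac in sorted(sso_coverage(APP_ACCOUNTS).items()):
        print(f"{app}: {frac:.0%} of accounts via SSO")
```

In a real deployment the two inputs would come from the identity provider's user export and each application's admin API; the reconciliation logic is the same. Running the audit on a schedule turns "catalog the outside accounts" from a one-time inventory into a standing control.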

Second, organizations should identify and encrypt their most critical information, so employees need a password to access it. Companies can determine what they should encrypt, and what priority this encryption should take, using three simple categories:

  • Data they must protect (to comply with strict regulations such as HIPAA or Sarbanes-Oxley)
  • Data they should protect (to comply with less stringent customer and employee privacy laws, such as the California Security Breach Information Act)
  • Data they would like to protect (intellectual property and other key business information)

The data encryption should be tied to the company’s Active Directory, so when employees leave the firm, their user accounts are terminated, and they lose all access. To keep critical information safe even if employees fail to encrypt it, companies should also implement “encryption in transit,” which automatically identifies and encrypts sensitive data as it is being emailed.
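The automatic step described above only works if the mail gateway can decide, per message, which of the three tiers the content falls into. The script below is an added example (not code from the article or from Armanino) of such a policy check: it scans an outgoing message for sensitive content, assigns it to the must/should/would-like tier, and returns the encryption decision. The keyword lists, the regex detectors and the mapping of content to tiers are constructed illustrations chosen to show the mechanism, not a statement of what HIPAA, Sarbanes-Oxley or any privacy law actually requires.

```python
"""Classify an outgoing message and decide whether it must be encrypted.

Added example, not from the original article. Tier names follow the
article's three categories; the detectors and keyword markers are constructed.
"""
import re

# Constructed detectors for regulated identifiers (the "must" tier).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed keyword markers per tier; a real policy would be maintained by
# the compliance team and tuned to the organization's own data.
POLICY = {
    "must": {"patient", "diagnosis", "audit workpaper"},
    "should": {"date of birth", "driver's license"},
    "would_like": {"internal only", "trade secret", "source code"},
}
TIER_ORDER = ("must", "should", "would_like")  # strictest first


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate payment card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(message: str):
    """Return (tier, hits) where tier is one of TIER_ORDER or None."""
    hits = {tier: [] for tier in TIER_ORDER}
    lowered = message.lower()

    if SSN_RE.search(message):
        hits["must"].append("ssn-format number")
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits["must"].append("payment card number")
            break
    for tier, keywords in POLICY.items():
        hits[tier].extend(kw for kw in keywords if kw in lowered)

    for tier in TIER_ORDER:  # strictest tier that matched wins
        if hits[tier]:
            return tier, sorted(hits[tier])
    return None, []


def encryption_decision(message: str) -> str:
    """Map the tier to a gateway action."""
    tier, _ = classify(message)
    if tier in ("must", "should"):
        return "encrypt-required"
    if tier == "would_like":
        return "encrypt-recommended"
    return "send"


# Constructed sample messages
SAMPLES = [
    "Attached are the Q3 patient statements; diagnosis codes included.",
    "Card on file 4111 1111 1111 1111 expires 12/26.",
    "Customer date of birth is 1980-01-02, please update the record.",
    "Draft pricing model attached. INTERNAL ONLY.",
    "Order 1234567890123 shipped this morning.",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for text in SAMPLES:
        tier, hits = classify(text)
        print(f"{encryption_decision(text):<20} {tier!s:<10} {hits} :: {text}")
```

Two design points are worth noting. The Luhn check keeps ordinary thirteen-to-nineteen-digit numbers such as order ids out of the "must" tier, which matters because a gateway that encrypts too much trains users to ignore it. And the tier logic takes the strictest match, so a message that mixes an internal-only label with a patient record is handled as regulated data, not as ordinary intellectual property.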

As people, devices and information become increasingly interconnected, these strong security processes will help organizations reduce their risk and limit their damage if they are hacked.  “The world of the cloud is big, and there’s a lot going on,” said Morimoto. “But we can control it.”
