As we move to an increasingly cloud-based world, IT solution providers need to shift their focus from providing technology to protecting business data, says Ian Trump.
The next few years of IT evolution are going to have a massive impact on society and the small and medium businesses (SMBs) that account for the majority of GDP in the G-20 countries. As internal and external IT providers move away from hardware and software-based services to cloud-based services, there is a need to manage risk based on the location, access and vulnerability of business data. As mobile platforms, hosted services and Internet of Things (IoT) devices become responsible for the creation, processing, analysis and dissemination of business data, the security of that data becomes more challenging. This provides an opportunity for cyber criminals to exploit.
The prosperity of SMBs is in jeopardy and the numbers are stark. According to Forbes, the cybersecurity market reached USD $75 billion in 2015, and is expected to reach USD $170 billion by 2020. A study by GMSA/AT Kearney found that the total value of the Internet is projected to grow from $3.5 trillion in 2015 to $5.8 trillion by 2020. Attacking this growth is a mature cybercrime-as-a-service (CaaS) model that provides tools and services across the entire spectrum of cyber criminality. Forbes again projects the costs of Cyber Crime to reach $2 Trillion by 2019, suggesting that 34% of the entire Internet value chain will land in the hands of criminals.
As Managed Service Providers (MSPs), IT providers and channel vendors we can’t let this happen. If we do, we risk allowing businesses to be put off going onto the Internet to try and make money. Unfortunately, there are two problems at a high-level impeding the ability to respond globally to the cybercrime problem. Firstly, some nations are more “tolerant” of cyber-criminal activity than others; there are some nations actually facilitating and supporting cybercrime. Secondly, countries look at cybercrime as a problem to be solved within national borders.
The reality is that the Internet is homogeneous and worldwide, allowing communication and attacker access from anywhere to anywhere. As an MSP or IT provider, you know only too well the dangers of exposing vulnerable systems to the Internet.
Australia suffered a very serious data breach recently, which was chronicled by Troy Hunt, the creator of the “haveibeenpwnd.com” website. In his blog, “The Red Cross Blood Service: Australia’s largest ever leak of personal data”, he discuses the way the website was compromised – not through malware, not through SQL injection but because of backup.
Hunt states: “The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen. There is no good reason to place database backups on a website, let alone a publicly facing one.”
However, it’s his second point that really caught my eye.
Hunt continues: “The final piece that made all this possible was having directory browsing enabled on the server. The database backup should never have been there in the first place, but it’s highly unlikely it would have been found without directory browsing enabled.”
Simplifying the narrative yields one indisputable fact: The database backup that contained a complete (unencrypted) set of 1.3 million records was put in the wrong place. A place that was easily accessible and unprotected by permissions. The location and accessibility of this sensitive data should have been flagged as a cyber risk to Australian Blood Services.
Solarwinds® MSP recently acquired software that enables users to scan, detect and analyze the exposure of data, and then to present a dollar value as an indicator of data breach risk. Here are some examples:
Using this “Data Breach Risk Scan”, an MSP or IT provider can identify the systems with the most risk and mitigate that risk by removing, moving or deleting the data – with the customer’s permission of course! If nothing can be done about the data – in other words it has to remain where it is – the MSP can prioritize the vulnerability management on that system to ensure the ability to exploit the system is reduced as much as possible.
IT providers and MSPs can provide data breach risk assessments through monthly scans, and by doing so demonstrate evidence of due diligence and continuous monitoring for the exposure of sensitive data. There are also other benefits for IT providers and MSPs that focus on the location, exposure and vulnerability of their customer data. In a few short months, IT providers and MSPs can determine if the customer is at risk and therefore requires additional security services. Based upon the data breach risk report, the service provider may consider increasing their price for a more risky customer.
As businesses move away from traditional workstation/server structures and embrace a myriad of different platforms and hosted services, the wise service providers will quickly realize it’s the data the business generates that is the life blood of the organisation, not the technology. As an IT provider or MSP safeguarding the customer data, no matter where it is located, is the number one priority. Using a monthly data breach risk scan is good for your customers’ business and ultimately good for yours.
Ian Trump is global security strategist for SolarWinds MSP. You can follow Ian on Twitter at @phat_hobbit