Fun fact: A stolen email address is worth $0.0005 to $0.01 on the black market and they are sold in batches of 1000.
Stolen account information has a price in the cybercriminal economy. But hackers only get a small fraction of a penny per compromised account, so they focus on targets with high user counts. Prominent SaaS services, especially those with millions of consumer users, are particularly attractive targets.
Those same service providers want to keep any breaches quiet – they don’t want to tip off any active hackers, and they don’t want to upset their customers. So customers might not be aware of a hack until weeks after detection or even years after the breach occurs.
Last week’s news put the file-sharing service Dropbox in the spotlight: in 2012, the company had 68 million passwords stolen after an employee reused a password, but it only forced a password reset now – four years after the fact.
Businesses using SaaS need to ask themselves how long they are willing to be kept in the dark when data has been stolen or accounts are compromised. I mean, how do you know if the files you store today are safe? Food for thought.
CISOs and security teams would clearly prefer to know right away in order to have the opportunity to manage damage control. Time is also of the essence near quarter’s end when disclosure is required for regulatory compliance.
So what’s a smart strategy for using the cloud in a secure way? How can organizations audit accesses, firewalls, and other threat detections anytime they want?
At CTERA, we recommend that our customers:
- Deploy services on virtual private clouds or internal/on-prem systems, which are entirely within your firewall. This keeps your information away from the spotlight of highly visible SaaS targets, and minimizes the target value.
- Lock down system access so that only users inside your firewall are allowed in, and limit administrative access to firewalls and applications to known, trusted employees only.
- Be sure to set rigorous policies around password strength and password rotation intervals.
- And don’t wait for an out-of-the-blue email from a service provider who has its back to the wall: keep monitoring on your terms.