As I've mentioned, my new company likes to use SaaS for many of its corporate applications. This tends to keep me up at night. The software-as-a-service market is still in its infancy when it comes to security and interoperability with other vendors' security implementations and technologies.
At issue: It would be dangerous to assume that all users are fully cognizant of the risks associated with using SaaS applications.
Action plan: Set up a security awareness training program, and make sure all new employees are exposed to the material.
What worries me are applications that contain sensitive corporate information. I'm not too concerned about HR using a SaaS application with a discount brokerage firm, and applications that employees use to access their flexible spending plans or to book travel don't really bother me. But when our finance team uses the cloud to calculate and maintain our quarterly earnings, I get nervous. I feel the same way when our sales team uses a SaaS application to register sales deals, maintain customer contacts and conduct negotiations. And I get downright apoplectic thinking about an online application for determining whether a merger or acquisition makes sense.
I have to wonder whether the people who use such applications are knowledgeable about the risks they create for our sensitive data. The reason I worry so much is that I know from experience that most people do not have adequate knowledge about simple security precautions. They opt for convenience, checking off the box that promises to remember their username and password. They use random, unsecured computers to log into SaaS applications, even, as I've noted before, doing it from an Internet kiosk in Moscow. And as if to demonstrate that they don't see that as particularly risky, they will walk away from that kiosk with the computer still logged into their account, or they will download an important document and leave it on the computer.
Clearly, I have a duty to educate these people. They need to be aware that such actions can lead to things like a compromise of a SaaS application's administrative portal, with the potential for disastrous consequences. I do not want to crack down after someone has gotten into our network and done things like adding or removing accounts, manipulating data or even deleting data.
That's why I've decided to make my information security training and awareness program a priority. The main goal is simple: to change employees' behaviour. If I can drill basic security awareness into each employee, I will reduce the risk that arises from employees doing stupid things.
Besides the things I mentioned above, the training will address common risks associated with mobile devices, social media, phishing scams, unpatched systems, Wi-Fi access and "shoulder surfing," as well as some more far-out topics. I might demonstrate for them how easy it is to install keystroke loggers and explain such seemingly esoteric risks as using a GPS-enabled phone to visit a social media site and post images that have location data embedded in them.
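One of the "far-out" topics above, photos carrying embedded location data, is easy to make concrete in an awareness session by showing that the coordinates sit in the file as ordinary Exif metadata and can be found and removed before an image is shared. The following is an added example, not code from the column or from any product it mentions: a small Python script that builds a constructed JPEG with a GPS IFD (the coordinates and the file layout are made up for the demo), reads the latitude and longitude back out, and strips the Exif block. The tag numbers (0x8825 GPSInfo pointer, 0x0001 to 0x0004 for the latitude and longitude refs and values) are the standard Exif ones.

```python
import struct

# Standard Exif tag numbers (Exif 2.x specification).
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _build_exif_with_gps(lat, lon):
    """Build a big-endian Exif APP1 payload whose IFD0 points at a GPS IFD.

    Layout (offsets relative to the TIFF header):
      0  TIFF header (8 bytes)        -> IFD0 at 8
      8  IFD0: 1 entry (GPS pointer)  -> 2 + 12 + 4 = 18 bytes, ends at 26
      26 GPS IFD: 4 entries           -> 2 + 48 + 4 = 54 bytes, ends at 80
      80 lat rationals (24 bytes), 104 lon rationals (24 bytes)
    """
    def rationals(deg):  # decimal degrees -> three (num, den) pairs: D, M, S/100
        d = int(deg)
        m = int((deg - d) * 60)
        s = round(((deg - d) * 60 - m) * 60 * 100)
        return struct.pack(">6I", d, 1, m, 1, s, 100)

    def entry(tag, typ, count, value_bytes):
        return struct.pack(">HHI", tag, typ, count) + value_bytes

    tiff = b"MM" + struct.pack(">HI", 0x2A, 8)
    tiff += struct.pack(">H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(">I", 26)) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += entry(GPS_LAT_REF, 2, 2, b"N\0\0\0" if lat >= 0 else b"S\0\0\0")
    gps += entry(GPS_LAT, 5, 3, struct.pack(">I", 80))
    gps += entry(GPS_LON_REF, 2, 2, b"E\0\0\0" if lon >= 0 else b"W\0\0\0")
    gps += entry(GPS_LON, 5, 3, struct.pack(">I", 104))
    gps += struct.pack(">I", 0)
    return b"Exif\0\0" + tiff + gps + rationals(abs(lat)) + rationals(abs(lon))


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample image: SOI, an Exif APP1 block with GPS data, a dummy
# quantisation table, EOI. Not a viewable photo, just enough to exercise the parser.
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE1, _build_exif_with_gps(40.5, -73.25))  # constructed coordinates
               + _segment(0xDB, b"\x00" + b"\x10" * 64)
               + b"\xff\xd9")


def _iter_segments(data):
    """Yield (marker, start, end) for each marker segment up to start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:  # entropy-coded data follows; stop walking
            break
        pos += 2 + length


def find_exif(data):
    """Return (start, end) byte offsets of the Exif APP1 segment, or None."""
    for marker, start, end in _iter_segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == b"Exif\0\0":
            return start, end
    return None


def _read_ifd(tiff, offset, fmt):
    count = struct.unpack(fmt + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(fmt + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])  # value-or-offset field kept raw
    return entries


def _rational_dms(tiff, fmt, value_field):
    off = struct.unpack(fmt + "I", value_field)[0]
    nums = struct.unpack(fmt + "6I", tiff[off:off + 24])
    d, m, s = (nums[i] / nums[i + 1] for i in (0, 2, 4))
    return d + m / 60 + s / 3600


def extract_gps(data):
    """Return (lat, lon) in decimal degrees if the Exif carries a GPS IFD, else None."""
    bounds = find_exif(data)
    if bounds is None:
        return None
    tiff = data[bounds[0] + 10:bounds[1]]          # skip marker, length, "Exif\0\0"
    fmt = ">" if tiff[:2] == b"MM" else "<"         # byte order declared by the TIFF header
    ifd0 = _read_ifd(tiff, struct.unpack(fmt + "I", tiff[4:8])[0], fmt)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(fmt + "I", ifd0[TAG_GPS_IFD][2])[0], fmt)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None
    lat = _rational_dms(tiff, fmt, gps[GPS_LAT][2])
    lon = _rational_dms(tiff, fmt, gps[GPS_LON][2])
    if gps.get(GPS_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
        lat = -lat
    if gps.get(GPS_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
        lon = -lon
    return round(lat, 4), round(lon, 4)


def strip_exif(data):
    """Return a copy of the JPEG with the whole Exif APP1 segment removed."""
    bounds = find_exif(data)
    if bounds is None:
        return data
    return data[:bounds[0]] + data[bounds[1]:]


if __name__ == "__main__":
    print("location in sample:", extract_gps(SAMPLE_JPEG))
    print("after stripping:   ", extract_gps(strip_exif(SAMPLE_JPEG)))
```

The stripper removes the entire Exif segment rather than surgically deleting the GPS IFD, which is the safer default for a "before you post it" tool: camera model, timestamps and thumbnails go with it, and there is no risk of leaving a dangling pointer to location data elsewhere in the block.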
I also want infosec awareness guidelines to become part of the materials given to all new hires. And I'm doing ongoing education with things like an "infosec tip of the day" RSS feed, courtesy of the SANS Institute. I will fill in the gaps with some training visits to remote offices, brown-bag lunch sessions, posters and e-mail announcements of relevant security alerts.
A security-awareness training program has the potential to give you great results at a fairly low cost, but the best part might be that those visits to remote branches will get me out of the office. And we just opened a large branch in Australia!