Cybersecurity
Backup and Recovery
CISOs
Compliance
Zero Trust
DORA

Cybersecurity in 2024: Navigating New Threats and Strengthening SaaS Defenses

Mike Melone | Sr. Content Marketing Manager, Own from Salesforce

October is Cybersecurity Awareness Month, and it’s clear that the need for robust cybersecurity has never been more pressing. Cyberattacks have grown more sophisticated, with phishing and ransomware tactics reaching new levels of intricacy. Attackers are using advanced techniques, such as leveraging AI and machine learning, to craft more convincing phishing schemes and automate their attacks. 

Additionally, the rise of remote work (including third-party remote access, such as contracted developers who can take data or introduce vulnerabilities in configuration or code) and the growing reliance on Software-as-a-Service (SaaS) platforms like Salesforce have expanded the attack surface, giving cybercriminals more opportunities to exploit vulnerabilities.

Although malicious threats get the headlines, non-malicious threats remain the most common cause of IT security incidents. Gartner reports that 80% of cloud data security incidents are due to misconfiguration, while Ponemon's 2023 Cost of Insider Threats Global Report found that 60% of IT security incidents are caused by insiders, and 75% of these are not malicious. 

Unfortunately, many organizations don’t realize they’re misconfiguring or oversharing their SaaS platforms, and there is a significant gap between the InfoSec team and the Salesforce Center of Excellence (CoE), which we refer to as the SaaS ↔ InfoSec Divide. Many Salesforce professionals are not data security experts and don’t know how to deal with cyberattacks and insider threats that have been well documented for some time now. Few InfoSec experts fully understand the intricacies of Salesforce, such as how data can be shared or accessed, so they don’t know what “bad” looks like.

In this environment, the challenge isn't just protecting data against increasing risks and evolving threats, but also being able to recover when an attack succeeds. A PwC survey found that "only 2% of executives say their company has implemented cyber resilience actions across their organization in all areas surveyed.”

What Regulators Are Saying About Cybersecurity

It's not only organizations that are noticing an uptick in cyber threats, but regulators as well. In 2024 and beyond, navigating the maze of regulations will be as critical an aspect of cybersecurity as any. There are several key regulations shaping cybersecurity strategies across industries:

  • Section 404 of the Sarbanes-Oxley Act (SOX) requires public companies to establish and maintain adequate internal controls over financial reporting (ICFR). While the focus is on financial controls, cybersecurity controls such as access controls and data encryption are integral to ensuring the accuracy and reliability of financial information.
  • Item 1.05 of Form 8-K, adopted by the SEC in 2023, generally requires public companies to disclose material cybersecurity incidents within four days of determining that the incident is material. Such disclosure must contain the nature, scope, and timing of the incident and the impact or reasonably likely impact of the incident on the company, its financial condition, and its results of operations.
  • Europe recently enacted the Digital Operational Resilience Act (DORA) to reduce cybersecurity risks and improve the operational resilience of the financial sector. Recognizing the critical role that Information and Communications Technology (ICT) providers play in the operational resilience of financial services, DORA is now holding them accountable.
  • In the U.S., the New York State Department of Financial Services (NYDFS) updated the 23 NYCRR 500 regulation titled “Cybersecurity Requirements for Financial Services Companies.” The updates are substantial, encompassing asset inventory, risk assessment, multi-factor authentication (MFA) implementation, business continuity and disaster recovery (BCDR), governance, and CEO/CISO certification. Companies have one year to comply with the majority of updated requirements of the regulation.
  • To be FISMA-compliant, government agencies implement the security and privacy controls developed by NIST, most recently published in NIST SP 800-53 Rev. 5.

Remaining compliant isn’t just about avoiding fines—it's about building trust, demonstrating a commitment to protecting customer data, and ensuring good business and customer service by minimizing downtime and disruption. Staying ahead of regulatory changes will be crucial for organizations to maintain a robust cybersecurity posture.

SaaS Data: The New Cybersecurity Frontier

The adoption of SaaS solutions has revolutionized how organizations operate, but it has also introduced new risks. Cloud-conscious attacks have increased by 110% between 2022 and 2023, according to the Crowdstrike 2024 Global Threat Report.

According to Statista, in 2023, 43% of respondents mentioned identity and access governance as their main security concern while adopting SaaS. SaaS platforms house a wealth of sensitive data, making them prime targets for cyber attackers. Phishing schemes, data breaches, and misconfigurations are just a few ways attackers can exploit SaaS vulnerabilities. In addition to cyberattacks, organizations must also be wary of non-malicious insider threats. As businesses move more mission-critical data into SaaS and become more dependent on SaaS for selling and services, there is an increased risk of humans making mistakes that cause damage, downtime, and disruption.

To protect SaaS data, organizations must implement security strategies tailored to these platforms. This includes understanding shared responsibility models, implementing multi-factor authentication, encrypting data, enforcing access controls, and continuously monitoring for and mitigating suspicious activity. Note that all of these security measures should be regularly reviewed, tested, and updated as necessary, as security is never a “one-and-done” exercise. And, of course, since no security measure is 100% foolproof, backing up your data is a must. 

Leveraging Modern Technology for Defense

The good news? The same technologies that empower attackers can also be harnessed to strengthen defenses. Eventually, AI and automation will help defenders identify and respond to cyber threats quickly. By analyzing patterns and behaviors, AI-driven systems can detect anomalies, flag potential attacks, and even initiate automated responses to contain breaches. 

For now, though, there are things everyone can do better to help when they are attacked. Our CISO, Pieter VanIperen, suggests that these include “detecting anomalies in your operations and having a better understanding of your data and the history of that data. This is important because AI will make maintaining integrity and availability more challenging. Everyone needs to be more honest about what their systems can do, and every business has a responsibility to make sure their data is not tampered with and can be trusted.”

Implementing security frameworks like Zero Trust is also pivotal in defending against cyber threats. Zero Trust offers a comprehensive approach to data protection, applying "never trust, always verify" across all access points. As John Kindervag stated in the foundational Zero Trust “No More Chewy Centers” Forrester report, “This is especially important as we move to a cloud-enabled technology environment where much of the data sits outside of our traditional data centers.” These trends require a shift in security to embrace deperimeterization, assume compromise, and verify instead of trust. As government organizations work to meet the Zero Trust mandate, private sector companies are also recognizing the importance of adopting this security model to address threats that are growing in scope.

Preparing Your Organization for Cyberattacks

The cyber threats of 2024 are more sophisticated and relentless than ever. However, by taking proactive measures and leveraging modern technology, organizations can build resilient defenses. 

At Own, we’re focused on helping customers understand that data protection is an ongoing process, not a one-time setup. Regular testing of backup restores and continuous monitoring of evolving risks in the Salesforce org are essential to maintaining security. That’s why we recommend annual data security risk assessments and leveraging automation to continuously track risks and ensure audit compliance.

Want to learn more? Join us for our upcoming CSA webinar: "Cyber Attacks: It’s Not If, It’s When! Why Aren’t We Prepared?" focused on protecting data in SaaS applications like Salesforce, ServiceNow, and Microsoft Dynamics.

Get Started

Submit your details and we will contact you shortly to schedule a custom 25-minute demo.

Book a Demo
Mike Melone
Sr. Content Marketing Manager, Own from Salesforce

Mike Melone is a Sr. Content Marketing Manager at Own. With a passion for storytelling and expertise in SaaS data protection, Mike shares his insights to help organizations safeguard their critical data.
