CIS Controls™ for SaaS – Part 5: Security Awareness and Skills Training

You are reading the third post in our series on applying CIS Controls™ to SaaS. If you are only joining now, here is what you have missed:

SaaS applications are exposed to the same attacks as many on-premises systems, e.g. phishing and credential theft. Furthermore, because SaaS applications are reachable from the public internet by definition, protecting access credentials is particularly important: a stolen credential is usable from anywhere, without any foothold in the corporate network.

Control 14: Security Awareness and Skills Training

Safeguard 14.1: Establish and Maintain a Security Awareness Program

Security awareness training should explicitly cover the use of SaaS applications. Beyond the usual scenarios of phishing or pretexting attacks, the ease of introducing unauthorized SaaS applications into an organisation means that staff also need to be made aware of the risk associated with doing so. Ideally, SaaS applications should be monitored for risky behaviour (e.g. excessive file sharing, unsafe mail forwards) and awareness training delivered contextually, i.e. targeted at the user and the behaviour that triggered it. The data used to drive such contextual training may also include monitoring for the use of unauthorized SaaS applications.

The official guidance recommends training as part of new staff onboarding and, at a minimum, annual retraining thereafter. The materials used for training should be reviewed and updated at least annually, or when major organizational changes require re-alignment.

Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks

As SaaS solutions are used across the full range of business applications, it is important that users are able to recognise common attacks like phishing or pretexting, and understand how such attacks put SaaS accounts and the data stored in SaaS applications at risk.

Safeguard 14.3: Train Workforce Members on Authentication Best Practices

We have already covered in Part 2 that multi-factor authentication should be enforced in all SaaS applications. However, even where enforcement is configured, MFA can be temporarily disabled for a user (e.g. while a lost or replaced device is re-enrolled), so it is important that SaaS users understand why MFA matters and do not treat such a gap as a convenience.

Furthermore, SaaS users should be aware of the risks of weak passwords, password reuse and unsafe credential storage, particularly because these credentials are valuable to an attacker who needs neither physical nor local network access to use them.

Safeguard 14.4: Train Workforce on Data Handling Best Practices

As SaaS data lacks all the perimeter protection that may be available with on-premise (and even cloud) systems, it is imperative that SaaS users are made aware of the risks of account sharing, file sharing and mail forwards as well as SaaS-to-SaaS connections.

Safeguard 14.5: Train Workforce Members on Causes of Unintentional Data Exposure

Particularly for SaaS applications used for email or file sharing, it is important that users are aware of the danger of anonymous file sharing (i.e. anyone who knows the sharing link has access, with no authentication) and of forwarding email to external addresses, particularly personal ones, which may have far less protection than those managed by the organisation.
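The contextual, data-driven training described under Safeguard 14.1 and the exposure scenarios under Safeguard 14.5 (anonymous share links, forwards to external mailboxes, and the SaaS-to-SaaS connections mentioned under 14.4) can be driven from the SaaS tenant's audit events. The following is an added example, not code from the original post or from any SaaS vendor: it runs simple detection rules over a handful of constructed audit events and maps each finding to the awareness module the user should receive. The event schema, the organisation domain, the "excessive sharing" threshold, the allowlist of sanctioned apps and the module names are all assumptions; real tenants expose these events through their own audit log APIs with different field names.

```python
"""Flag risky SaaS behaviour from audit events and assign contextual awareness training.

Added example; the event schema below is an assumption, not a real vendor's log format.
"""
from collections import defaultdict

# Assumed organisation domain, threshold and allowlist (not from the original post).
ORG_DOMAIN = "example.com"
ANON_SHARE_THRESHOLD = 3                       # more than this many link-shares is "excessive"
APPROVED_APPS = {"Corporate CRM", "HR Portal"}  # sanctioned SaaS-to-SaaS connections

# Awareness modules keyed by finding type; the module names are assumed.
TRAINING_MODULE = {
    "excessive_anonymous_sharing": "Unintentional data exposure: anyone-with-the-link sharing (14.5)",
    "external_mail_forward": "Unintentional data exposure: forwarding mail outside the organisation (14.5)",
    "unapproved_saas_connection": "Data handling: SaaS-to-SaaS connections and unauthorized apps (14.1/14.4)",
}

# Constructed sample audit events (not real logs).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "type": "file_share", "file": "Q3-forecast.xlsx", "scope": "anyone_with_link"},
    {"user": "alice@example.com", "type": "file_share", "file": "board-deck.pptx", "scope": "anyone_with_link"},
    {"user": "alice@example.com", "type": "file_share", "file": "salaries.csv", "scope": "anyone_with_link"},
    {"user": "alice@example.com", "type": "file_share", "file": "offsite.docx", "scope": "anyone_with_link"},
    {"user": "bob@example.com", "type": "file_share", "file": "lunch-menu.pdf", "scope": "organisation"},
    {"user": "bob@example.com", "type": "mail_forward", "target": "bob.home@gmail.example"},
    {"user": "carol@example.com", "type": "mail_forward", "target": "finance-shared@example.com"},
    {"user": "dave@example.com", "type": "oauth_grant", "app": "Unknown Calendar Sync",
     "scopes": ["mail.read", "files.readwrite"]},
    {"user": "dave@example.com", "type": "oauth_grant", "app": "Corporate CRM", "scopes": ["contacts.read"]},
]


def is_external_address(address, org_domain=ORG_DOMAIN):
    """True if the mailbox domain is not the organisation's own (subdomains count as internal)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain == org_domain or domain.endswith("." + org_domain))


def find_risky_behaviour(events, org_domain=ORG_DOMAIN, anon_threshold=ANON_SHARE_THRESHOLD,
                         approved_apps=APPROVED_APPS):
    """Return {user: [(finding_type, detail), ...]} for the behaviours the post names as risky."""
    anon_shares = defaultdict(list)
    findings = defaultdict(list)
    for ev in events:
        user = ev["user"].lower()
        if ev["type"] == "file_share" and ev["scope"] == "anyone_with_link":
            anon_shares[user].append(ev["file"])          # aggregated below, one share may be fine
        elif ev["type"] == "mail_forward" and is_external_address(ev["target"], org_domain):
            findings[user].append(("external_mail_forward", ev["target"]))
        elif ev["type"] == "oauth_grant" and ev["app"] not in approved_apps:
            findings[user].append(("unapproved_saas_connection",
                                   f'{ev["app"]} ({", ".join(ev["scopes"])})'))
    # A burst of anyone-with-the-link shares is the training trigger, not a single share.
    for user, files in anon_shares.items():
        if len(files) > anon_threshold:
            findings[user].append(("excessive_anonymous_sharing",
                                   f"{len(files)} files: {', '.join(files)}"))
    return dict(findings)


def training_assignments(findings):
    """Map each user's findings to a sorted, deduplicated list of awareness modules."""
    return {user: sorted({TRAINING_MODULE[kind] for kind, _ in items})
            for user, items in findings.items()}


if __name__ == "__main__":
    found = find_risky_behaviour(SAMPLE_EVENTS)
    for user, modules in training_assignments(found).items():
        print(user)
        for kind, detail in found[user]:
            print(f"  finding: {kind}: {detail}")
        for module in modules:
            print(f"  assign:  {module}")
```

In the sample data only alice (four link-shares), bob (forward to an external mailbox) and dave (an unsanctioned OAuth grant with mail and file scopes) are flagged; carol's forward to an internal shared mailbox and bob's organisation-scoped share are not. The point of aggregating anonymous shares rather than alerting on each one is to keep the training contextual and credible: users who are nagged for every legitimate share stop reading the message.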

Safeguard 14.6: Train Workforce Members on Recognizing and Reporting Security Incidents

SaaS users need to be trained on the ways SaaS accounts (and whole tenants) can be compromised. This may entail reporting when credentials appear to have been changed by an attacker and the legitimate user no longer has access, spotting and reporting suspicious files in file storage applications, or reporting unnecessary anonymous sharing within the organization. Furthermore, the usual need for awareness of phishing and social engineering attacks, and for reporting such attempts, applies to SaaS as well.

Safeguard 14.8: Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

As SaaS applications are globally available and access to them is not subject to the organization's network security controls, users need to be aware of the dangers of using insecure networks to access corporate SaaS applications. In particular, they need to be aware that SaaS applications which do not encrypt data in transit are dangerous in any context, and even more so on an insecure network, where traffic can be read or altered by anyone on the path.

Next

CIS Controls™ for SaaS – Part 4: Data Protection and Recovery