We’ve posted repeatedly about cyber-security and the need to be more vigilant and more careful, and we’ve shared real-world stories to reinforce the concern. It’s a concern then that we still see a number of organisations that remain reluctant to increase their protections. This might be due to the increased cost or complexity, or a sense that these things only happen to other people.
We want to be very clear – whenever we look, we see hacking attempts on clients. It seems clear that every organisation is being attacked. Sometimes these are quite simple, such as attempts to test common passwords against known user names (e.g. the email addresses we all share). It is obvious that the attacks are stepping up and at some point, the hackers will find a weakness to exploit. While no one can promise to prevent hacks, there are some things you can do to reduce these weaknesses.
One step is to take advantage of cloud services for as much as possible. Organisations used to be worried that the cloud exposed them to more risk but it has long since become apparent that the scale of cloud providers means they can invest in protections that we simply can’t afford to do for inhouse IT systems. (Refer Are your files secure in the Cloud? (microsoft.com)
But just because something is in the cloud doesn’t make it secure
We still need to apply some basic steps.
Our response has been guided by best-practices and recognised standards. While there are a few standards for cyber-security, they all have a great deal in common. They tend to help businesses take a complex challenge and allow them to break it down into manageable sections to help ensure businesses don’t overlook vital elements.
The NIST (US National Institute of Standards and Technology) framework is particularly useful with their 5 modules – Identify, Protect, Detect, Respond and Recover. Cybersecurity Framework | NIST. There are a lot of recommendations there that we apply in our KARE for Security offering.
There are also these 5 steps that anyone can do right now, to protect themselves, their staff and their clients :
1. Understand your responsibilities and your cloud partner’s commitments
While the cloud provider has committed to a set of responsibilities., they will also expect you to play your part. They are highly incentivised to maintain a secure platform, and the last thing they want is a breach because that will destroy their business. That means they need their clients to play their part, using secure passwords, multifactor authentication, secured endpoints and so on.
Every service will be a little different. We recommend you carefully read over the contract, understand the language used, and take note of your security responsibilities so proper steps can be taken in day-to-day operations.
2. Actively maintain your accounts and configuration
Ensure you regularly review your use of the system to ensure you are meeting your obligations. These might include:
– Ensuring all users have MFA turned on.
– Passwords are strong and complex.
– If appropriate, only authorised devices can access the cloud solution.
– Old user accounts have been disabled.
– No current user has more access rights than they require.
– Review logs and security settings within the cloud tool, and any recent vendor security blog posts – for example, if new encryption tools are available, are you able to use these?
3. Assess the content you are keeping in the cloud tool
With recent changes to privacy laws, make sure you know what sort of data is being kept in the cloud tool and what access rights are applied to it.
– Remove data you don’t need to keep, as that will reduce your risk and reduce the scope of harm should a compromise occur.
– Check the security on the data you maintain on the cloud tool.
– Assess what data may have been archived from the tool (for example downloaded to a spreadsheet or folder) and check that is secure as well.
4. Awareness and user training
We’ve learned that people are our biggest risk. Its vital to create a culture of security and data privacy. In our business, we have set up a security and privacy committee that mimics the processes of Health and Safety, monitoring hazards and near misses and making recommendations.
That has confirmed that most risks are human. Educating colleagues and refining processes are key to reducing exposure.
Every organisation has more cloud platforms in use than they realise, as many can be as simple as being a basic web portal to access a supplier service. These are set up by your colleagues and so its necessary that they recognise these and highlight them so you can make sure you are maintaining your obligations.
Helping colleagues with training, awareness and guidelines on cloud use and security needs to be ongoing as the tools change, the vendors update them, new ones are added and old ones removed, and of course your colleagues change as well.
5. Simplify where possible
With the increase in remote working, there has been more acceptance of cloud tools and more willingness to try new things. Most organisations now have more cloud solutions than they realise. For example, groups of users might adopt different tools for similar challenges based on individual preferences.
Clearly reducing your surface area reduces your risk. We recommend consolidating to a core set of cloud providers. This allows you to concentrate on securing a more manageable number of cloud providers.