Why the cloud isn’t Colditz

Recently I saw a business owner ask on LinkedIn: “All my stuff is in the cloud. Why do I need to worry about security?”

It’s a legitimate question. Can you just put your data in the cloud, and wash your hands of it? After all, your provider is presumably using some industrial-grade level protection. So you hope, anyway.

But consider this. Not long ago, a digital design agency in Sydney had their server go down. There were no backups. Most of the companies using it had relied on the design agency to keep their data safe, but it wasn’t. Seven of the 12 businesses running on that server went bust. They sued, and the design agency declared bankruptcy. Everybody lost.

Being “in the cloud” can lull companies into a false sense of security. But any company still has many points of vulnerability that they need to protect. Cloud doesn’t mean that someone is taking care of everything for you.

Data protection responsibility

Consider the applications you’re running on the web.  A company that literally has a website only – no transactional ability – would possibly survive losing their data. Most businesses, however, are still handling customer data in one shape or form. It’s your responsibility to protect that data. Relying on a cloud provider isn’t enough: even if you’re with Amazon Web Services, who uses state-of-the-art security when it comes to your server, your provider isn’t going to be responsible for your applications’ data.

If someone can gain access to your systems, they can get into your cloud and steal or corrupt your data. They can also delete all your backups, or encrypt and hold them to ransom. This isn’t something your cloud provider’s standard setup usually protects you against.

Another point: while cloud providers are supposed to do backups, they may still fail to do so. You need to do your own backups independently of what’s going on in the cloud. Australian law requires that companies are supposed to hold records for seven years. If someone else loses your data, it’s still on you, legally and reputation-wise.

A security and compliance plan

Every business needs to create a plan for security and compliance in the cloud. This should start with a proper security audit, which will address as many potential vulnerabilities as possible. Mobile devices and the Internet of Things are bringing thousands more devices onto corporate networks, representing many more potential access points for hackers.

Security professionals will also have to audit human vulnerability as well as the tech side of things. A typical strategy is to drop a “rubber ducky” or “bash bunny” USB on the floor. This is a USB pre-loaded with malware that gives a hacker control of your computer. The chances are that some employee will pick it up and plug it into the network, giving hackers (or security testers in this case) access. The security testers may also try to manipulate your staff into giving them passwords or other critical data through spear phishing attempts. These are all areas that your cloud provider can’t secure for you.

IDC forecasts worldwide revenues for the security sector will reach USD $101.6 billion in 2020, led by security-related services; security software was the second category. Endpoint security, identity and access management, and security and vulnerability management software are all hot areas as well.

For better security, try this five step approach.

On your office infrastructure:
  • Scan all your computers regularly
  • Run up-to-date virus scanners on everything
On your website:
  • Run an automated scan from a reputable site such as Acunetix
  • Get someone to do a Tech Audit
  • Get someone to do a Security Audit if you are handling sensitive data

The cloud is not a fortress. It’s not Alcatraz. Ignore the security of your own network, applications and data and you will surely pay a high price for it.

Simran Gambhir is the founder of technology and software solutions provider Ganemo Group. He was previously CTO for Flybuys and News Corp’s digital arm.

This article was originally published by Computer World.