Cloud computing networks are revolutionizing the business world and, with their limited resources, SMBs are often first in line to take advantage of virtualization.
Unfortunately, due to their absent or budget in-house IT services, they are also high on the priority list of hackers looking to cause damage or to steal sensitive data. Even businesses with limited sensitive data on their systems are seen as a way to gain access to their bigger clients’ networks (for example, the HVAC company whose network access credentials opened up a channel to discount store giant Target in the 2013 data breach, costing them millions of dollars in settlements).
The dilemma between increased operational efficiency and higher exposure to security breaches is one being anxiously chewed over by CTOs and business owners everywhere.
If you decide to bite the bullet and embrace the cloud, here are some tips for minimizing risks.
Automate Security Checks
Security-conscious homeowners make sure they check the locks on all of their doors and windows when they leave the house. IT-security businesses do the same with any data coming into or exiting their networks. There are various types of automated threat detection software on the market and some are able to flag changes to firewall and server configurations and even trigger password change reminders.
Just be aware that threat detection automation is not infallible. It still requires a human being to act on any threats it picks up on and, in the case of malware detection, install security patches. Even then, it may be breached as part of a zero-day exploit.
Cloud services, especially the bigger ones, are often less vulnerable to security breaches than the systems used by their clients. Where sensitive data is concerned, the fewer versions stored on your in-house systems the better.
One simple hack to reduce the risk of data theft is to strictly limit the downloading of data. For example, if you are accessing a sensitive document – such as a scanned bank statement – on the cloud, use a viewer or your browser’s preview function rather than automatically hitting the download button.
There is no point in your cloud provider implementing end-to-end encryption and two-factor authentication only for a dodgy visitor to plug in a flash drive and swipe documents you’ve left lying about on your own PCs.
Use Your Virtual Shredder
As well as reducing the number of downloads, make it a clear policy to delete documents, emails and other data that you no longer need. Leaving emails and documents lying about in system folders – even spam folders or trash cans – not only increases the chance of them being stolen. It also leaves you vulnerable to hidden scripts or infected files.
Adjust the settings of your email server to ensure the spam and trash folders are regularly purged. You can also use the inbuilt Task Scheduler (Windows) or Automator (Mac Os X) to delete, for example, unmodified files of a certain age.
Tokenization is used by many security-conscious firms to protect sensitive data (e.g. card details in retail environments). However, tokenization systems can work with other types of sensitive data too.
In a nutshell, tokenization associates real data with a temporary random alternative (the token). The token then replaces the real data during transfer. If the network has been exploited, the hackers can steal only the meaningless token. Unlike some forms of encryption, there is no formula used to create the token from the original data. Therefore, the hacker will be unable to recreate the real data.
Strictly Control Third Party Apps – and Users!
Businesses regularly underestimate the number of third party apps that are integrated into their virtual networks. Third party apps using APIs are now ubiquitous across the internet but not all follow good security practice.
Carry out regular audits to draw up a list of all of the third-party apps your business uses. Make sure you are running the latest versions, have installed any security patches and that each app meets your company’s security and compliance standards. If necessary, replace those that do not.
If your organization is complex or you are unsure about whether a third-party app is safe, consider outsourcing this function to a professional IT consulting firm.
It is also wise to run a regular third-party user audit. You wouldn’t allow a lodger to retain the key to your home after they leave so be quick to withdraw any permissions you have granted to your systems when access is no longer appropriate.
If you operate a Bring Your Own Device policy, ensure that former employees’ devices are recovered and/or wiped immediately. On the same theme, make sure that you give third-party users and remote workers only the minimum access they need to perform their role. Your virtual call center agents should not be able to access your company accounts!
Moving Beyond Hacks
Taken together, the tips and software hacks above will afford some protection from security breaches but they will never eliminate all danger. Security in the cloud is a process and there is no one-time hack or ‘silver bullet’ product that will render any business immune to the cyber criminals’ persistent efforts.
The best course of action is to invest in proper staff training, lay sound security foundations (strong passwords, robust data protection policies, regular updates, compliance awareness, etc.) and keep up to date with the most recent developments in technology and IT security.