Ashton Education
What You Should Know About Cybersecurity and the Cloud


November 2, 2021 / in Cybersecurity / by Marla Ovenden-Cooper

As of 2020, the cloud computing market reached 371.4 billion dollars worldwide, with 94% of enterprises using the cloud in at least some aspects of their business. More and more small and medium-sized businesses have migrated to the cloud, with the COVID-19 pandemic accelerating adoption. As time moves on, some of the businesses that initially felt the need to adjust quickly are now asking themselves, “Did I make the right choice? Do I want to continue to use the cloud?” We thought we would help these decision-makers by sharing some of the risks and benefits of the cloud, along with tips for securing it.

Risks of Doing Business on the Cloud 

One of the greatest concerns when evaluating cloud services is confidentiality, specifically unauthorized access to company data and client information. Since third-party providers have access to your data, the risk of insider threats is a consideration. Unauthorized access also includes external cyberthreats, which take advantage of any vulnerabilities and security defects in the cloud. Finally, disaster recovery should be considered when planning a transition to the cloud. Migration to the cloud results in loss of control over disaster recovery: the speed and ability to respond to a disaster are limited by your cloud service provider.

Why Use the Cloud?  

Since using the cloud may increase risks, why would a business want to use it? In many cases, businesses need the cloud to compete and operate efficiently. The increase in work from home and project sharing makes the remote accessibility of the cloud appealing. The ability to quickly scale up or down provides the flexibility many businesses require. Many cloud providers include automatic updates to the most up-to-date software and servers, which means one less item for the IT team to manage. Believe it or not, security may also be a benefit to consider when migrating to the cloud. Depending on your business, its size and your security model, you may find your cloud service has greater security than what you currently have in place. For example, some cloud providers back up your data at different data centres, ensuring that if your original data is lost or corrupted you still have access to the backup data. Of course, one of the greatest influences on any business decision is managing costs. Some small and medium-sized businesses will find that renting added server space is more economical, as they can adjust capacity to the peak times and the lower-revenue times in their business.

Tips to Securing the Cloud 

  1. Use multi-factor authentication for all usernames and passwords. Stolen credentials are one of the main ways that hackers are able to gain access to your company data.
  2. Ensure your cloud system uses encryption.  
  3. Minimize user access. Users generally do not need access to every part of your cloud infrastructure. Providing each user with access only to the content relevant to them means there are fewer chances of user credential theft affecting cloud security.
  4. Back up your cloud system. Backups may be done directly on the cloud, but you may also do them manually on your own server, a secondary cloud server or a portable device such as a portable hard drive.
  5. Ensure your team is trained on cloud security. Cybersecurity training for cloud computing, such as the Arcitura Cloud Certified Technology Professional and CompTIA Cloud+, includes training that focuses on understanding and comparing cloud platforms and cloud security from a vendor-neutral perspective.
  6. Test your system using a cloud penetration tester. Penetration testing, or pentesting, will help to identify risks, gaps and vulnerabilities in your cloud infrastructure.  
  7. Consider using a managed service provider (MSP) to help manage your cloud services if your resources are limited. Ensure that your MSP has staff who are trained and who regularly take cybersecurity courses to keep up to date on the current threat landscape.
  8. Ensure your onboarding and off-boarding processes address cloud security. New employees should be granted only the access that is required. Off-boarding processes should include restricting access immediately to protect against disgruntled past employees.  
  9. Read all privacy policies when signing up for cloud services. You should also immediately set up your privacy settings to reflect your company needs.  
  10. Use strong passwords. Password management is something that cybersecurity professionals have been raising awareness about for years. Passwords need to be unique, contain numbers and letters, and be longer than 15 characters. To do this effectively, many people use a passphrase or a password manager to help them remember.

If you are a decision-maker and want to learn more about the cloud, but don’t feel you have the IT skills for some of the more advanced courses, you could take the CompTIA Cloud Essentials+ course. This course will help you understand the basics of the cloud and provide insight into the questions and considerations involved in your cloud or multi-cloud strategy.

Questions You Should be Asking Your CISO About Your Cybersecurity Plan


September 27, 2021 / in Careers / by Marla Ovenden-Cooper

Gone are the days when CEOs ask if they will experience an attempted breach. Now CEOs and the C-Suite know that cyber breaches are a significant threat and that waiting for an event to occur before developing a plan is poor practice. Having an effective plan can prevent data loss, minimize damage to the brand reputation, and prevent financial losses due to downtime or fines.

It Is More Than Just Checking Off Boxes

The need for an incident response plan is well supported. However, the incident response plan is not about checking off a box that says “We have a plan in place”. If you are a member of the C-Suite, you have likely already been asking yourself, “Are we prepared for an event?” Of course, if you are a CISO or CIO, you likely already know the answer. However, leaving the responsibility for assessing the effectiveness and preparedness of the company in the hands of one person can be problematic. Other C-Suite members should remember that they have a vital role to play regarding information security and cybersecurity, and that role will need to increase as technology accelerates. Consider: when was the last time you reviewed the incident response plan? How much time has been devoted to analyzing cybersecurity, information security and their potential impacts on the company? The past two years have seen significant changes in digital transformation and cybersecurity. If time has not been dedicated to this within the past two years, now is a great time to do so.

Of course, deciding to review the IT security measures and evaluate their effectiveness is the easy part. Knowing the questions to ask the team is another. Below you will find a list of our top 5 questions that you should be asking your CISO.

    1. What is our biggest cyber risk right now?

You need to know your enemy before you can create a plan to combat them. Knowing what the biggest risk is today will allow you to strategize or assess the strategy you are currently using to determine effectiveness.

    2. How are we dealing with third party vendors?

There are three key components to this question that need to be addressed.

First, how are the third-party suppliers or vendors vetted? Are they required to have cybersecurity policies that align with those of your company, for example a requirement for annual or quarterly cybersecurity training for all staff? Are they asked to meet specific information security standards, such as being ISO 27001 certified?

The second important concern surrounds access. Is the concept of least privilege being applied to third parties? Are they only allowed access to what is absolutely required?

Finally, what is being done regarding the inventory of third-party access and devices? Where can this inventory be found?

    3. How much time is devoted to the incident response plan? When was the plan last reviewed?

Incident response plans require testing so that the team can practice and so that regular improvements can be made. Teams need to review the challenges found in the last test and update their strategies and the plan to overcome these challenges.

    4. Are legal and communications included in our incident response plan?

The areas of legal and communications are key when an incident occurs. Do these teams participate in the testing scenarios? If not, when was the last time that the plan was actively reviewed with these team members?

    5. How would you rate the company culture as it relates to cybersecurity?

Human error is one of the largest cybersecurity concerns, so gauging the temperature of cybersecurity awareness among all employees is key to any cyber plan. Does the team require cybersecurity training? Are there members of the IT department who are looking to upskill and take additional IT training courses that will benefit the security team’s ability to address long-term information security plans?

Looking for more information on questions to ask your security team? Check out our blog post, “Questions CEOs and CFOs Should Ask Their Cybersecurity Teams”.
