With 94 per cent of businesses using cloud services in some way, cloud computing is quickly becoming one of the world’s most popular technology services. From the financial sector to retail, the cloud offers companies in every industry flexibility and cost savings.
However, before you move your business processes to the cloud, you should know the basics of cloud cybersecurity. This guide explains the risks and benefits of the cloud, how to assess vendors’ security measures and what your company needs to do to boost security when using the cloud.
When using any emerging technology, it’s natural to hesitate and weigh the risks. The top concern for many organizations is security. However, Gartner predicts that public clouds will experience 60 per cent fewer cybersecurity breaches than traditional data centers.
If your organization processes sensitive data, such as medical records, financial information or legal data, you might be especially worried about security. But any type of data can be stored safely in the cloud. “I don’t believe that there’s anything that can’t be hosted in the cloud for . . . security reasons,” says Dean Iacovelli, Director for Secure Enterprise at Microsoft. “Even the DOD, even the three-letter agencies, [are] leveraging the cloud more and more for many of their services.”
You might also worry about putting your compliance into the vendor’s hands. Failing to comply with data security and privacy regulations, such as GDPR and CCPA, can have major consequences. If you choose a vendor that isn’t familiar with the compliance needs of your industry, you could risk a damaging lapse.
“There is almost no question in practical detail that you . . . improve your security by moving [data] to the cloud. What people are actually objecting to . . . is loss of control,” says Iacovelli. If something goes wrong, you can’t work to fix it right away in-house. Instead, you have to log a ticket with your vendor and wait for them to get to you. If you’re a fast-paced company, losing the ability to work for even a few hours could be devastating.
Concerns aside, using the cloud can benefit your organization in a number of ways.
As mentioned above, data security actually improves for many companies. Iacovelli explains it this way: when you choose a high-quality vendor, you’re getting the benefits of a billion dollars’ worth of cybersecurity tools and knowledge while only paying for the portion that your company uses.
It’s the same idea as using your city’s electricity infrastructure. You benefit from the services of the entire system, but are only billed for the amount of power your company used.
Similarly, using the cloud can increase your company’s compliance. You benefit from the high cybersecurity standards of your vendor without paying to implement such measures in-house.
Reputable cloud vendors stay up-to-date on regulatory requirements, emerging cybersecurity threats and best practices. Updating your data storage and processing procedures in-house can take a lot of time and money, but if you use the cloud, your vendor will automatically do it for you.
Using the cloud also helps you protect your company’s business continuity. Many vendors have servers in various locations around the world, so if a disaster happens in one place (e.g. flood, fire, break-in), your data will still be safely held somewhere else. If you store all of your data on-premises, one incident could mean a complete, devastating loss.
One of the most appealing benefits of the cloud is its ubiquity. You can access your company’s data from anywhere without compromising security. Do you need to work on an urgent task while on vacation? Easy. Do you employ remote employees? No problem. No one is tied to the office to access their work.
Finally, and perhaps most importantly, storing data in the cloud saves money. Storing data on-premises is your most expensive option, and it also requires the most in-house upkeep. For a moderate price, you can host on a private cloud.
The most cost-effective choice is to hire a hyperscale vendor (one that can accommodate millions of users) on a public cloud. Once again, using the shared infrastructure reduces cost without reducing quality of service.
You might choose the most secure cloud vendor in the world, but if your organization doesn’t do its part for cybersecurity, you could still suffer a breach.
First, be sure that employees protect their work identities. Enable multi-factor authentication for accessing the cloud and other work systems. Prompt password changes every three to six months. Require employee passwords to be hard to guess, containing:
- No part of their name
- A capital and lowercase letter
- A number
- Eight or more characters
- A special character
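The checklist above can be enforced at password-change time rather than left to guidance. The following is an added example, not code from the original article: the function names, the use of the e-mail local part as a source of name fragments, and the three-character minimum for a name fragment are all assumptions.

```python
import re
import string

MIN_LENGTH = 8
MIN_NAME_PART = 3  # assumption: ignore name fragments shorter than this


def name_parts(full_name, email=""):
    """Split a display name and e-mail local part into lowercase tokens."""
    local = email.split("@", 1)[0]
    tokens = re.split(r"[^a-z0-9]+", f"{full_name} {local}".lower())
    return {t for t in tokens if len(t) >= MIN_NAME_PART}


def policy_violations(password, full_name, email=""):
    """Return the rules from the checklist that the password breaks."""
    problems = []
    lowered = password.lower()
    # Case-insensitive match so "DANA" or "dAnA" are caught as well.
    if any(part in lowered for part in name_parts(full_name, email)):
        problems.append("contains part of the user's name")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("needs a capital and a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if len(password) < MIN_LENGTH:
        problems.append("needs eight or more characters")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords, for illustration only.
    user = ("Dana Whitfield", "dana.whitfield@example.com")
    for candidate in ("Dana2024!", "summer", "T7#kestrel-Quay"):
        print(candidate, "->", policy_violations(candidate, *user) or "OK")
```

Returning every broken rule at once, instead of stopping at the first, lets the password-change form tell the employee everything to fix in a single attempt.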
In addition, run mandatory cybersecurity training each year for all employees to remind them of best practices. This should include information on types of online scams, as well as a refresher on relevant policies such as:
- Clean desk policy
- Acceptable use policy
- Bring your own device (BYOD) policy
- Information/data security policy
- Incident response policy and/or plan
- Email policy
- Social media policy
- Remote access/work policy
- Disaster recovery policy
Companies also need to strengthen their internal email security. Start by increasing endpoint security and implementing a spam detection system.
Cybercriminals not only steal credentials, but also use them to trick employees into giving them even more sensitive information, including administrator access to your data. Securing company emails reduces the risk of both.
When choosing a cloud vendor, don’t just go by the cost or the name. Assess each option’s cybersecurity measures to determine which best fits your company’s needs.
To do so, Iacovelli suggests asking the following questions:
- Do they meet compliance requirements? You are responsible for the actions of your vendors and other third parties that complete tasks for you. If they suffer a data breach or compliance lapse, you risk facing penalties and lawsuits for their actions.
- What’s their track record? Have they suffered any major breaches? A history of incidents is a good indicator that their cybersecurity measures aren’t robust.
- What are their cybersecurity partnerships? Do they have any business alliances or pool resources with other companies? Are they reaching out and trying to be an active member of the cybersecurity community?
- Do they handle cybersecurity in-house or outsource? Is cybersecurity a core competency of their business? Because data protection is so important, you want to look for experts in their industry.
- What tools/platforms do they use for security? Can they handle your volume of data? Look for a vendor that can handle your workflows. Check to see if they use automation or AI for simple data security, allowing human staff to delve deeper into more complex threats.
Iacovelli notes that phishing will continue to be a cybersecurity risk for all internet users, including those using the cloud, in the future. Phishing schemes aim to gather information about the victim, most commonly user names and passwords, but also financial information and other sensitive data.
Using an email or text message, the scammer tricks the victim into clicking a malicious link. The link either installs malware on the device or cons the victim into entering their credentials on a legitimate-looking site (e.g. a dupe for their bank’s home page).
Even the strongest security measures can be circumvented with stolen credentials, Iacovelli says. This is why companies need to reduce their reliance on passwords and enable multi-factor authentication for employees. If a fraudster gets hold of an employee’s cloud log-in credentials, they could cause astronomical financial and reputational damage for your company.
With the rise of remote work, more organizations might adopt a cloud-based workplace as part of their cybersecurity risk management. Keeping data in-house complicates security when you have a virtual workforce. “Managing the risk around letting people connect to their business applications from [their] computer at home . . . becomes part of your IT security headache,” says Iacovelli.
“Instead of everything being behind your firewall, in silos, behind VPNs, and stuff like that, all of those things impede access and make things more complicated. Whereas in the cloud, you can access everything from anywhere.”