Organisations are using Cloud services more than ever. In fact, according to a report by software firm Flexera, 92% of organisations use more than one, with the average respondent using 2.6 public Clouds and 2.7 private ones.
There are obvious benefits to this, from greater accessibility to automation and synchronisation. However, many people believe that using a Cloud storage provider will boost their cyber security posture – and although there’s some truth to that, it doesn’t present the whole picture.
After all, information stored in the Cloud is still held in a physical location, and if it’s accessible to you, that means it could also be accessible to cyber criminals.
In this blog, we look at three risks that come with Cloud storage and help you find ways to protect your organisation.
1. Remote workers
Most organisations should have access controls on their internal systems to ensure that information is only viewable to certain members of staff. Doing so reduces the risk of insider threats, and mitigates the damage should a cyber criminal compromise an employee’s account.
These threats are even more prominent for remote workers than for those in the office, thanks to the increased data protection risks.
Indeed, with traffic on the Cloud from remote locations across the country – or, in some cases, across the world – it can be difficult to spot the difference between a home worker accessing a database legitimately and a cyber criminal exploiting your systems.
That’s why it’s equally important to ensure that access controls are extended to Cloud systems. Sometimes this is as simple as only providing accounts to employees who need to use the system – but you might find that there is information within those systems that needs to be further restricted.
Depending on the service you use, it might have built-in access controls that the administrator can adjust accordingly. On other occasions, though, the organisation might be required to establish access controls on its end.
2. Regulatory failures
When organisations store personal data in the Cloud, it creates a series of issues related to GDPR (General Data Protection Regulation) compliance.
For one, the reliance on Cloud storage can make it difficult to keep track of how much data is stored, who views it and how it flows through each part of the organisation.
That could result in large volumes of data sitting in folders unnecessarily, which would be a violation of the GDPR’s data retention requirements.
Another issue is that the Regulation makes it harder for data controllers to pass the blame when a third party, such as a Cloud service provider, suffers a data breach.
Data controllers must give instructions on how service providers handle personal information. Unless the third party has explicitly failed to meet one of the requirements, both organisations will be subject to disciplinary action should a data breach occur.
This is particularly important when it comes to Cloud services, because of the nature of the relationship between organisations and the risks involved.
3. Cyber attacks
Information stored in the Cloud isn’t impenetrable; a cyber attacker can target it just as they would data stored on your own systems. Indeed, one common tactic is to send a phishing scam designed to steal the Cloud login credentials of an employee.
If that happens, you need to understand how it will affect your organisation and the steps you should take to respond.
One way to tackle this threat is to ensure that you have backed up any information stored in the Cloud. Ideally, you should follow the 3-2-1 rule of secure backups, which states that you should have:
- At least three versions of your data;
- Stored on two separate media; and
- One of them located off-site.
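The 3-2-1 rule above can be checked against a backup inventory. The following is an added example, not part of the original post; the inventory format, field names and sample records are assumptions constructed for illustration, with each record counted as one copy of a dataset.

```python
from collections import defaultdict

# Constructed sample inventory: one record per stored copy of a dataset.
# Field names ("dataset", "medium", "offsite") are assumptions for this example.
INVENTORY = [
    {"dataset": "crm", "medium": "cloud-object-storage", "offsite": True},
    {"dataset": "crm", "medium": "local-nas", "offsite": False},
    {"dataset": "crm", "medium": "tape", "offsite": True},
    # Three copies, but all on the same kind of medium.
    {"dataset": "payroll", "medium": "cloud-object-storage", "offsite": True},
    {"dataset": "payroll", "medium": "cloud-object-storage", "offsite": True},
    {"dataset": "payroll", "medium": "cloud-object-storage", "offsite": True},
    # Two media, but too few copies and nothing off-site.
    {"dataset": "wiki", "medium": "local-nas", "offsite": False},
    {"dataset": "wiki", "medium": "usb-disk", "offsite": False},
]


def check_321(inventory):
    """Return {dataset: [failed rules]}; an empty list means the dataset passes."""
    by_dataset = defaultdict(list)
    for copy in inventory:
        by_dataset[copy["dataset"]].append(copy)

    findings = {}
    for name, copies in sorted(by_dataset.items()):
        failures = []
        if len(copies) < 3:
            failures.append(f"copies: found {len(copies)}, need at least 3")
        media = {c["medium"] for c in copies}
        if len(media) < 2:
            failures.append(f"media: found {len(media)}, need at least 2")
        if not any(c["offsite"] for c in copies):
            failures.append("offsite: no copy is held off-site")
        findings[name] = failures
    return findings


if __name__ == "__main__":
    for dataset, failures in check_321(INVENTORY).items():
        print(f"{dataset}: {'OK' if not failures else '; '.join(failures)}")
```

The "payroll" case shows why copy count alone is not enough: three copies held on the same medium still fail the rule.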
This principle should ideally be covered in your business continuity plan. By implementing such a plan, organisations will gain a greater understanding of the risks they face and will be forced to acknowledge the possibility of data loss from the Cloud – in addition to any number of other disruptive incidents.
Indeed, effective business continuity planning helps organisations cope with incidents affecting all of their business-critical processes and activities, from the failure of a single server to the complete loss of a major facility.
You can find out more about business continuity planning by downloading our free green paper: Business Continuity and ISO 22301 – Preparing for disruption.
It explains the fundamental components of best-practice business continuity management, and shows you where the international standard ISO 22301 fits in.
The guide also outlines our step-by-step approach to implementing a business continuity management system, with tips to help you simplify the process.