Cloud services are an integral part of modern business, something that COVID-19 has proven more than ever.
Separated from the office and local hard drives, employees rely on remote servers to view files and databases in real-time – thus ensuring that business as unusual continues.
But as is almost always the case, the benefits of convenience come with security risks. Let’s take a look at what you need to know about staying safe while using Cloud services.
The Cloud is not immune from data breaches
Some people mistakenly believe that storing information in the Cloud removes the risk of data breaches. There’s a kernel of truth in that, because the way organisations approach cyber security will change when they use Cloud services.
That said, information in the Cloud is still stored in a physical location – a third-party server as opposed to your own – and if it’s accessible to you, then it’s accessible to criminal hackers.
The only difference is that you now share the responsibility for its security with the Cloud service provider.
This generally means that the third party will take responsibility for the physical security of its servers and their general upkeep, while organisations must protect the way information is accessed on their end.
Unfortunately for those who think Cloud storage makes data protection easier, the majority of incidents are associated with the organisation. Indeed, a Gartner study found that 95% of Cloud breaches are the result of misconfigurations.
The most common of these errors is employees uploading a database to the Cloud but failing to establish password protections. That means that anyone who gains access to the location of the database has free access to it.
It’s a frustrating error, because it’s easily avoidable and criminals can exploit it with almost no hacking expertise.
This is something organisations need to be especially concerned about during the pandemic.
With traffic on the Cloud from remote locations across the country – or, in some cases, across the world – it can be difficult to spot the difference between a home worker accessing a database legitimately and a cyber criminal exploiting your systems.
Indeed, the rise in remote working has brought countless risks like this, which you can learn more about in our free infographic.
Meanwhile, you can look at other security risks specifically associated with the Cloud in the rest of this blog.
Cloud computing security risks
In addition to human error, you should also consider:
- Unreliable subcontractors
Subcontractors can make mistakes just as anyone can – particularly if they’re cutting corners to get the job done quickly.
Unfortunately, many organisations rely on subcontractors because they don’t have the expertise to establish a Cloud computing network themselves. If you find yourself in that position, make sure you use a reputable service provider.
- Public networks
Public Internet connections are, by their nature, more open and accessible than private ones. That makes them easier to use but also increases the risk of data breaches. Organisations must therefore decide whether the risks of using a public network outweigh the benefits.
- Deleting data when necessary
Organisations can easily lose track of how much data they store in the Cloud and how it flows through each part of the business.
This means you could end up with large volumes of data sitting in folders unnecessarily. That will cause GDPR (General Data Protection Regulation) headaches, as you’re only permitted to hold on to personal data if you have a lawful basis to do so, but it will also exacerbate the risk of data breaches.
Cloud computing and the GDPR
Data retention isn’t the only GDPR-related concern that organisations should have when using Cloud services.
Another huge issue is that, under the Regulation, it’s harder for data controllers (the organisations that dictate what information is processed) to pass the blame when a third party suffers a data breach.
Data controllers must give instructions on how service providers handle personal information.
Unless the third party has explicitly failed to meet one of the requirements, both organisations will be subject to disciplinary action should a data breach occur.
This is particularly important when it comes to Cloud services, because of the nature of the relationship between organisations and the risks involved.
Because information is stored online, it only takes one misconfigured database or phishing email for a breach to occur – and it won’t necessarily be clear where exactly the fault lies.
Secure your Cloud services
You can find out more about this topic by reading Securing Cloud Services: A pragmatic guide.
Written by security architect Lee Newcombe, this guide explains how Cloud computing works, the threats you must be aware of and how to develop a service model that protects you and your staff.
A version of this blog was originally published on 20 March 2020.