The 7 Deadly Sins of Cloud Security and How SMBs Can Do It Better

esteria.white

Business Security

By eliminating these errors and blind spots, your organization can make huge strides toward optimizing its cloud usage without exposing itself to cyber risks.

Cloud computing is an essential part of today’s digital landscape. IT infrastructure, platforms and software are more likely today to be delivered as a service (hence the acronyms IaaS, PaaS and SaaS, respectively) than in a traditional on-premises setup. And this appeals to small and medium-sized businesses (SMBs) more than most.

The cloud offers the opportunity to level the playing field with larger competitors, enabling greater business agility and rapid scaling without breaking the bank. This may be why 53% of global SMBs surveyed in a recent report say they spend more than $1.2 million per year on the cloud, compared to 38% last year.

But digital transformation also carries risks. Security (72%) and compliance (71%) are the second and third most frequently cited cloud challenges among surveyed SMBs. The first step to addressing these challenges is to understand the top mistakes small businesses make during their cloud deployments.

Top Seven Cloud Security Mistakes SMBs Make

Let’s be clear: the following aren’t just mistakes that SMBs make in the cloud. Even the largest and most well-resourced companies are sometimes guilty of forgetting the basics. But by eliminating these blind spots, your organization can make huge strides toward optimizing its use of the cloud, without exposing itself to potentially serious financial or reputational risks.

1. No Multi-Factor Authentication (MFA)

Static passwords are inherently insecure, and not every business sticks to a sound password creation policy. Passwords can be stolen in various ways, for example via phishing, brute-force methods or simply guessing. This is why you need to add an extra layer of authentication on top. MFA will make it much more difficult for attackers to access your users’ SaaS, IaaS, or PaaS accounts, mitigating the risk of ransomware, data theft, and other possible outcomes. Another option is to switch, where possible, to alternative authentication methods such as passwordless authentication.

2. Placing too much trust in the cloud provider (CSP)

Many IT leaders believe that investing in the cloud effectively means entrusting everything to a trusted third party. This is only partly true. In fact, there is a shared responsibility model for securing the cloud, split between the CSP and the customer. What you need to take care of depends on the type of cloud service (SaaS, IaaS or PaaS) and the CSP. Even when the majority of responsibility lies with the provider (e.g. in the case of SaaS), it may pay to invest in additional third-party controls.

3. Failing to back up

In line with the above, never assume that your cloud provider (e.g., for file sharing/storage services) has your back. It always helps to plan for the worst-case scenario, which is most likely a system outage or cyberattack. It’s not just the lost data that will impact your organization, but also the downtime and loss of productivity that could follow an incident.

4. Failing to patch regularly

If you fail to patch, you expose your cloud systems to vulnerability exploitation. This in turn could lead to malware infection, data breaches, etc. Patch management is an essential security best practice that is as relevant in the cloud as it is on-premises.

5. Cloud misconfiguration

CSPs are an innovative group. But the sheer number of new features and capabilities they release in response to customer feedback can end up creating an incredibly complex cloud environment for many SMBs. That makes it much more difficult to know which configuration is the most secure. Common errors include configuring cloud storage so that any third party can access it, and failing to block open ports.

6. Not monitoring cloud traffic

A common refrain is that today it’s not a matter of “if” but “when” your cloud environment (IaaS/PaaS) is hacked. Rapid detection and response is therefore essential if you want to spot the signs as early as possible and contain an attack before it has the chance to impact the organization. This makes continuous monitoring essential.

7. Not encrypting the company’s crown jewels

No environment is 100% breach-proof. So, what happens if a malicious party gains access to your most sensitive internal data or highly regulated personal information about your employees/customers? Encrypting it at rest and in transit will ensure that it cannot be used, even if it is obtained.

Secure the cloud

The first step to combating these cloud security risks is to understand where your responsibilities lie and what areas will be managed by the CSP. Then it’s a matter of determining whether you trust the CSP’s cloud-native security controls or want to enhance them with additional third-party products. Consider the following:

  • Invest in third-party security solutions to improve the security and protection of your cloud for your messaging, storage and collaboration applications, in addition to the security features built into cloud services offered by the world’s leading cloud providers
  • Add extended or managed detection and response (XDR/MDR) tools to enable rapid incident response and breach containment/remediation.
  • Develop and deploy an ongoing risk-based patching program based on solid asset management (i.e. knowing what cloud assets you have, then ensuring they are always up to date)
  • Encrypt data at rest (at the database level) and in transit to ensure it is protected even if attackers get hold of it. This will also require efficient and continuous data discovery and classification.
  • Define a clear access control policy, mandating strong passwords, multi-factor authentication, principles of least privilege, and IP-based restrictions/allowlists for specific IP addresses
  • Consider adopting a Zero Trust approach, which will incorporate many of the above (MFA, XDR, encryption) as well as network segmentation and other controls

Most of the measures above are the same best practices that one would expect to deploy on-premises. And at a high level they are, although the details will be different. Most importantly, remember that cloud security is not solely the responsibility of the provider. Take control today to better manage cyber risks.