People are becoming increasingly complacent about security risks, particularly in relation to customer data. One of the reasons that cloud technology can increase this complacency is that ‘out of sight is out of mind’.
Given that cloud technology is most frequently accessed via the public Internet, all of the risks inherent with using web applications apply. You need only look to the ‘Open Web Application Security Project (OWASP) Top 10’ which provides a list of the 10 most dangerous web based application security flaws to understand how many different and creative ways there are for hackers to breach your systems and data.
Because users generally don’t understand where customer data is being hosted, or by whom, they may well switch off and see it as someone else’s responsibility to protect their customer data.
It is important that people understand, at least at a high-level, the risks around cloud technology and what they can and need to do to protect themselves and their customers.
Falling at the first hurdle
The most common security mistake enterprise users make is to assume that data protection and data security is the responsibility of the IT department.
The IT team are of course responsible for carrying out strong and effective due diligence on their Cloud suppliers, but everyone has a role to play.
As people have become more willing to share personal information online through social media and other through other digital platforms (e.g. internet banking), this has led to a ‘culture of complacency’.
As the use of public cloud services has increased, so has the tendency to use one password to access everything – email, social media accounts, banking and so on. Because people have so many websites they login to on a daily basis, arguably this makes sense.
The problem with that is that people often extend this practice to corporate logins – using personal information and/or the same password as they use online – to make life easier.
If therefore, the user is unfortunate enough to have their email account hacked for example, the hacker can then use this password to gain access to the user’s other online (and potentially corporate cloud) applications as most logins are based on a combination of email address and password.
This is possibly a generational issue – younger people trust technology more, have grown up being willing to share more over the Internet and they bring this behaviour to the workplace.
They also expect technology to integrate with their lifestyle, not be separate so it’s not surprising in an age where BYOD (Bring Your Own Device) is becoming more common that employees see corporate systems as part of their personal technology set.
And more remote, peripatetic employees mean more mobile devices and laptops are being used to access applications and handle data. These devices are often used by employees for personal use and so the lines become blurred.
Appropriate use of public cloud technology should be seen as no different to other corporate systems. Clear policies need to be developed by the company covering appropriate use, particularly where users are using their own device to access corporatecCloud systems and/or accessing other corporate cloud systems such as email from their personal devices.
An acceptable use policy specifies the ways in which the user can access and use corporate applications and needs to cover all of the key areas such as data handling, data protection, computer access control (e.g. password management), email and internet use and use of mobile storage devices.
When cloud goes wrong
In the Not for Profit (NFP) sector there have been some pretty high profile security issues. As recently as last week (28 Jan) The Scouts Association has taken down its database, which according to The Register, holds the records of nearly half a million young people and adult volunteers as a result of the discovery of a potential security vulnerability. Access to this database was made available to Scout members via the public internet.
There are concerns as to the security of the database that is accessible only to Scout Association Members, in particular around the extent of member access to data.
At this stage there is no evidence to suggest that there have been any breaches in security, but the Association has disabled member access as a precaution as it investigates further.
In early January, Computer Weekly covered the ICO ordering the Alzheimer’s Society to improve data protection.
The order was issued after the ICO found that volunteers at the society were using personal email addresses to receive and share information about people who use the charity, were storing unencrypted data on their home computers and were failing to keep paper records locked away.
This example shows how the failure to lay down and enforce an acceptable use policy can lead to some very serious outcomes for the organisation.
As well as issues around the security of personal data, the charity’s website was hacked in 2015, putting at risk about 300,000 email addresses, 66,000 home addresses, phone numbers and some dates of birth.
The Alzheimer's Society example also illustrates the combined danger posed when a breakdown in business processes occurs plus a technology breach.
Cracking the code
By implementing best practice codes of conduct around security processes and ensuring that employees understand the reasons why these processes have been put in place and the dangers faced by not carrying them out to the letter.
It may appear to be a little like ‘teaching your Grandmother to suck eggs’ but password protection is a great place to start.
Good password standards ensure that employees use a minimum of 8 characters and include uppercase, lowercase, numeric, and special characters. Passwords should not include personal information (name, address, birthdays, pets’ names) and should be regularly changed (every 6 months minimum, 3 months ideally).
It is vital that employees understand they do not reveal their password to anyone, nor should they write passwords down. We suggest our employees explore memory tips and encourage them to – say it, repeat it, visualise it.
Technology can force people to comply with the best practice processes to some extent, but it's also a great idea to carry out quarterly audits to check that employees are following the procedures and understand what’s expected of them.
Every single person in the business should see it as their responsibility to protect themselves and their customers from external security threats. This needs to start with a good, clear and enforceable policy and be backed up with regular, simple communications to remind people of what is expected.
Sourced from Jenny McTiernan COO, ProTech