It has been well documented that cloud providers work hard to protect your data, and generally offer more security, innovation, and data protection than you could justify spending—it’s just what happens when a company is managing more data than an average enterprise handles, and would go out of business if it was ever discovered that they were lax in security.
However, you can’t just put all of your data up in the cloud and call it safe. Recently, the Small Business Center of Excellence held a webcast on small business cybersecurity strategies, inviting a leader in the cybersecurity arena, Jerry Irvine, CIO of Prescient Solutions, to speak on important strategies for embracing cybersecurity. While he spoke of many things, one thing that resonated with us was this: While cloud providers do great work to lock down your data from their end, many businesses are still getting some of the most basic user-side security practices incorrect.
Three Tips for Locking Down the End-User Side of the Cloud Security Equation
As one example, Mr. Irvine explained that even when a cloud provider has enterprise-level security, it still allows you to make poor security decisions such as declining multi-factor authentication, giving some people more access than they need, or failing to monitor logins. As a result, many businesses still run the risk of user-side weaknesses in the event of business email compromise, phishing or spear phishing, business process compromise, and more.
Surprisingly, many cloud vendors offer multi-factor authentication as an option rather than as a standard feature. While one may think of this as a convenience issue, failing to enforce 2FA or MFA is a security issue.
What Is Multi-Factor Authentication?
Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).
How to Embrace This
Most cloud providers will require two- or multi-factor authentication. However, if they are leaving it as an option, you as a business leader need to enforce it. We recommend developing a policy within your organization that requires any employee with access to company data, especially when it's in the cloud, to use MFA to protect that data.
Smarter Permissions Management
It’s a fact: Not everyone needs access to everything. One of the biggest weak points arises when someone has access to something that they shouldn’t. IT departments often give non-technical executives (e.g. VP of Sales, CEOs, CFOs, etc.) broad privileges inside corporate applications, figuring it is better to give too much freedom to upper management than to get yelled at when someone can’t create a report.
Many of the most avoidable breaches occur when someone with more access than they should have falls for a phishing email, logs into the fake login page, and passes their information off to a hacker.
How to Address This
This one is a relatively simple fix: Only give broad permission to the ones that need it most. The fewer people who can fall for a scam or have their information (and the company’s information) compromised, the better.
Public Wi-Fi is not secure. Hackers can get access to the Wi-Fi server relatively easily, look for logins, and in turn use them as their own. In addition to this, those who are trying to get into your data are usually coming from a less-than-credible IP address.
How to Address This
If employees are working remotely, one of the first steps you need to take is to make them use a VPN, denying access to cloud applications if they are using a public Wi-Fi hotspot. In addition to this, it’s vital to manage the IP addresses from which someone can log into an application. For instance, you can prevent certain ranges of IP addresses from accessing an application at all, and flag those which may be unsafe or untrusted.
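The IP-based rule described above can be sketched as follows. This is an added example, not code from the webcast or from any cloud vendor: the function names are hypothetical, and the address ranges are documentation placeholders standing in for your own VPN exit addresses and blocked ranges.

```python
import ipaddress

# Constructed policy: placeholder ranges, replace with your own.
VPN_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]    # assumed company VPN exits
BLOCKED = [ipaddress.ip_network("198.51.100.0/24"),      # ranges never allowed
           ipaddress.ip_network("2001:db8:bad::/48")]

def classify_login(source_ip: str) -> str:
    """Return 'allow' (via VPN), 'deny' (blocked range) or 'flag' (untrusted)."""
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return "deny"  # unparseable source address: fail closed
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) must be compared as IPv4,
    # otherwise it would slip past every IPv4 rule.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in BLOCKED):
        return "deny"
    if any(addr in net for net in VPN_EGRESS):
        return "allow"
    return "flag"  # not on the VPN: treat as untrusted and review

def review_logins(events):
    """Return (user, ip, decision) for every login that was not a clean allow."""
    results = []
    for user, ip in events:
        decision = classify_login(ip)
        if decision != "allow":
            results.append((user, ip, decision))
    return results

# Constructed sample login events (user, source IP).
SAMPLE_EVENTS = [
    ("cfo", "203.0.113.5"),           # through the VPN
    ("vp.sales", "192.0.2.44"),       # unknown network, e.g. a hotspot
    ("ceo", "::ffff:198.51.100.7"),   # blocked range in IPv4-mapped form
]

if __name__ == "__main__":
    for user, ip, decision in review_logins(SAMPLE_EVENTS):
        print(f"{decision.upper():5} {user:10} {ip}")
```

Blocked ranges are checked before the VPN list so that a deny rule always wins if the two lists ever overlap.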
Businesses are leveraging the cloud for its easy access, speed, and security, but sometimes, it pays to take a step back and make sure that you’re doing the basics right. From forcing strong passwords to the tips listed above, know that there is value in security. If you’re looking to move your applications to the cloud, we’d love to help. Learn more about rinehimerbaker and our services, and contact us today.