Storing your Data in the Cloud - Just the Start of an Information Security Program

As a leading information security firm, one of the most common statements we hear from existing or potential clients is... "we store our data in the cloud, therefore, we don't need to do anything else to secure our information."

While we agree that using the cloud is a good foundation for your organization to reduce risks to your data, it is only part of a responsible corporate approach to information security and is only a beginning to properly address the serious risks and the damages that a data breach can cause.

This short article outlines the shortfalls of only relying on storing your data in the cloud as your security program and lays out some other fundamentals required to truly protect your information.

What threats exist, even to data in the cloud?

Storing your data in the cloud does not address internal threats to your information

Wherever your data is stored, your organization must recognize that internal threats, whether non-intentional or malicious, are a real risk to your information. Some of the largest data breaches in Canada have occurred because of legitimate mistakes or malicious activities made by internal employees and contractors. Threats such as those outlined below help demonstrate that organizations must implement measures that go beyond solely storing their data in the cloud:

  • Mistakes made by employees due to a lack of training or awareness.
  • Disgruntled former and current employees.
  • Insufficient understanding of privacy legislation and obligations.
  • Corporate governance that does not monitor security activities or performance.
  • Soft or lack of processes for collecting, using, handling, and destroying information.
  • Lack of adequate information security policies.
  • Hardware that is not properly maintained or upgraded.
  • Lack of controls when onboarding contractors.

Your cloud-based data can still be hacked

A common misconception and false 'sense of security' is that information stored in the cloud can't be maliciously accessed or hacked by an outside source. In fact, a 2022 report produced by IBM (Cost of a Data Breach 2022 - A Million-Dollar Race to Detect and Respond) indicated that nearly half of data breaches in the United States happen to data that was stored in the cloud.

Access Control is still a threat

The basis for the development of an effective information / cyber security program is the CIA (Confidentiality, Integrity, and Availability) triad. Under this concept, a commitment to Confidentiality centers around the efforts of an organization to ensure data is kept secret or private. To accomplish this, access to information must be properly controlled to prevent the unauthorized access of data, whether intentional or accidental. Company information stored in the cloud is still vulnerable to attack if proper access controls are not implemented and maintained.

For example, serious gaps are created when a company grants staff unlimited access to all information or to information that they do not require access to. Best practice, even for data in the cloud, is to implement a 'need to know' approach and maintain named accounts, profiles and specific access to specific information stored either on-cloud or on-premises.

What else can my organization do?

  1. Arrange Training and Awareness Sessions for employees

Addressing internal vulnerabilities starts with implementing training and awareness sessions for managers, staff, and contractors to raise awareness of the topic of data security, how to recognize threats and what measures are to be followed. This training does not have to be extensive but should be mandatory for all personnel and should be delivered on a somewhat regular basis to keep up with new threats and trends.

  1. Invest in Developing Key Security Policies and Processes

At Castellan we believe one of the most prudent starting points is to establish a solid policy and procedural governance framework that will guide a consistent execution of your information security priorities and commitments. Some of the basic policies and processes include 1) an overarching organizational Information Security Policy that outlines your commitment to this priority and fundamental security measures, 2) Remote Work / Work from Home Policy, and 3) Technology and Equipment Usage Policy.

  1. Implement and Maintain Hardware such as a Firewall or Network Switches

While implementing security focused tools such as a firewall is a good start, security threats evolve day-by-day. What was safe yesterday may not be safe today. Hackers are constantly looking for vulnerabilities in any device that is exposed to the Internet, such as a firewall. A firewall is the gateway to an organization, it requires constant review and updating according to the manufacturer's recommendations. A hacker can easily find out what vulnerability a specific device has and thus be able to exploit. Once a firewall has developed a vulnerability a hacker will be able to access the entire organization and search for other vulnerabilities.

  1. Considering using a Security Operations Centre (SOC) Service to Actively Monitor your Data

As the costs and other damages of data breaches increase it is becoming more common for organizations to use services to actively monitor their data. These services are rapidly becoming more advanced and cost effective for small and medium sized companies. A SOC, is a team of IT security professionals that protects an organization by monitoring, detecting, analyzing, investigating, and reporting cyber threats on a live and ongoing basis. The SOC team uses advanced detection technology software to analyze activity, establish rules, identify exceptions, enhance responses, and keeps a lookout for new vulnerabilities.

Castellan Information Security is a Winnipeg-based 'end-to-end' information security company that specializes in information security and have worked with both large and smaller private and public organizations to help them reach their information security objectives. If you have questions about this article or would like to speak to us about how our services can help your company protect its information, please feel free contact us directly at info@castellaninformationsecurity.com

 


View More