5 tips to improve your cloud security

Cloud computing is everywhere. You probably don’t think about it all that much, but most of the platforms and software you use will be hosted in the cloud. However, while cloud-based platforms are generally the safest around, there are extra steps you can take to protect your business. Here are our top 5 tips for improving your cloud security.

1. Use multi-factor authentication

Multi-factor authentication (MFA) is an authentication tool that requires you to provide two or more verification methods to sign into an application. Rather than just asking for a username and password, MFA adds some extras: for example, a randomly generated PIN code sent by SMS, a thumbprint, or a piece of memorable information only you know.

You’ve probably already used MFA plenty in your day-to-day life. Many applications now require it and we’re well on the way to it being a near-universal security tool.

This is happening for a very good reason. Strong passwords are important, but they aren’t infallible. A well-orchestrated brute force attack could still find a way through. In contrast, MFA is incredibly difficult for a cybercriminal to crack without access to your phone, fingerprints or deeply personal information.

Moreover, under the new Cyber Essentials requirements, MFA should always be used for accounts connecting to cloud services. 

Want to know more about the cyber threats small businesses face? Check out our guide.

2. Manage user access carefully

It’s likely you’re already doing this with some of the cloud-based software you use. After all, who pays for licences they don’t need? However, as a general rule, it’s important to give your staff access to all the resources and data necessary for their roles, and no more.

There are two key reasons for this. Firstly, it reduces the risk of someone editing or deleting important information by accident. But, more importantly, it protects you from hackers who have stolen an employee’s credentials.

Practising proper segregation of user accounts limits the damage any successful breach can cause. To learn more about how to do that, check out our blog on admin users.

3. Create a comprehensive off-boarding process

It’s never nice when a colleague leaves, especially if it’s not on good terms. But however staff leave, you need to make sure they no longer have access to cloud platforms, systems, data and customer information.

Of course, it’s unusual for employee off-boarding to go dramatically wrong, but that doesn’t mean you shouldn’t take precautions. Too many businesses leave the process until weeks or even months after an employee has left, or forget altogether.

This is a big security risk. By failing to cull access permissions for former employees, you’re losing control over who can access your systems and data, and potentially giving cybercriminals an easy route into your business.

To prevent the worst, you’ll need a systematic process for ensuring all access rights are revoked. This can be tricky as most employees will have access to a range of applications and platforms. So, to make it a simpler process, keep an up-to-date list of who has access to what. And, if you don’t have the bandwidth to do so in-house, there are plenty of tools available to automate the process.
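One way to put the "who has access to what" list to work, for both tip 2 and the off-boarding process above, is to check it automatically against the staff list. The sketch below is an added example, not part of the original article; the CSV layouts, role names, application names and the `audit_access` function are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the original article).
ROLE_BASELINE = {  # hypothetical: the applications each role needs, and no more
    "sales": {"crm", "email"},
    "finance": {"accounts", "email"},
}

STAFF_CSV = """user,role,left_on
alice,sales,
bob,finance,2024-03-01
carol,sales,
"""

ACCESS_CSV = """user,app,is_admin
alice,crm,no
alice,email,no
alice,accounts,no
bob,accounts,yes
bob,email,no
carol,crm,yes
dave,crm,no
"""


def audit_access(staff_csv, access_csv, baseline, today):
    """Return sorted findings as (kind, user, app, detail) tuples."""
    staff = {r["user"]: r for r in csv.DictReader(io.StringIO(staff_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(access_csv)):
        user, app = row["user"], row["app"]
        person = staff.get(user)
        if person is None:
            # Account with no matching staff record: nobody owns it.
            findings.append(("unknown_user", user, app, "not in staff list"))
            continue
        if person["left_on"]:
            left = date.fromisoformat(person["left_on"])
            if left <= today:
                # Off-boarding gap: access still live after the leave date.
                days = (today - left).days
                findings.append(("leaver", user, app, f"{days} days after leaving"))
                continue
        if app not in baseline.get(person["role"], set()):
            findings.append(("excess", user, app, f"not needed for {person['role']}"))
        elif row["is_admin"] == "yes":
            findings.append(("admin", user, app, "admin rights need justification"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_access(STAFF_CSV, ACCESS_CSV, ROLE_BASELINE, date(2024, 4, 1)):
        print(*finding, sep="\t")
```

In practice the two CSV inputs would be exports from your HR system and from each cloud platform's user list, run on a schedule so leavers are caught within days rather than months.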

4. Consider a cloud-to-cloud backup service

As we’ve mentioned, a direct breach of any cloud platform you use is unlikely (though not impossible). Nevertheless, the risk to your data from human error is high. Some 90% of all breaches start with some form of human error.

The problem is, should a cybercriminal corrupt your data or an employee delete something, most cloud platforms will only keep backups of deleted data for a specific period. This can range from days to months. So as well as checking with the provider what its policy is, it could be worth having a reserve option.

Many providers offer regular cloud-to-cloud backup services. And, it’s an option well worth considering for particularly important or sensitive data. 

5. Provide regular security training for employees

If you’ve read any of our blogs before, you’ll know we really hammer home the importance of staff training. Cloud platforms typically have very good defences, meaning the most likely way a hacker will bypass them is by stealing employees’ login credentials. This will usually happen through a social engineering attack, such as phishing.

The best way to counter this is with regular security training. That way, your people will be able to recognise potential threats and avoid them. There’s no such thing as one-size-fits-all security training. What the training looks like will depend on your staff and their knowledge gaps. 

However you do it, keep it regular, useful, and engaging. For more on how to get started, we recommend reading our blog on security training.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.


How to shift to working from home permanently without compromising your cybersecurity

Coronavirus has the potential to change the world of work forever.

Unless you’ve spent the last few months consciously avoiding the media, chances are you’ve read that sentence a lot. From morning talk shows to breathless newspaper op-eds, it feels like everyone is talking about the society-wide shift to working from home.

But what started as a necessary evil that many businesses adopted reluctantly has turned into something else. First came announcements from Twitter and Facebook that employees would be allowed to ‘work from home forever’ if they chose. This was followed by a host of other businesses including Google, Amazon, JPMorgan, Capital One, Slack, Salesforce, Microsoft and PayPal extending their work-from-home options.

Why is this happening?

Well, it’s actually very simple. An increasing number of businesses are seeing the real benefits of a more permanent shift to remote working.

Why rent office space for 300 people when you could use a smaller venue for essential meetings at half the cost? Why insist staff make long commutes into the office, when they’re happier and more productive working from home? 

For many organisations, the COVID-19 pandemic has turned these questions from water cooler conversations into key pillars of business strategy. 

If your business is considering making the switch to permanent remote working, what risks should you be aware of? And how can you overcome them and ensure your people are working safely?

What risks does working from home present? 

While switching to remote working offers benefits in productivity and real estate savings, it also comes with some risks. Here are a few of the most common. 

Unsecured personal devices 

The first question to ask is: can you be sure your people will follow the same security protocols they would in the office? The networks and security tools your staff use at home are likely to be far less secure than those in the office. Home office networks are 3.5 times more likely than corporate networks to be infected by malware, according to a report from BitSight. 

There may even be a psychological element to this. As ZDNet has reported, 52% of employees believe they can get away with riskier behaviour when working from home. For example, sharing confidential files via email instead of the usual, safer channels. 

Lack of remote-working policies and procedures

Part of the reason employees are exposing themselves to risk at home is simply a lack of knowledge of these risks. The COVID-19 pandemic developed so quickly that many businesses didn’t have time to put in place clear policies and procedures for working from home, so employees were literally left to their own devices.

This makes cybersecurity a bit of a guessing game, particularly for the less security-literate of your staff. 

Heightened risk of attack

Cybercriminals are smart but they’re largely opportunistic. And it hasn’t taken them long to figure out that switching to remote working has made businesses vulnerable.

VMware’s recent Global Threat Report reveals that 91% of global respondents have seen an increase in cyber attacks as a result of employees working from home. Meanwhile, the proportion of attacks targeting remote workers increased from 12% of all email traffic in March to 60% just six weeks later.

Keen to exploit our hunger for coronavirus updates, cybercriminals have set up thousands of COVID-19-related ‘news’ sites. These double up as hosts for malware and domain names to launch phishing attacks from. Without the robust controls deployed by most corporate networks, it’s incredibly easy for people working from home to fall into the trap. 

The other area cybercriminals are targeting more regularly is VPNs. VPNs have long been a weak point for cybersecurity. They were only ever intended for small numbers of workers to use occasionally, not whole companies all the time. As a result, many VPNs are insecure and provide cybercriminals with a much wider ‘attack surface’ from which to launch threats.

Reliance on the Cloud

We talked about some of the potential issues with cloud storage in a recent blog and, while it’s the safest option for businesses, it’s not invulnerable to attack. 

Working from home naturally increases your reliance on the Cloud. And this isn’t necessarily a bad thing. However, cybercriminals are becoming better all the time at breaking through providers’ defences and intercepting data as it moves between employees’ devices and the cloud. 

How can you overcome these risks? 

We’ve tackled some of the risks involved in switching to working from home, so what can you do about it?

Provide clear policies and encourage communication

This is the most important step on this list. If your people don’t know which behaviours are harmful, they can’t correct them. Ensure all security policies for workers are clear and easy to follow. If you don’t have a remote working security policy, now’s the time to draft one.

Alongside this, work to foster a culture of communication. That way, employees will feel comfortable asking for help with anything they don’t understand and reporting anything suspicious to internal security teams. All too often, security mistakes are made because staff feel ‘silly’ raising their concerns. 

Ensure the right security is in place 

Many of the most common threats can be prevented simply by ensuring your people have the tools they need. Check that all corporate-owned or managed devices are equipped with the best security capabilities. Also, make sure that the security best practices you’d use in the office are extended to the home environment. 

Maintain good password hygiene

Set up a password policy and ensure everyone follows it. Employees should always use complex passwords and two-factor authentication, as well as change passwords regularly. 

Make sure software is up to date

Your employees should regularly install updates and patches for the software on their devices, no matter how much they might enjoy not restarting their laptop for months on end. 

Keep it professional

Encourage your workers to keep work devices for work and personal devices for everything else. Limiting the number of sites employees visit can limit the risk of attack. 

Secure Wi-Fi access points

Network gateways are an underappreciated aspect of good cyber hygiene. Most of us don’t think much about our WiFi once it’s up and running. However, changing the default settings and passwords on a router can reduce the potential of attack from connected devices.

Understand the risks

Hopefully, this article has been some help in identifying some of the risks remote working presents. But it can’t be stressed enough that understanding the risks is key to preventing them. IT teams need to identify the most likely areas of attack and prioritise the protection of areas of your business that cybercriminals could do the most damage to. 

Although the switch to working from home comes with difficulties, it’s also a golden opportunity to remould the way your business functions. Alongside the obvious real estate savings, remote working promises happier employees, more productive work and greener business practices. Don’t let poor cybersecurity stand in the way of your business embracing the future.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Mythbusting: is your data really safe in the cloud?

Cloud storage has become an indispensable part of modern business. Yet despite the cost savings, ease-of-access, and reliable data backup it offers, some people still don’t trust the Cloud. Why not? And, do they have a point?

Why are people concerned about cloud security?

It comes down to control. When you upload files to a cloud, you aren’t saving them locally to an internal server. Instead, you’re sending potentially sensitive data to another company, one that could be hundreds or even thousands of miles away, and entrusting them to keep it safe. This might sound obvious, but for some businesses, this loss of direct control is a real concern.

Looking to better protect your business? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cybersecurity. 

What are the risks?

Are businesses right to be worried about losing direct control of their data? What are the risks associated with using cloud storage?

Security

The big cloud providers – Microsoft, Google, Apple, and Amazon – spend billions of dollars on their security each year and have some of the best defences around as a result. However, that doesn’t mean they’re infallible.

The most determined cybercriminals find a way around even the tightest defences, whether that’s through guessing security questions or cracking passwords. Even the biggest providers aren’t immune to these approaches as the infamous Apple iCloud hack of 2014 and 2019’s Facebook data breach revealed.

Alongside potential breaches of cloud providers’ infrastructure, there’s some risk involved in the process of just getting your data up into the cloud. For example, let’s say you’re using Google Docs as part of your cloud package. A hacker could potentially intercept your data as it moves between your device and the cloud. Provided you’re working with a reputable cloud provider it’s unlikely, but the risk remains.

Privacy

The other major cybersecurity risk involved in using the cloud is privacy. Even if your data isn’t stolen it could still be viewed both by employees of the cloud provider and government agencies. Governments can legally request data stored by cloud providers and it’s up to each company as to whether they comply.

Although you’ll often hear people trot out the old adage ‘if you’ve got nothing to hide, there’s nothing to worry about’, the possibility of sensitive documents being read by third parties is a valid concern. 

Do the risks outweigh the benefits?

So, do the risks of storing your data in the cloud outweigh the benefits?

In short, no. To illustrate why, ask yourself whether sensitive documents and information would be safer stored locally on company-owned servers or devices. Invariably, the answer is no.

Consider the typical IT infrastructure within a small business. It’s often housed in the same building employees work in and is accessible by anyone who works for the company. This not only makes the job of cybercriminals far easier but also increases the likelihood of a data breach due to human error.

Now contrast that with a large cloud provider. Cloud servers are housed in huge, well-guarded data centres, often far off the beaten track and a long way from providers’ central offices and staff. What’s more, the data in those servers is usually protected with complex encryption, making hacking it extremely difficult.

As for privacy, it’s again worth asking yourself a couple of questions. Firstly, would your company object to a cloud provider’s staff viewing sensitive data for troubleshooting purposes? If the answer is ‘no’, then there is little to fear. Cloud providers generally won’t view the data they store for any other reason.

Secondly, were a government agency to request access to business data would you be likely to refuse? Again, if not, there’s little difference in privacy between storing your data onsite or in the cloud. 

The verdict 

The cloud isn’t perfect. It’s far from completely secure and it’s increasingly becoming the number one target for cybercriminals who realise this. However, it is by far the best data storage option available to businesses. 

It offers a level of security sophistication streets ahead of anything a small business could afford. It’s cost-effective, allowing you to store masses of data for very little money. And, it allows your people anytime, anywhere access to the files and applications they need.

Of course, if you are concerned about the security of your cloud storage, there are extra precautions you can take. Consider setting up encryption (more on which here), two-factor authentication and implementing a strict password policy for an extra layer of protection.
