LOS ANGELES — As more companies adopt cloud services, it might be time to seriously consider how to protect your business’s data.
A new study from cyber security company Thales shows cloud services are one of the top ways a company could be vulnerable to a cyber attack. Thales’ 2019 Access Management Index surveyed 1,050 executives in 11 countries with responsibility for — or influence over — IT and data security.
“The rapid increase of cloud applications and services within organizations has brought many benefits, but these findings clearly show that without the ability to properly secure cloud-based services organizations are exposing themselves to unnecessary security threats,” the report says.
In 2018, there were 2 million cyber attacks with a 12% increase in business-targeted ransomware, leading to $45 billion in losses, according to the Online Trust Alliance’s Cyber Incident & Breach Trends Report. Due to the high number of cyber attacks, 94% of the companies surveyed changed their security policies within the last year, says the Thales study.
Cloud applications land just behind unprotected infrastructure — such as company communication and finances — and access through web portals as the main vulnerability points of cyber attacks. However, the cloud could become a bigger security risk in years to come.
François Lasnier, vice president of authentication and access management at Thales, says with the increased adoption of the cloud by businesses, “what used to be a small problem is now becoming a growing problem”.
Unlike traditional servers and other business infrastructures, cloud applications are often offered by third parties, meaning the company using the cloud cannot put its own protections around their data.
“Companies are now relying on assets and resources that are completely outside their own perimeter,” said Lasnier. “They cannot put a fence around it anymore because they do not own these assets.”
Most data is left unprotected by human error, not necessarily a cyber attack, says the OTA, and even then 95% of attacks are preventable if proper measures are taken.
Still, cloud servers are popular among employees wanting to work from anywhere using any device, and Thales says the answer is simple: access management.
Access management gives a company control over who has access to which content from specific devices. Lasnier says the key to having effective access management is to have a “flexible and adaptable” policy, meaning setting different parameters when it comes to different situations.
For example, an employee using a company computer on a company network can sign on to the cloud application using just a username and password; but if they use a personal computer or are outside the company’s network, they have to use more or different credentials in order to confirm their identity.
According to Thales’s report, the most popular and recommended access management tools are two-factor authentication, bio-metric authentication and smart single sign-on. Two-factor authentication is the most popular tool, used by 58% of the businesses surveyed, and require both official credentials in addition to confirmation of identity — such as a texted code — before logging on to the company’s site. Bio-metric authentication uses identifying factors such as fingerprints to access company information and is used by 47% of companies surveyed.
Smart single sign-on is a rising trend is access management and has increased 46% among the businesses surveyed by Thales in the last two years. Smart single sign-on allows users to just use one identification, such as a username and password, to access all cloud applications. Thales says it has become a popular tool because it eliminates “password fatigue, frustration, password resets and downtime while ensuring that access remains secure at all times.”
Access management tools are often available with cloud services and apps and don’t require a “project” from the company to develop and use, says Lasnier. His advice is to start small by protecting one application, then expand to more applications once you get comfortable.
Businesses are being targeted by cyber attackers using a variety of methods varying from obvious ransomware attacks that shut out the company from its own data unless they’re willing to pay to get it back to the more stealthy cryptojacking — or installing programs to mine cryptocurrency secretly using the computing power of another’s computer. The mining software is downloaded unknowingly the user through phishing emails or advertisements, slowing down the computer’s processing and making it die faster. Although cryptojacking doesn’t aim to take money directly from its victim, it costs them indirectly to replace their device once it’s no longer functioning properly due to the hidden mining.
One effective method of cyber attacks on companies is business email compromise, which is a form of spoofing used to steal money from companies. Hackers pretend to be either someone within the company asking to transfer money to a vendor for what is assumed to be a legitimate business, but instead, the money is sent to the hacker and the money is lost. This practice has doubled in the last year, resulting in $1.3 billion in losses, according to OTA’s report.
Jeff Wilbur, technical director at OTA, says even though the report shows different trends of cyber attacks, the majority of the attacks can be blocked using the same procedures.
“Even though the attack types and what the criminals are doing does shift over time, the basic rules on how to prevent it doesn’t change,” said Wilbur.
Here is what Wilbur suggests:
- Use unique, strong passwords: Wilbur suggests using a different password for every service, so if one account is hacked, the same password can’t be used to hack into more services. He also suggests using multi-factor authentication.
- Keep software updated: Wilbur says a lot of businesses and governments are vulnerable to cyber attacks because their software is outdated, but can easily protect themselves by updating it with protective patches. The city of Baltimore fell victim to such an attack earlier this year, and it is estimated to cost them over $18 million to recover.
- Back up data: Putting company data in a place that is not connected to its main storage can help your business recover from a cyber attack. Since most ransomware wants to make you pay for your data, you will not be held hostage and can resume business if your data is backed up to a secondary location.
- Be careful with email: Even if you think you know the person, verify that it’s really coming from their email address and don’t click on links or open attachments unless you’re sure. Wilbur estimates 90% of attacks start from emails.
- Regularly scan your devices and network for infections: Wilbur says vigilance is necessary to ensure you are safe and criminals aren’t making their way around your network undetected.