Cloud computing is an essential component of today’s digital landscape. IT infrastructure, platforms and software are more likely to be delivered today as a service (hence the acronyms IaaS, PaaS and SaaS, respectively) than in a traditional on-premises configuration. And this appeals to small and medium-sized businesses (SMBs) more than most.
Cloud provides an opportunity to level the playing field with bigger rivals, enabling greater business agility and rapid scale without breaking the bank. That may be why 53% of global SMBs surveyed in a recent report say they’re spending over $1.2m annually on the cloud; up from 38% last year.
Yet with digital transformation also comes risk. Security (72%) and compliance (71%) are the second and third most commonly cited top cloud challenges for those SMB respondents. The first step to tackling these challenges is to understand the main mistakes that smaller businesses make with their cloud deployments.
The top seven cloud security mistakes that SMBs make
Let’s be clear, the following aren’t just mistakes that SMBs make in the cloud. Even the biggest and best resourced enterprises are sometimes guilty of forgetting the basics. But by eliminating these blind spots, your organization can take massive strides towards optimizing its use of cloud, without exposing itself to potentially serious financial or reputational risk.
1. No multi-factor authentication (MFA)
Static passwords are inherently insecure and not every business stick to a sound password creation policy. Passwords can be stolen in various ways, such as via phishing, brute-force methods or simply guessed. That’s why you need to add an extra layer of authentication on top MFA will make it much harder for attackers to access your users’ SaaS, IaaS or PaaS accounts apps, thus mitigating the risk of ransomware, data theft and other possible outcomes. Another option involves switching, where possible, to alternative methods of authentication such as passwordless authentication.
2. Placing too much trust in the cloud provider (CSP)
Many IT leaders believe that investing in the cloud effectively means outsourcing everything to a trusted third party. That’s only partly true. In fact, there’s a shared responsibility model for securing the cloud, split between CSP and customer. What you need to take care of will depend on the type of cloud service (SaaS, IaaS or PaaS) and the CSP. Even when most of the responsibility lies with the provider (e.g., in SaaS), it may pay to invest in additional third-party controls.
3. Failing to backup
As per the above, never assume that your cloud provider (e.g., for file-sharing/storage services) has your back. It always pays to plan for the worst-case scenario, which is most likely to be a system failure or a cyberattack. It’s not just the lost data that will impact your organization, but also the downtime and productivity hit that could follow an incident.
4. Failing to patch regularly
Fail to patch and you’re exposing your cloud systems to vulnerability exploitation. That in turn could result in malware infection, data breaches and more. Patch management is a core security best practice which is as relevant in the cloud as it is on-premises.
5. Cloud misconfiguration
CSPs are an innovative bunch. But the sheer volume of new features and capabilities they launch in response to customer feedback can end up creating an incredibly complex cloud environment for many SMBs. It makes it much harder to know what configuration is the most secure. Common mistakes include configuring cloud storage so any third-party can access it, and failing to block open ports.
6. Not monitoring cloud traffic
One common refrain is that today it’s not a case of “if” but “when” your cloud (IaaS/PaaS) environment is breached. That makes rapid detection and response critical if you are to spot the signs early on, to contain an attack before it has a chance to impact the organization. This makes continuous monitoring a must.
7. Failing to encrypt the corporate crown jewels
No environment is 100% breach proof. So what happens if a malicious party manages to reach your most sensitive internal data or highly regulated employee/customer personal information? By encrypting it at rest and in transit, you’ll ensure that it can’t be used, even if it is obtained.
Getting cloud security right
The first step to tackling these cloud security risks is understanding where your responsibilities lie, and which areas will be handled by the CSP. Then it’s about making a judgement call on whether you trust the CSP’s cloud native security controls or want to enhance them with additional third-party products. Consider the following:
- Invest in third-party security solutions to enhance your cloud security and protection for your email, storage and collaboration applications on top of the security features built into cloud services offered by the world’s leading cloud providers
- Add extended or managed detection and response (XDR/MDR) tools to drive rapid incident response and breach containment/remediation
- Develop and deploy a continuous risk-based patching program built on strong asset management (i.e., know what cloud assets you have and then ensure they are always up to date)
- Encrypt data at rest (at the database level) and in transit to ensure it is protected even if the bad guys get hold of it. This will also require effective and continuous data discovery and classification
- Define a clear access control policy; mandating strong passwords, MFA, least privilege principles, and IP-based restrictions/allow-listing for specific IPs
- Consider adopting a Zero Trust approach, which will incorporate many of the above elements (MFA, XDR, encryption) alongside network segmentation and other controls
Many of the above measures are the same best practices one would expect to deploy on-premises. And at a high level they are, although the details will be different. Most importantly, remember that cloud security isn’t just the responsibility of the provider. Take control today to better manage cyber-risk.
In order to learn more about SMBs’ perceptions of cybersecurity, including about where the growing security needs are driving them, head over to the 2022 ESET SMB Digital Security Sentiment Report.