Last reviewed 28 August 2018

Every small business is now using cloud services. However, many enterprises remain vulnerable. Understanding the potential threats and the practical action that can be taken to protect hosted data is vital, says Dave Howell.

As businesses move increasing quantities of sensitive personal data to the cloud, ensuring high levels of security are in place is critical. The rise in hosted services, particularly across the small business community, has meant a renewed drive to ensure these environments are secure.

According to the latest Cyber Security Breaches Survey, from the Department for Digital, Culture, Media & Sport (DCMS), over 4 in 10 businesses (43%) experienced a cyber-security breach or attack in the last 12 months. Three-quarters of businesses (74%) say that cyber security is a high priority for their organisation’s senior management. However, under 3 in 10 businesses (27%, versus 33% in the previous 2017 survey) have a formal cyber-security policy or policies.

Businesses that collect, store, process and exchange customer information are also having to pay close attention to the requirements of the General Data Protection Regulation (GDPR) that is now in force. A key driver here is the rise in awareness across the general public about how their personal data could be used in the wake of the Cambridge Analytica scandal. Businesses must be more sensitive to the security they need in order to protect the data across their enterprises.

A clear understanding of the multifaceted approach that cyber attacks can take is vital for businesses. With this knowledge, strategic planning can take place to prevent or at least minimise potential attacks, making good cyber security not just an IT exercise. Staff training to heighten awareness and change behaviour goes hand in hand with the security protocols and systems that can be used to protect the cloud services a business is using.

The DCMS report concludes: “Cyber security is a high priority for most businesses and charities. Among businesses, there are also indications that senior managers are more regularly engaged with the topic than in the 2017 survey. At the same time, there is still a lot that organisations can do better. Just five in ten businesses (51%) have implemented all of the five basic technical controls under Cyber Essentials, comprising: boundary firewalls and internet gateways, secure configurations, user access controls, malware protection, and patch management (applying software updates).”

Minimising vulnerability

A wholesale move to cloud-based services has yet to take place. For many businesses, a hybrid approach is being used with some on-site data storage being supplemented with hosted services.

In this scenario, having flexible cyber security is critical. In addition, research from McAfee concluded: “Managing the risk of storing sensitive data in the cloud means ensuring that the organisation first and foremost has visibility to it, both at rest and in motion. A focus on fundamental governance and technological steps, such as requiring departments and personnel to participate in asset identification, classification, and accountability helps build visibility.”

Personal customer data is certainly not the only cyber vulnerability. Small businesses in particular have embraced the cost savings and efficiency gains that hosted services such as Google Docs, Salesforce, Office 365 and Amazon Web Services offer, and thus security has become important for organisational protection. The use of passwords is becoming increasingly unfit for purpose, with tokenised multifactor authentication becoming more commonplace as businesses realise they must have end-to-end security of their applications and data.

Often, small businesses will use third-party security specialists, rely upon the security that is offered by their cloud storage provider, or even rely upon the security protocols built into the hosted services they are using. Security applications that could be considered by your business include Okta, Qualys, Zscaler and Centrify, to name just a few. Taking advice from independent security advisers before committing to a service should be part of every business’s due diligence.

Your checklist

How an individual business manages its cloud security will depend on its particular use of hosted services and how it has organised the data it is storing. The general advice below can form the framework for your business’s specific application of cloud security.

Audit your security

In order to develop robust cloud security, you must have visibility on how your business currently manages its hosted services and the data they use. Look closely at the structured and unstructured data across your business. Try to understand how this is used and how the cloud interacts with this information. This planning stage is vital to develop a cloud-security approach that is right for your business.

Using standard security

Always ensure that the security you already have is switched on and fully configured. Firewalls on PCs and servers should be active. Check your systems are up to date with the latest versions of these applications. If your business has remote workers, using a Virtual Private Network (VPN) will ensure that when they connect with your business or the cloud, they do so over a secure channel.

Accessing systems

Poor password creation and maintenance continue to be a major issue for all businesses. Educate your staff about what good password management means. Use password generators, and be vigilant about the personal devices your staff may bring to work. Smartphones and tablets that can easily connect to your cloud services need specific security to be set up and maintained.

Authorising access

Who can access which areas of your cloud services should be clearly defined. Permission should be granted only to those people who need this access, which will minimise incidents of accidental data loss and reduce the opportunities for cyber attacks to take place. Review your administrative accounts regularly to ensure they remain relevant to the people who hold them and the access they need.

Defending your business

Protecting your systems from malicious attack requires the use of anti-malware and anti-virus applications. These should be present on all devices that connect to your cloud services to avoid any contagion. The important aspect of these applications is to keep them up to date, as they need to have the latest virus and malware definitions to be able to detect anything present on your network.

Cloud services are a great bonus, and small businesses are reaping the most benefit from them. Ensuring your company uses these services safely requires some common-sense approaches to data security and access, but also diligence with how IT systems are set up, configured and, importantly, maintained, as cloud security is not a “set up once and forget” exercise.