New England Biz Law Update
According to technology company AAG, in 2015 30% of corporate data was stored in the cloud — the vast network of software and services that run on the Internet. In 2022 that number had doubled to 60% and is expected to continue to increase. By 2025, it’s believed the cloud will hold 200 zettabytes of data from all over the world.
“Ten years ago, everyone was terrified of the cloud,” said Reg Harnish, the CEO of OrbitalFire, a leading cybersecurity services provider specifically for small businesses. “Today we’re surprised if we see a customer who is not at least partially in the cloud.”
With the growth of cloud computing, we asked Harnish and other cybersecurity professionals to weigh in on how businesses can make sure their cloud setups are secure.
Harnish cautioned business owners not to make assumptions about the cloud and to understand that “the cloud is neither more nor less secure,” than traditional ways to store and access data, like a laptop or a server in one’s office.
If your business is entirely in the cloud, most of your controls and cybersecurity will move to contracts, Harnish said, which means you need to do due diligence to choose a third-party provider that is experienced, reliable, and has strong security and risk management in place.
“Remember that while you can outsource security, you can’t outsource accountability,” Harnish said.
Annette Warren is president of iSECURE a cybersecurity-focused company that utilizes intelligence, process, and experience to secure creative solutions for clients.
When it comes to cybersecurity Warren, who has worked in the technology industry for 25 years, stresses that a business’s size should not dictate security risk; bad actors are looking for easy targets despite company size or industry.
“Threat actors have become more sophisticated,” Warren said. “They are using more sophisticated tools and are much more targeted especially with phishing. It’s not a matter if a company needs a cybersecurity program, it’s how you are maturing it. Part of that maturing process is educating your users and nurturing a culture that values cybersecurity.”
When it comes to cybersecurity specifically related to the cloud, Warren says cloud assessments are an important factor in evaluating risk and that there are unique issues with cloud services versus on-premises.
“We find that there is a perception that if services are in the cloud that they are secure,” Warren said. “It’s important that a client understands that cloud providers offer security to a point.”
Third-party firms can help businesses strengthen and evaluate their cloud security in part by, “offering another set of eyes to determine where the gaps exist and to help address the areas of improvement,” Warren said.
Ben Wilcox is the CTO of ProArch, a global team of multidisciplinary experts in cloud, infrastructure, data analytics, cybersecurity, compliance, and software development. He says that nearly 100% of his clients also use the cloud to some degree to operate their business.
“One of the beauties of the cloud is that you can get to it anywhere,” said Wilcox, about what makes the cloud appealing to businesses. He also noted that the cloud allows some businesses to operate in a more cost-efficient manner because they can eliminate physical requirements like a brick-and-mortar office.
When it comes to securing your information within the cloud, “Security with cloud providers is a shared responsibility,” Wilcox said. “Choosing a reputable cloud provider and doing your due diligence is important.”
The most popular U.S. headquartered cloud providers used by businesses today are Amazon Web Services (the largest — with 34% of the market share per Technology Magazine), Microsoft Azure, Google Cloud Platform, Oracle Cloud, Salesforce, and IBM Cloud.
Wilcox notes that many of these bigger cloud providers have ways you can see how your security measures up via a security score. He recommends going through the security score process at least quarterly to make sure you are optimizing your security.
He also reminds businesses that cloud platforms are protected by user identity, so strong identity and access management tools must be in use, such as multi-factor authorization. He also recommends that privileged accounts (like administrators) be limited as much as possible and that information be encrypted when it’s at rest and being transmitted.
Maneesh Thammishettii is a consulting systems engineer with CyFlare, a computer and network security firm. He also recommends using encryption and strong authentication methods, such as unique passwords, to prevent unauthorized access to your business’s data in the cloud, as well as implementing access controls to restrict access to sensitive data.
Thammishettii also advocates choosing a reputable cloud service prover with security certifications, providing continuous security awareness training to employees to identify and prevent attacks such as phishing, and conducting regular security assessments and audits of your cloud setups.
Other tips from Thammishettii:
- Set up firewalls, web application firewalls, or zero-trust solutions to control and limit access.
- Keep software up to date with the latest security patches.
- Use antivirus and antimalware software.
- Set up regular backups for data recovery.
- Have a disaster recovery plan and test the plan at least once per year.
- Monitor cloud services for unusual activity.
