Cloud cover

Written by: Alexander Garrett Posted: 25/01/2021

The benefits of using the cloud to host your business’s data and information are well established, but there are plenty of steps that firms should take to ensure a smooth transition to the cloud – and that their data remains safe once there.

Threats to our data and personal information can sometimes feel like something that only concerns other people – something we hear about on the news occasionally or from a friend of a friend at a dinner party.

But anyone doubting the risk to their data from malicious cyber attackers in the Channel Islands received a stark warning on 25 November, when the States of Guernsey announced it had been targeted by “a sophisticated and potentially serious cyber-attack”. 

The ‘phishing’ attack, said the States, “sought to overwhelm government email systems and prevent the States from being able to use email. It temporarily blocked emails from gov.gg accounts to Microsoft and Yahoo email accounts” in an attempted denial of service. 

Fortunately, the matter was resolved in less than 48 hours, with email back up and running and no loss of data. 

Protecting against such attacks has become one of the highest priorities for businesses and organisations of every size. The ongoing migration of many IT services to the cloud, as well as cloud-based data storage, heightens that focus – and poses new questions too.

In the early days of the cloud, the idea of storing your data on a remote server was seen by many as a security risk. 

But for most organisations, that’s no longer the case, says James Kelsh, Senior Information Security Consultant at Resolution IT in Guernsey.

“It shouldn’t be a barrier at all. When you move to the cloud, you are simply transferring your security risk from in-house to a third party. It just means you have to make your own cloud assessments and decide you are able to secure your data as you would if it was sitting behind your own firewall.”

The right mix

The cloud does pose some issues for businesses. “You can access your data all over the world 24/7, 365 days a year. But that means malicious actors can too,” says Kelsh. “So you have to make absolutely sure that only the right people get access.”

On the plus side, however, cloud providers will cover a significant part of your security needs, which will typically include regular maintenance – such as security patches and software updates – carried out automatically.

“For companies whose in-house capability has limited experience, time and budget, it does make good sense to go to a provider such as Amazon, Microsoft or Google, for whom the latest security is all part of the service,” adds Richard Field, Partner at law firm Appleby, who specialises in data protection and is a member of the Digital Guernsey panel. 

Caroline Honeycombe, a Jersey-based Manager in Deloitte’s Cyber Risk Services practice, adds: “Some of the big cloud providers have security features that can also cover small businesses that are in a hybrid state – with some of their services and data still on-premise alongside those on the cloud. 

“By utilising some of these security features, you’ve now got coverage over your on-premise infrastructure that you may not previously have had. You may not have had visibility of risks, and now, by going on the cloud, you can take advantage of having that.”

But businesses can seldom afford to hand over all their security to their cloud provider. For one thing, local knowledge of your system architecture can be vital to mitigating risks such as mis-configuration. 

Honeycombe explains: “A classic example of mis-configuration is where you have a server for something internal that is actually touching the internet but you didn’t realise it. An attacker could gain access through a particular port, so it’s vital you have the correct logging and vigilance to detect that threat.”

The right provider

Companies also need to properly assess their cloud providers, and to consider what data or systems they are prepared to assign to the cloud. 

Field says: “We had a client recently who was hosting everything on their own servers and then chose to store elements of their datasets in the cloud. 

“They chose to have a test run of some anodyne data, not current and not special category. They’ll now see how that works, and if that goes well they’ll move other data in due course.”

Inadequate security leaves firms vulnerable to multiple risks. Data loss, data theft and denial of service are just three. A more recent development is ‘cryptojacking’, where your server and processing power are taken over to mine for bitcoin. 

The form of the actual attack is most commonly a ‘phishing’ email sent to glean one user’s login information, after which their account can be hijacked. 

“Any large-scale incident has usually stemmed from a phishing attack,” continues Honeycombe. “What’s probably happened is that a user has clicked on the malicious link and given away their username and password, which the attacker can use to log in to the account, or they have clicked on a malicious link and downloaded malware.” 

With either method, she explains, malware is uploaded that can laterally move around in the system, escalate privileges and go from being a ‘user’ within the system all the way up to being an administrator. It can go from infecting one user’s laptop to infecting entire servers.

These attacks often start by targeting the most commonly used cloud-based software, such as Office 365, and the onus is firmly on the user to prevent them happening. 

The first line of defence, says Field, should be encryption. “If you are putting data into the cloud, our standard view is to tell people to encrypt it,” he says. “There’s always that risk when it’s in transit that somebody might somehow tap into it. And if someone does gain access then it’s effectively unreadable.” 

Access controls are arguably even more important: removing weak passwords and enabling two-factor authentication as standard. But even two-factor authentication isn’t 100% safe, says Kelsh. “If you are using weak secondary factors, such as an SMS message, you need to be looking at introducing third-factor authentication opportunities, such as biometrics,” he says. 

“You start with a password, something you know; then add a phone as the secondary factor, which is something you own. The third factor is something you are: your retina scan or your fingerprints.”

Training for security

End-user training is another key element to moving to the cloud: training people not to click on potentially malicious links, and to think twice before opening external emails, for example. 

And then there’s detecting threats before they occur. “Security monitoring needs to be proactive rather than reactive,” says Honeycombe. “A lot of the time we see businesses in a more reactive state. Those are the ones that then get hit by cyber-attacks.”

A range of tools are available to help businesses take a more proactive approach to detecting threats and responding to them – security information and event management (SIEM); security orchestration, automation and response (SOAR); and managed detection and response (MDR).

The latest endpoint detection and response tools can even spot patterns of suspicious behaviour rather than just already identified viruses or malware – and help mitigate the threat that way.

Data residency is one issue that may have stymied complete adoption of the cloud in the Channel Islands.

For professional firms – especially those that are regulated – there has often been a desire to keep data close at hand, within the islands, to ensure it can’t be accessed by overseas regulators, for example. But that is now a largely defunct viewpoint, says Richard Field.

“The attitude that if we put our data in the Channel Islands, then nobody will be able to get hold of it, is not only wrong but an outdated mindset. 

“The islands have long been transparent in terms of law-enforcement and regulatory authorities – our local FIS and regulators are used to responding to requests from foreign law enforcement or similar agencies. If they approach through the proper channels, with the correct paperwork, they will get hold of that information anyway.”

Regulators are increasingly endorsing the cloud – even using it themselves. What they do require, however, is thorough risk assessments to be carried out before you migrate your data, as with adopting any piece of new technology. 

With its manifold benefits, few doubt that the cloud will continue its onward march and, for many businesses, become the normal way of hosting much of their data and systems architecture. 

By the same token, nobody expects the security threat, or the level of ingenuity displayed by cyber attackers, to do anything other than grow.

What’s clear is that, for those willing to move into the cloud, having a comprehensive and well-defined cyber security strategy will be essential. 

This feature was first published in the Digital Edition of Businesslife in December 2020

