Cloud Security: Challenge Your Assumptions

Recent UK Government statistics found that nearly half of all UK businesses suffered a cyber breach or attack in the past 12 months. Firms holding personal data and processing money are the top targets. The average cost to the business was £3,000 for medium businesses and £19,000 for larger ones, and the most common attacks were fraudulent emails, followed by viruses and malware.

Seven in ten large businesses identified a breach

The survey also revealed that nearly seven in ten large businesses identified a breach or attack, with the average cost to large businesses of all breaches over the period being £20,000 and in some cases reaching millions.

Medium and large companies tend to be better prepared to deal with cyber security than smaller enterprises (although this is not always the case); however, there are still areas of confusion and complacency.

The area I want to focus on in this post is cloud security, as many modern businesses no longer manage their own physical server infrastructure, instead opting for cloud services.

Who is responsible for cloud security?

Many assume that their cloud provider – such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud – is responsible for their security. This assumption is wrong. The provider simply supplies the IT infrastructure; what it secures for you depends on whether the service is managed or unmanaged, and one has to distinguish between the two.

Yes, AWS is responsible for the global security of the entire cloud infrastructure, but they make it very clear that their clients are still individually responsible for securing their own data. So what does this mean?

Often, IT teams incorrectly assume that because a trusted third party is in charge of their infrastructure, that vendor will also manage security. Just as small businesses assume their web developer is on top of security, large businesses often assume that the public cloud is secure and that this security is managed by their vendor.

Of the cloud and in the cloud

In general, the underlying cloud platform itself is very secure. However – AWS clearly states that it will address “security OF the cloud” – compute, storage, database, networking, and global infrastructure. Amazon is responsible for the physical security of its data centres and for the host servers running the hypervisors, but it is not responsible for your network or your own server instances.

The customer, however, is 100% responsible for “security IN the cloud”: data, applications, identity and access management, the guest operating system, network and firewall configuration, network traffic, server-side encryption, and client-side data.

This is an important distinction – think of it as a property management company being responsible for the common areas of an apartment development, while the individual owners are responsible for locking their own doors and windows and for deciding to whom they give keys or access to their homes.

Spotting vulnerabilities

We recently did an assessment of the digital assets of an international law firm. At first pass, the firm appeared to have a clean bill of health – they used AWS, their servers were in the US, and the website was secure.

On further analysis, we discovered a major vulnerability. Their site was hosted on a shared server operated by their web designer. Even though the site itself was fairly well secured, the shared server underneath it could have been compromised, allowing the website to be taken down by attacking the host rather than the site itself. The situation arose from incorrect assumptions about whose responsibility it was to secure the site.

Concrete suggestions for larger organisations

  1. Make sure you know who is responsible for your security in the cloud. Challenge your assumptions and don’t be hesitant to ask seemingly stupid questions!
  2. During system/server provisioning and setup, apply at least the basics of hardening in your environment. Keep your system patched and up to date.
  3. As Bruce Schneier, security expert, notes “the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.”
  4. Remove unused services from your server and restrict access to those services where there is no need for a public interface (essentially anything other than HTTP(S)).
  5. Always grant the minimum required privileges to your users and employees. Know what your ‘Data Crown Jewels’ are – any access to sensitive data should be tightly controlled. This sensitive data should only be accessible to employees who absolutely need it as part of their job, at the time they need it.
  6. Install, maintain and update antivirus, anti-malware and firewall software for desktop and mobile.
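As an added example for points 2 and 4 above (this is not code from the original post), the following Python flags AWS security group rules that expose anything other than HTTP(S) to the whole internet. Rule dicts follow the IpPermissions shape returned by the EC2 DescribeSecurityGroups API; the sample groups are constructed, so it runs offline.

```python
# Added example (not from the original post): flag EC2 security group rules that
# expose anything other than HTTP/HTTPS to the whole internet. Rule dicts follow
# the IpPermissions shape of the AWS EC2 DescribeSecurityGroups API; samples are constructed.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}    # "anyone on the internet"
ALLOWED_PUBLIC_PORTS = {80, 443}        # the only ports a web host should expose publicly

def rule_ports(perm):
    """Ports a rule covers as a set, or None when it covers all ports."""
    if perm.get("IpProtocol") == "-1":  # -1 means all protocols and all ports
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1:
        return None
    return set(range(lo, hi + 1))

def rule_is_world_open(perm):
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)

def find_exposed_services(groups):
    """Return (group_id, description) for each world-open rule beyond ports 80/443."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue                # limited to a known range: acceptable
            ports = rule_ports(perm)
            if ports is None:
                findings.append((group["GroupId"], "all ports and protocols open to the world"))
                continue
            exposed = sorted(ports - ALLOWED_PUBLIC_PORTS)
            if exposed:
                desc = f"{perm['IpProtocol']} port(s) {exposed[0]}-{exposed[-1]} open to the world"
                findings.append((group["GroupId"], desc))
    return findings
# Constructed sample: a web tier done right, a database exposed, and a legacy "allow all".
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
for group_id, problem in find_exposed_services(SAMPLE_GROUPS):
    print(f"{group_id}: {problem}")
```

In a real account the same functions can be fed the output of boto3's `describe_security_groups`, which returns groups in this shape.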

This may be too much for your own IT team to handle, so consider booking a security health check with a reputable provider. There are great resources put together by the UK National Cyber Security Centre and the Cyber Essentials Programme.
