Cloud storage offers convenient access to data, but the confidentiality risks should be considered at all times. In the unfortunate event of a data breach, businesses must be able to show that they had substantial Information Security measures in place to prevent it; otherwise they could face prosecution and hefty fines.
Figures from the Information Commissioner’s Office (ICO) show that monetary penalties for breaching the Data Protection Act (2018) or the General Data Protection Regulation (GDPR) are only going up. The total fines issued by the ICO since 2014 are:
2018 – £6,339,000
2017 – £3,977,500
2016 – £3,059,000
2015 – £2,216,250
2014 – £1,152,500
When we talk about Information Security, we are referring to the requirements for confidentiality, integrity and availability of your Information Security assets.
Dale Rollinson, Consultant at QMS International
Here are five tips to tighten your cloud security, starting immediately:
1. Use better passwords
Computer systems are usually secure. It’s often human behaviour that carries the greatest IT risk. Allowing employees to share logins or use basic, commonplace passwords weakens one of your key defences against hackers, or against thieves who have stolen your computer equipment. It is vital that your IT department has a password policy, which is regularly checked, to ensure users update their passwords periodically and do not use shared or generic passwords.
In situations where users have to remember many passwords for different systems, it is often beneficial to use a password management system such as 1Password or KeePass. Password managers store login credentials in encrypted files, which can then be accessed as needed. Such systems also give your IT administrators the ability to enforce password policies such as regular changes and unique strings of characters.
2. Archive your data
Many companies assume that their data is safe, simply because it is being backed up. However, this does not protect valuable information from user errors, such as overwriting or deleting files.
The industry often focuses on the problem of technical IT storage failures, but 63% of all data losses are actually caused by human error, with a further 15% attributable to situations where the user either failed to own up to their mistake or was simply unaware of it. Such mistakes can cost companies huge amounts of money. In 2010, Zurich Insurance were fined £2.27m by the FSA for losing the personal details of 46,000 customers.
If data is a valuable part of your business, then an archiving solution will help you to recover from these simple failures. Technical solutions like Crashplan and Backupify can be configured to store your files incrementally, giving you the facility to call up previous versions of files and limiting your losses to at most a few hours’ work.
3. Choose your cloud carefully
It is often presumed that providers of large data warehouses such as Google Drive and Dropbox are delivering a solid and secure service. However, cloud storage provided for free is often more exposed to attack from malicious parties, with stronger protection only being granted to paid accounts. If you cannot confirm that these protections are in place, it is advisable to add a further layer of encryption of your own to the valuable files you store in the cloud. This client-side encryption helps protect your customers from identity theft and your own records from corporate espionage.
Choose between encryption software, such as SmartCryptor, which lets you selectively protect files according to your own criteria, and security-focused storage such as Tresorit or SpiderOak, which has been designed with security as a priority.
It’s important to consider your choice of cloud provider very carefully to ensure that they are capable of meeting your needs and the findings of your risk assessment. For example, can the provider prove that information is not being stored outside of the EU? Do your data retention policies correspond with theirs? Are there any Information Security aspects of industry-specific standards you need to comply with?
Dale Rollinson, Consultant at QMS International
4. Implement multi-factor authentication
In most companies, access to valuable data can be restricted to a select number of devices, including staff laptops, tablets, office PCs and phones. Any device or remote location that requests information from your systems can be flagged and manually investigated to ascertain its nature. However, checking all requests can be a laborious task, especially if employees need to communicate with the company across different time zones.
Multi-factor authentication requires users to provide additional credentials when logging into company systems. This usually takes the form of a passcode that is sent to a secondary device when the login comes from a remote or unrecognised location. One of the most common forms is a numeric code sent to a mobile phone, which the user then enters on the computer making the access request. Enabling such security measures not only gives you a more secure system, but also saves valuable resources otherwise spent verifying connections.
Larger businesses may consider other multi-factor authentication methods, including hardware keys/dongles such as those provided by Yubico or Google, and complete identity management platforms such as those offered by Ping Identity or ForgeRock.
5. Create a master system administrator account
If you have many users accessing cloud-based systems, this can create problems when staff leave, taking valuable files and customer information with them. In order to maintain control over your data, it is essential to have a master admin account that manages the permissions and credentials for all other accounts on the system.
Such an account can be used to instantly remove user access and protect your cloud-based data. For instance, if you know a staff member is going to be removed via a disciplinary procedure, their permissions can be immediately terminated.
Need assistance in keeping cloud data secure?
If you’re using cloud storage and backups, or are looking for new ways to protect information assets but have not thought about a consistent security policy, then ISO 27001 could help. This standard assists in the identification of information risks and puts in place the appropriate controls to help manage and reduce those risks. ISO 27001 is also recognised worldwide, giving customers and stakeholders confidence that you are keeping your customer and business data safe.
Originally published on Thu, September 22nd 2017