
A year of cybercrime

The end of 2017 is approaching fast, with Festive Season celebrations to look forward to and possibly a break from the humdrum routine of daily work. Before getting into party mode, however, take a moment to reflect on safety and security in the business IT world. This year has been fraught with events involving cybercrime and data breaches. The WannaCry ransomware attack in May, which compromised in excess of 200,000 computers throughout the world, immediately springs to mind. In the UK, NHS systems were infected, meaning that some services operated on an emergency-only basis. Shortly after WannaCry came Petya, more sophisticated and virulent, and also demanding a £200 minimum payment in bitcoin for data decryption. As of September this year, 30,000 global incidents of cyberattack have been reported, including virus infection, phishing, site intrusion and ransomware.

Most cybercrime goes unreported; after all, the media tends to sensationalise incidents that affect large organisations, such as the US pharmaceutical company Merck, which was a victim of Petya. Attacks on small to medium size businesses (SMBs) and individuals seldom make the press, if ever. But SMBs do fall prey to hackers. A local ecommerce operation recently had its cloud servers hacked, resulting in crypto ransomware being installed. The hijackers demanded a two bitcoin ransom. Another story that didn’t hit the news was a London law firm that had its cloud email server hacked. The hacker was able to modify the bank account details on outgoing invoices, and payments were redirected from the firm’s account to the hacker’s. In both cases, the SMBs suffered financial loss caused by security and data breaches.

GDPR in the New Year

If you don’t know already, matters relating to data security are about to become very serious. In May 2018, the General Data Protection Regulation (GDPR) replaces the Data Protection Act (DPA) in the UK. The GDPR will be enforced throughout the EU, and will also impact companies outside the Union that process and store data originating within Europe. The GDPR has well-defined principles relating to data protection, and gives individuals greater control over their information. This is underpinned by the ‘Privacy by Design’ obligation, under which businesses are accountable for data protection for the entire lifecycle of a data processing project. Data encryption and cloud data security are vital if you want to be GDPR compliant. Those opting for non-compliance are likely to end up paying fines in the millions of euros, not to mention the damage to their name and brand reputation as the fallout of a data breach.

In this article, you will explore four actionable steps to assist you with appropriate data encryption and security, and thereby become GDPR compliant and attenuate the risk of a data breach. One step at a time, these are: system level security, access level security, data level security and cloud data backup.

System level security

To ensure that your SMB IT infrastructure is as secure as it can be and to mitigate cyberattack vulnerabilities, you need to fully understand the limits to the security provided by your cloud service provider. Ponder these questions for a moment: 

  • Are all your computers comprehensively patched with current operating system security patches?
  • Do you have established firewalls, and are they effectively implemented?
  • Is your data regularly backed up remotely and is the backup routinely scheduled?
  • Is your cloud provider solely responsible for data storage and security within your IT infrastructure?

Hopefully, you were able to provide a positive response to all but the last question. You see, outsourcing storage and services doesn’t mean that you are not answerable for data security. The initial step to having your data securely protected is to differentiate what you, and what your cloud provider, are responsible for. Failing to understand and act on this could spell disaster for your SMB. 

Vendors of cloud services will typically argue that their systems have an unprecedented level of security compared to those run locally by a system administrator. Which will be more secure: hosting your email on Office 365 or running your own server from a room on your premises? Obviously, going with the Microsoft option will make your data less vulnerable to hacking attempts. If you choose to run your own server, you need to manage all aspects of its security. This includes, but is not limited to, setting up firewall rules, monitoring for intrusion, patching and installing security updates, backing up sensitive data, and even ensuring that you have a 24/7 internet connection.

If you attend a sufficient number of cloud marketing presentations, you’ll eventually have it in your head that ‘the cloud must be safe’, particularly if the sales pitch homed in on your SMB IT needs. However, you should not be complacent when it comes to the cloud provider’s security claims. A good example would be setting up a virtual machine in a public cloud such as Amazon. You cannot automatically take it for granted that the machine is secure and that Amazon is fully responsible for the provision of security and monitoring services. In this instance, you are consuming a platform-as-a-service (PaaS), meaning that you are responsible for everything you put on the platform: data storage, running applications, and even your operating system. Therefore, it is vital that you understand the small print of your service contract and hence where your responsibilities lie.

When using cloud services and storing data in the cloud, you are implicitly granting your provider access to that data. Without question, selected members of the cloud provider’s team will have access to all client data. In essence, this means that you are relying on the security procedures of the provider and their good name to keep your data safe. Too many businesses and government organisations fail to realise that outsourcing storage and services to the cloud reduces one set of risks but increases another. 

A botched data outsourcing contract between the Swedish national transport agency and IBM Sweden in 2015 meant that six of the country’s government agencies suffered major data breaches. The personal details, including medical records, of most Swedish citizens were leaked. Worse still, IT workers in Serbia, Romania and the Czech Republic all had varying levels of access to the data. This breach was the result of erroneous disclosure of personal data and was not caused by hacking. However, neither the Swedish Transport Agency nor IBM assumed liability. The agency had not checked and double-checked its contractual agreement with the cloud provider, and no fingers could be pointed. One wonders how this incident, a clear breach of data sovereignty and a potential risk to Swedish national security, would have gone down under the strict data protection laws to be enforced by the GDPR.

Access level security 

Once you have ascertained the limits of the security provided by your cloud vendor, the next step is to ensure that your access credentials are secure. This means encrypting your data whenever possible and taking local backups of critical cloud data. This may sound like stating the obvious, but recent large-scale data breaches at Accenture, Deloitte, Uber and the Australian Broadcasting Corporation (ABC) highlight the fact that too many organisations fail to have sufficient data security practices in place.

The ABC breach was revealed in November 2017 and it was confirmed that approximately 1,800 daily MySQL database backups were leaked. Along with this, thousands of emails, login credentials, hashed passwords and key details for video content were compromised. All this as a result of an inadequately secured public-facing Amazon Web Services (AWS) S3 bucket. Again, upon whose shoulders does the blame fall – ABC or Amazon? 
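The ABC leak came down to a bucket that anyone on the internet could read. The following is an added example, not code from the original article: it audits an S3 bucket policy document and an ACL grant list for the two ways a bucket is typically made public (a policy statement whose Principal is `*`, and ACL grants to the AllUsers or AuthenticatedUsers groups). The policy and ACL shown are constructed samples, not ABC’s real configuration.

```python
import json

# Constructed sample bucket policy with a public-read statement (hypothetical bucket name).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
        {"Sid": "OpsOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-ops"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"},
    ],
})

# Constructed sample ACL grants in the shape returned by get_bucket_acl.
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# The two predefined S3 groups that mean "everyone" and "any AWS account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_public_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} both grant access to anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy_json: str) -> list:
    """Return (Sid, actions) for every Allow statement open to the public.
    A statement with a Condition block may be narrower; it is still reported for review."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for st in statements:
        if st.get("Effect") == "Allow" and _is_public_principal(st.get("Principal")):
            actions = st.get("Action", [])
            findings.append((st.get("Sid", "<no Sid>"), sorted([actions] if isinstance(actions, str) else actions)))
    return findings

def public_acl_grants(grants: list) -> list:
    """Return the permissions granted to AllUsers / AuthenticatedUsers via the ACL."""
    return [g["Permission"] for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES]
```

Run both checks against every bucket holding backups; a backup bucket should produce an empty list from each.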

Data level security 

As mentioned, the very best you can do to secure your SMB’s critical data is to apply maximum encryption. The latest encryption technologies, when used as intended, will deliver optimum levels of security for your company data. Many IT security experts confirm that the best way for businesses to safeguard their data stored in a cloud infrastructure is to encrypt it themselves.

Data encryption is an effective and relatively basic method that will prevent a security breach from growing into a serious data breach. Encryption should become second nature; it is an excellent cyber-defence strategy. Moreover, encryption is specifically referenced in the GDPR. Article 32 (1) (a) calls for the ‘pseudonymisation and encryption of personal data’ taking into account the purposes of data processing and the costs of implementing encryption.  

How does encryption fit into the overall GDPR data protection regulation? Consider this example: recently, the Australian Red Cross Blood Bank inadvertently leaked the personal details of 550,000 blood donors including their names, addresses and information pertaining to their sexual orientation. The breach resulted from an unencrypted database backup. If the backup had been encrypted, the server misconfiguration would have resulted in a leak of encrypted data. This would not amount to a full data breach. Under the GDPR, an encrypted data leak is unlikely to be a risk to an individual’s rights and freedoms. Unlike a breach of unencrypted data, the reporting of the incident would not be mandatory. 

Encryption is often the least understood component of cybersecurity. Consequently, it is either not implemented, or its mismanaged implementation means that it is ineffective. Encryption is often construed as a specialised IT field, riddled with acronyms and marketing hype. So much so that clients and vendors alike fail to understand the level of security they’re getting when settling on encryption. When people don’t fully comprehend what they are getting, they tend to adopt the ‘tick the box’ mentality: if data encryption is sold as ‘military grade’, then there is no need to question its quality or reliability. This is a logical fallacy reflecting a situation in which buyers are unable to conclude whether they are purchasing real security or merely protection with unverifiable benefit.

Cloud data backup 

Once you’ve rigorously encrypted your data, a final step remains: backup. If you are in the unfortunate position of the cloud containing the only copy of your critical data, then proceed with caution. You run the risk of permanent data loss. You cannot rely solely on your cloud provider for timely backups. Also, are you certain that they are taking backups? 

In 2014, SaaS (Software-as-a-Service) provider Code Spaces, along with all its clients, learned a harsh lesson. Code Spaces offered source code management tools to all its customers. The company was considered to be a ‘port in a storm’ for many businesses, which used it as a data repository. Code Spaces prided itself on providing a robust cloud service that was fully integrated and backed up. Furthermore, they had the added security of being hosted by Amazon AWS.

Then, when the trouble began, it came from all directions. A cybercriminal gained access to the Code Spaces AWS control panel account and chaos ensued. After a rumpus with Code Spaces’ engineers and a failed ransomware attack, the hacker struck a deathly blow. They deleted the entire Code Spaces content on AWS: S3 buckets, EC2 machine instances and all the backups to boot. The permanent data loss without a local backup soon meant the demise of Code Spaces. It didn’t end there. Code Spaces customers who relied only on the provider for backup also faced permanent information loss. You can probably guess that it meant the end for those companies.

What lesson could be learned from the Code Spaces debacle? Simple: you are responsible for your own data. When you delegate that responsibility, you ultimately lose control and suffer the consequences if your provider is hacked or does not commit to data protection and backup obligations. 

Knowing that the onus for data backup is on you, this is easily achieved in one of two ways: cloud-to-cloud backup, or cloud-to-local backup. Cloud-to-cloud has its pluses, since it means your SMB can operate fully in the cloud without running a local IT infrastructure. However, when you consider the security breaches discussed in this article, cloud-to-cloud backup means putting all your eggs in one basket. If hackers compromise access-level security, which they regularly do, you will suffer permanent data loss.

With this in mind, it would seem that cloud-to-local backup would be more secure. You can routinely download all your data and files onto an external hard drive that is securely encrypted. Disconnect the drive, place it in a safe or cabinet, and it will be immune from hacking. Of course, disasters such as fires, floods and theft remain a risk. On the bright side, cloud-to-local is an inexpensive, low-tech data security solution. Believe it or not, it’s better at preventing hacking attempts than the world’s most expensive firewall.
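The Red Cross example above (an unencrypted backup exposed by a server misconfiguration) and the cloud-to-local step described here share one mechanism: encrypt the backup under a key that never leaves the business, and verify the stored copy before trusting it. The following is an added example, not code from the original article. It assumes the `cryptography` package is installed and uses AES-256-GCM, so a leaked copy reveals nothing and a corrupted or tampered copy is refused on restore; the ‘database dump’ is a constructed sample.

```python
import hashlib
import os
from typing import Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed stand-in for a database backup containing personal data.
SAMPLE_BACKUP = b"INSERT INTO donors VALUES ('A. Smith', 'London', 'a.smith@example.test');\n"

def make_key() -> bytes:
    """A 256-bit key. Keep it with the business (offline or in a key store), never beside the backup."""
    return AESGCM.generate_key(bit_length=256)

def encrypt_backup(plaintext: bytes, key: bytes, label: str) -> dict:
    """Encrypt one backup. Only this record (ciphertext, nonce, label, digest) is copied to the cloud or drive."""
    nonce = os.urandom(12)                       # fresh 96-bit nonce for every backup, never reused with a key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, label.encode())  # label is authenticated, not encrypted
    return {
        "label": label,
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "sha256": hashlib.sha256(ciphertext).hexdigest(),  # manifest entry for routine integrity checks
    }

def verify_and_restore(record: dict, key: bytes) -> Optional[bytes]:
    """Return the plaintext if the stored copy is intact and was made with this key, else None."""
    ciphertext = bytes.fromhex(record["ciphertext"])
    if hashlib.sha256(ciphertext).hexdigest() != record["sha256"]:
        return None                              # bit rot or tampering caught by the manifest
    try:
        return AESGCM(key).decrypt(bytes.fromhex(record["nonce"]), ciphertext, record["label"].encode())
    except InvalidTag:
        return None                              # wrong key, or ciphertext/label altered: refuse to restore

def leaks_plaintext(record: dict, needle: bytes) -> bool:
    """What an exposed bucket would hand out: does the stored blob contain the personal data?"""
    return needle in bytes.fromhex(record["ciphertext"])

if __name__ == "__main__":
    k = make_key()
    rec = encrypt_backup(SAMPLE_BACKUP, k, "donors-2017-11-01")
    print("restored ok:", verify_and_restore(rec, k) == SAMPLE_BACKUP)
    print("plaintext visible in stored copy:", leaks_plaintext(rec, b"A. Smith"))
```

Run `verify_and_restore` on a schedule against the drive copy as well as the cloud copy; a backup that has never been restored is an assumption, not a backup.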

How an MSP can help 

You’ve got the message: all personal data retained by your SMB needs to be protected and secure. Also, your SMB will need to be GDPR compliant very soon. So how do you ensure that both of these criteria are met? If you have any doubts, contact your local Managed Service Provider (MSP). Your MSP will have the experience and know-how to advise and support you on all data protection and backup measures. The MSP can also act as a knowledgeable mentor in terms of preparing you for GDPR compliance.

Based on some of the issues that have emerged in this article, here are a few ways that an MSP can help with your data integrity and security. 

MSPs will 

  • set up appropriate firewall rules
  • install security updates and apply patches
  • advise on the best public cloud option for your SMB
  • scrutinise contracts with existing cloud providers
  • apply the latest data encryption technologies
  • advise on whether to use cloud-to-cloud, cloud-to-local, or a mix of both
  • conduct a data protection and security audit
  • educate your staff on all aspects of the GDPR

Conclusion

There is no magic bullet that guarantees data security, even migration to the cloud. While virtualisation and cloud computing are generally safe, SMBs still need to be proactive and take on the responsibility to safeguard their own data. Implementing effective encryption and data backup are two manageable ways that you will gain control over your data, and still delegate some degree of system-level security to your cloud provider. In times of unprecedented occurrences of cybercrime and with GDPR just around the corner, the time is ripe to review your IT infrastructure security practices. Doing so means protecting your SMB from cybercrime and ensuring its growth in the future.
