All silver linings? Why you should question the security of the Cloud

Posted on: March 22nd, 2019 by Dr Karnig Derderian

A compromised DropBox employee password led to a small number of user email addresses being spammed back in 2012. Two years ago, Apple’s iCloud came under similar fire after criminals stole private photos from celebrities’ devices.

Both were not an instance of breaching ‘the Cloud’ – they were more a case of users getting their passwords compromised through successful phishing attacks – but it’s fair to say that public confidence in the cloud was dented. So, what are the risks, how can you mitigate them, and – perhaps more importantly – how does cloud storage stand up to your compliance requirements?

The silver linings

Most cloud storage providers now include two-step verification by text message or time-based one-time password apps. Permissions have also been tightened across the board, meaning that employees at each provider have less access to actual stored data. Typically, a small number of authorised employees can only access stored files if required to for legal reasons.

The truth is, cloud services aren’t as insecure as you might think. Services like DropBox, iCloud, Google Drive and OneDrive have both the motivation and the resources to make stored data much more secure than the average business could on their own servers.

The not-so-silver linings

It’s worth acknowledging that your staff are responsible for the security of your data – wherever it’s stored. The majority of cloud ‘breaches’ come from phishing attacks, which are the result of generally lax security awareness, poor password practices and not using two-factor authentication.

Then there’s your compliance requirements. If you’re a regulated business, your regulator may impose certain rules on how you handle, store and secure data. For example, the FCA considers using cloud services as a form of ‘outsourcing’, which carries its own regulatory requirements. Along assessing the risks, the FCA recommends that firms ‘consider what action [they] would take if the outsource provider failed’.

When it comes to disaster recovery, regulators often impose stringent rules on how long businesses should store data. FCA-regulated firms must keep files for at least seven years. DropBox, by contrast, keeps a cache for just 120 days, leaving financial firms at real risk. We’re not just talking about financial services. Engineering firms must keep their designs and plans on file for at least 15 years to cover any professional indemnity claims that might arise. All the major cloud storage providers fall far short. That’s where it pays to use an independent backup service – providing an extra layer of resilience.

What you can do now to make your cloud storage more secure

1. Invest in a third-party backup service as part of your business continuity plan. We work with Veeam, which provides secure data backups for data held through Amazon Web Services (including apps like Xero), Azure (including Office365) and IBM Cloud.

2. Enable two-factor authentication wherever possible. By creating a second line of login defence, it could prevent phishing attacks that could inadvertently come through your staff.

3. Talk to your team. As part of your data recovery plan, you should have clear policies and procedures for handling and storing data. Make sure your staff really understand them, and implement simple security features like regularly updating passwords. We can help you to do this as part of our IT managed services.

Talk to the experts. We’re Neos-IT, specialising in helping regulated City firms manage risk and reduce complexity. Contact us to hear how we can improve your resilience.