It’s hard to imagine a corporate world nowadays without the cloud. Now the backbone of many workflows, it has brought greater flexibility for workers, who can access their work from anywhere. Yet what can be easily overlooked is the level of responsibility companies take on when they sign up to these services.
In a way, it’s reasonable to expect cloud services to implement robust security controls – it would be difficult to build up trust if they didn’t – yet the companies using these services have to make sure they have the right security controls in place. While cloud services may uphold their side of the bargain by offering them, companies may end up assuming they’re already in place.
For Dr Vivienne Mee of VM Group, the accelerating move to the cloud over the last few years has meant that, in the rush, this part of the equation is overlooked.
“We see issues with the use of the cloud environment in that they’re not configured properly,” she said. “They are not using proper two-factor authentication or they haven’t enabled the security features on the cloud system [before] realising they’re exposed.”
One area where even larger companies can slip up, said Dr Mee, is that, despite their size, they don’t have the necessary knowledge or understanding of security. In some cases, even if they are aware of security issues, they may end up disabling key components to make sure their production line isn’t hampered.
It’s no surprise that breaches have occurred because of this. Combine that with an over-reliance on technology to paper over the cracks and you have a recipe for disaster. Dr Mee recommends thinking about cybersecurity the same way as you would physical security. “You’d be surprised,” she said. “I do believe that people may be aware that they should have it, but may not implement it, which is shocking. If it were your house, you would put a lock on the front door. Although that’s a simplified analogy, I do believe that organisations make decisions on a whim and think they’ll be fine and that a firewall should be okay, but they don’t realise that maybe their firewall hasn’t been configured properly.
“Therefore by not putting an antivirus on a server, or the firewall not being configured, they’re completely exposed. [They’re] relying on technology that they have put in place not realising that it may not be configured properly, adding to the risks and exposures to the organisation.”
It’s very much a case of organisations missing the simple measures that can vastly improve their security posture. For example, if you’re using Office 365, two-factor authentication is there automatically. It’s just a matter of enabling it as soon as you can.
The other area of contention is getting employees on board. In general, people can be resistant to change and if they don’t know why a change is taking place, then it’s hard to get them on board. If they think they’re being snooped on, or not being trusted, they can treat positive actions towards cybersecurity as a negative.
One major trend that Dr Mee is seeing is governance controls, with organisations creating whole new sections of their governance structure dedicated to security. Part of that is regular checks, driven by an understanding that controls can be circumvented or bypassed over time.
An easy trap to fall into is putting the controls in place and then never looking at them again. Avoiding that is something VM Group actively encourages its clients to do.
“We would encourage all our clients to check the controls that they have in place and make sure they’re still valid,” said Dr Mee. “Because lots of places will have controls just to tick a box, there’s an audit coming and they put in a lot of policies, procedures and controls, but in the day-to-day world, they don’t follow any of it.
“They should have realistic controls because if they’re practical and they work, it shouldn’t be a massive overhead. Whereas if you go in and say these are new controls and it means everyone has to work in a different way... those controls are going to be circumvented straight away. It should be that you go in and look at what existing controls are there, and then maybe enhance them rather than trying to put in a clean new bill of controls.”
Since it rebranded more than two years ago, VM Group has greatly expanded its services to reflect this new reality. Before, its work was mainly forensics, but as the security requirements companies now have to meet have expanded, so too has VM Group. Client companies usually have gaps in their security function which VM Group can now fill, such as a chief information officer as a service, regular audits and reviews, or simply checks to make sure they’re on the right track. It’s a way to offer companies the benefits of having someone full time without having to hire someone specifically.
“What we’re finding in the last 12 months is that organisations may realise they do need a security function, but they don’t know where it’s supposed to lie,” said Dr Mee. “They probably do figure out it should be sitting here, but there’s not enough work for a full-time person or the resources to put someone in full time.
“They would call on the likes of us to come in and do that function for them, for example, there may have been audits – we would go in and do audits for them, pre-audits or sit with them on the board, look at the risks and maybe do even light-touch security throughout the year. It means they’re not left with somebody saying: ‘I’ve all your security policies written, I’ve all the audits done, everything’s fine’, and then for the rest of the year they don’t have much to do, so it does suit organisations that way.”