Cyber Security: Take the safe route into the cloud

Before companies move to the cloud, they must make sure that they are starting from a safe environment, but too many are leaving it far too late to take action to protect themselves.

How well do you know your business? You might know what your processes are, your sales funnel, marketing strategy and perhaps a strategy for customer service.

When it comes to data privacy and security, though, things often start to get a bit murky. Most of the time, businesses will choose products first and then think about security and privacy later.

It’s a big problem, specifically as companies move into the cloud, and something Seamus Flynn, the business development director at CWSI, which specialises in device security and mobility management services, has noticed in the industry. “What we’re finding is a huge number of companies are going to the cloud and they haven’t secured their environments,” said Flynn.

A major contributor to the problem is the fact that many businesses just assume they’re covered and fail to view their plans through the lens of cybersecurity.

There are ways to get the benefits from productivity tools while maintaining good cybersecurity practices, but the time to do that, says Flynn, is before you start designing the activity tools. As CWSI specialises in crafting strategies and processes for businesses instead of selling a particular product, the best way to tackle security is to have the firm in at the beginning of the process.

One pitfall companies can fall into is bringing in security specialists after the process is finished, making things harder as a result. If you know beforehand the exact role a provider is fulfilling, such as moving you to the cloud, then you have the leeway to bring in another, in tandem, to help secure your cloud environment. “It’s just acknowledging in the industry that some IT vendors specialise in producing productivity tools and taking people to the cloud, but then other people specialise in securing those environments,” said Flynn.

In assessing how businesses arrived at this point, it’s worth looking at how much technology has changed the workplace itself.

Changing landscape

Many years ago, in an office environment, you had your office PC and other relevant devices there and everything was connected up locally.

Nowadays your smartphone doubles as your work device, laptops and tablets are commonplace and cloud infrastructure means you can access important services, files and data anywhere. This has changed the dynamic of how we work and, while the core principles of good security practices haven’t changed, how they are achieved has.

The changing landscape is something Paul Conaty, principal consultant at CWSI, has observed over his many years working in the IT infrastructure and security space.

“If you look back over the past 15 or 20 years in the IT world, how you protect your organisation hasn’t changed significantly in that timeline,” he said. “You build your PC, you build the network, you put your antivirus on, you build firewalls and you go for this walled-garden, crunchy-on-the-outside, soft-on-the-inside approach.

“In the last couple of years, with the advent of cloud and mobile, that has started to look more precarious . . . you have teams of people working off their own devices, who are out and about all the time.”

Much of the change in mindset comes from the expectations newer generations have of work. Many students entering the workforce now will have greater expectations of the type of technologies and software they have access to.

This does create a dynamic that most companies have trouble dealing with, as the greater resources needed to mitigate threats and risks are really only available to larger corporations. Smaller ones will have greater difficulty carrying out many of the security tasks on their own, especially as people now operate on an understanding that they can access files and services anywhere.

For Colm Warner, mobile technology consultant with CWSI, it’s a long way from the old days where someone gave you a computer with antivirus and you connected to the internet via proxy. “If you hack my laptop, you can understand my business life between now and the next time I close the lid. If you hack my phone, you have my business and personal life until the next time I get on a plane,” he said. “Those are very different things.

“The data that is carried is far more leverage-able; it allows you to get into more advanced phishing [actions], more advanced identity theft and can be then used to piggyback back in that corporate information even if it doesn’t reside on that phone. Our solutions enable companies to be protected from this ever-present and growing wave of attack vectors.”

The other area of concern is how most people will take the path of least resistance. Most employees will be time poor and will use products and services that help them complete their tasks quicker, even if it means ignoring or bypassing official products used by the company.

This is known as “shadow IT” and, while it sounds malicious, it is often simply a question of an employee trying to get a task done, and the security implications of using free software, or bypassing old safeguards, don’t register. Instead of using a work collaboration tool, they might use WhatsApp or they might create multiple Office 365 accounts so they have extra cloud storage to play around with.

“The best thing companies can do in those . . . [cases] is give the users what they want in a controlled manner, otherwise they’ll find it themselves anyway,” said Warner.

“There will always be malicious users, lazy users, incompetent users, but what we’re trying to do is make the path of least resistance the one where the security is.”

To give one example of how they do this, when they’re securing phones, CWSI moves people towards a zero-password system, where all their security is done by certificate exchanges in the background.

The reason for that is the sheer number of accounts that people have access to at any one time. When you have accounts for multiple services, you’re going to take short-cuts by using basic passwords, using the same password across all platforms, or just forgetting them entirely.

As Warner mentions, this can mean a loss in productivity whereas if you underpin all your apps and services with certificates, biometrics and other secure methods, it maintains good security practices while letting employees get on with their work.

Quick wins

While it can initially seem like an impossible task, there are ways to quickly improve your security posture.

On their own, these strategies might not seem like much but working together they can be greater than the sum of their parts.

A danger is to focus mostly on the technical and neglect the processes, training and awareness side of things.

That is a bad idea, says Flynn, as the majority of times employees take shortcuts it’s because they want to get the work done and the tools you are giving them aren’t meeting their needs.

“It’s not someone trying to be malicious, it’s someone who has a deadline . . . and the tools you’ve given them are not working,” he said. “So they’re using something else. They do this because they have to do their job.”

As mentioned before, small wins can really bring your security posture forward, and one great example of that is multi-factor authentication.

Ensuring your devices require both a password and a randomly-generated code from your phone – usually supplied via a specialised app – can add an extra layer of security to your devices with little effort.

Whether you’re a five-person or a 5,000-person company, making your employees aware and putting these small pieces in place can help, adding up over time. For that to happen, there must be conversations about security, which can be hard for the smaller companies out there.

“It’s having the conversation and making them aware of small wins,” said Flynn.

“The difference is a 5,000-person company is aware, and they have a dedicated IT person [who] understands cyber-awareness training. The 50-person company is more strained.”

A growing body of research shows that companies of all sizes are aware of the risks but unfortunately tend to act on them far too late.

“Not everything has to be done today but the small wins can get them on the right path,” said Flynn. “They can see that it’s something they can get a handle on and be responsible for.”

In many cases, companies already have security solutions built into their products, but many aren’t activated since the company either isn’t aware of them or just doesn’t know how to turn them on in the first place.

“Imagine [you had a] car. If someone came in and said ‘by the way, there’s a free quarterly service with that car you’re paying for’, you’d definitely take that up.

“It’s like that here. We talk to them about what they’re trying to achieve but sometimes we’re turning on what they’re already paying for, which is a huge win for these companies.”

The important thing is that those at board level and in positions of authority start asking the necessary questions. Flynn mentions that for CWSI, it’s about making companies aware of the security measures they take as well as how they deploy and go to the cloud in a secure way.

Since CWSI is agnostic, it’s not looking to push solutions but to sit down and talk about where the company wants to go.

For its part, CWSI keeps up with cutting-edge developments and continues upskilling to meet the new demands security brings so that when it starts talking to a company, it can make it aware of how these solutions and specialities fit into its overall plans.

At the very least, all companies can take small steps that will greatly improve their security posture.

The best way to approach it, say CWSI, is to acknowledge that all companies are technology companies now. Everyone has a presence online, and the presence is on the move thanks to how mobile devices are being used in the workplace. Thinking about how to secure that presence is part and parcel of this reality.