By Christian Lappin, Senior Sales Engineer, TierPoint
Earlier this week, TierPoint in Marlborough, MA hosted a cloud and security event with CAI Managed IT, one of our business partners. I gave a talk about cloud security myths and Frank Motta of CAI provided tips for managing security inside your organization.
I echo Larry Port, of Law Technology Today, who wrote this month that arguably “we’re at the point where cloud providers have the upper hand when it comes to providing secure storage for your critical information.”
The biggest myth is that information in the cloud is less secure than data on premise. I can understand why some people might think that way, but cloud providers often have two distinct advantages: purpose-built facilities designed with security in mind and more dedicated and trained security professionals.
Much like taking your taxes to an accountant, cloud and security specialization matters when evaluating services. When it comes to security, you need to get it right the first time. Every time.
Weak security policies are as big a threat as weak security technology. The Online Trust Alliance (OTA) found that “40 percent [of 1,000+ data breaches] were the result of external intrusions, while 29 percent were caused by employees—accidentally or maliciously—due to a lack of internal controls.”
With the shortage of security pros worsening, it is not a surprise that “90 percent of data breaches in first half of 2014 could have been easily prevented.” Granted, I am a little biased on this one, but I have to believe that a much higher percentage of those breaches stemmed from an on-premise breach/exploit rather than an attack or intrusion that originated from the cloud. Many data breaches today are often not known or discovered for months which can make the potential for damage worse and make cleanup much more difficult. As bad as breaches can be, denial of service (DoS) or distributed denial of service (DDoS) attacks are consistently on the top of most threat matrices because of the near instant impact on transactions and revenue.
Cloud providers and managed service providers have to do a much better job with employee education. Frank touched on this subject in his portion of the presentation. This is incredibly important because ultimately data, for most organizations, will reside in a hybrid cloud and on-premise solution. One of my recommendations to make sure you get the right cloud solution with your environment is to have prospective cloud providers complete the Cloud Security Alliance Consensus Initiative Questionnaire before you sign a contract.
Frank spoke of the increasing security threats to SMBs. Hackers are no longer just going after the big fish. New tools can automate attacks that can catch many companies at once. He cited Symantec research that found that cyberattacks on small businesses have skyrocketed by 72% in the past 18 months and that one-third of all cyberattacks now target SMBs.
He also shared best practices for email policies, computer and Internet usage. One of the things I found most interesting about his comments is that it is now fairly easy it is to test employees if they are complying with company security policies. As an example, he can put an algorithm on a USB device and leave it in a conspicuous place. If a client’s employee picks it up and uses it, he’ll know. He advises people to not use USB memory devices that they find on the street or if they do not know the device’s origin because a hacker can put malware on it.