As the digital landscape advances, cloud computing has become integral to modern business operations. 

According to an International Data Corporation (IDC) report, global cloud infrastructure spending is projected to reach $118 billion by 2025. However, the expanding adoption of cloud services also brings heightened risks, including data breaches and cyber-attacks. 

Thales’ Global Cloud Security Study for 2022 revealed that in the past 12 months, 45% of businesses experienced a cloud data breach or failed to conduct audits, marking a 5% increase from the previous year.

Katie Barnett, Toro’s Director of Cyber Security, shares her top tips on how to assure your company’s cloud cybersecurity.

Develop a Cloud Security Strategy:

Create a comprehensive cloud security strategy aligned with your business goals, risks, and resources. This strategy should be a living document and serve as a guiding framework when researching or onboarding any new cloud providers. 

Assess Your Cloud Provider:

Before selecting a new cloud provider, meticulously evaluate their security policies, practices, and certifications, utilising your established cloud security strategy as a blueprint. 

Ensure compliance with industry standards such as ISO 27001, PCI DSS, HIPAA, and GDPR (General Data Protection Regulation). Verify alignment of the provider’s platform and technologies with your goals, look for a service development roadmap for long-term compatibility, and scrutinise data policies and security controls for risk-based alignment with your security policies.

Don’t forget about 4th party providers – the downstream suppliers who may play a crucial role in delivery of your cloud service – assess their reliability, and consider a separate assessment if needed. During due diligence, discuss data backup, recovery, encryption methods, and incident response procedures, establishing a clear service level agreement for mutual understanding.

Secure a Data Backup Plan:

As highlighted above, understanding the provider’s policy on this is critical. Having a robust data backup plan is integral to any cloud security strategy. In the event of data loss, you need to ensure that a solid backup plan is in place to facilitate data recovery and uninterrupted operations. Many organisations do not back up their cloud-hosted data, believing this is covered by their cloud provider. But resiliency in the cloud is not the same thing as having a separate copy of your data, for example if someone permanently deletes it from its cloud location.

Therefore, during your due diligence, engage in discussions about data backup, recovery, encryption, and the provider’s incident response procedures. Clarify these aspects in a well-defined service level agreement to avoid misunderstandings in the future. 

Data backup integrity is of paramount importance. Having a solid plan in place for storing data in the cloud, locally, and offline is critical for swift recovery in case of unexpected issues. Work out the specifics of this plan before entering into any partnership.

Monitor and Maintain Your Cloud Environment:

As an organisation, stay vigilant against potential threats by consistently monitoring and updating your cloud environment. 

Utilise tools that detect suspicious activities, unauthorised access, or data leakage. It’s also important to regularly patch and update cloud applications, software, and operating systems to address vulnerabilities. 
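To make the monitoring advice concrete, here is an added example (not code from the article or from Toro) of the kind of rule-based checks a detection tool runs over cloud audit logs: a burst of failed logins from one source address (unauthorised access attempts), successful console logins that did not present a second factor, and unusually large download volumes by one principal (a data-leakage signal). The log records, their field names and the thresholds are constructed for the example and do not follow any particular provider's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in JSON-lines form; every value is made up
# and the field names are an assumption, not a real provider's schema.
SAMPLE_LOG = """\
{"time":"2024-03-01T08:00:00Z","event":"ConsoleLogin","user":"alice","src":"203.0.113.10","outcome":"failure","mfa":true}
{"time":"2024-03-01T09:00:00Z","event":"ConsoleLogin","user":"alice","src":"203.0.113.10","outcome":"success","mfa":true}
{"time":"2024-03-01T09:01:00Z","event":"ConsoleLogin","user":"bob","src":"198.51.100.7","outcome":"failure","mfa":false}
{"time":"2024-03-01T09:01:20Z","event":"ConsoleLogin","user":"bob","src":"198.51.100.7","outcome":"failure","mfa":false}
{"time":"2024-03-01T09:01:40Z","event":"ConsoleLogin","user":"bob","src":"198.51.100.7","outcome":"failure","mfa":false}
{"time":"2024-03-01T09:02:00Z","event":"ConsoleLogin","user":"bob","src":"198.51.100.7","outcome":"failure","mfa":false}
{"time":"2024-03-01T09:02:20Z","event":"ConsoleLogin","user":"bob","src":"198.51.100.7","outcome":"failure","mfa":false}
{"time":"2024-03-01T09:05:00Z","event":"ConsoleLogin","user":"carol","src":"192.0.2.44","outcome":"success","mfa":false}
{"time":"2024-03-01T09:10:00Z","event":"GetObject","user":"alice","src":"203.0.113.10","outcome":"success","bytes":120000}
{"time":"2024-03-01T09:11:00Z","event":"GetObject","user":"dave","src":"192.0.2.99","outcome":"success","bytes":2500000000}
{"time":"2024-03-01T09:12:00Z","event":"GetObject","user":"dave","src":"192.0.2.99","outcome":"success","bytes":1000000000}
"""


def parse_log(text):
    """Parse JSON lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source addresses with at least `threshold` failed logins inside any
    sliding window of length `window`; returns (src, peak_count) pairs."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "ConsoleLogin" and e["outcome"] == "failure":
            failures[e["src"]].append(e["time"])
    findings = []
    for src, times in sorted(failures.items()):
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append((src, best))
    return findings


def detect_logins_without_mfa(events):
    """Flag users whose successful console login carried no second factor."""
    users = {e["user"] for e in events
             if e["event"] == "ConsoleLogin" and e["outcome"] == "success"
             and not e.get("mfa")}
    return sorted(users)


def detect_bulk_downloads(events, limit_bytes=1_000_000_000):
    """Flag principals whose total successful object downloads exceed limit_bytes.
    A production detector would window this per hour or day; the whole log is
    one window here to keep the example short."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "GetObject" and e["outcome"] == "success":
            totals[e["user"]] += int(e.get("bytes", 0))
    return {user: total for user, total in sorted(totals.items()) if total > limit_bytes}


def run_detections(text):
    """Run all three rules over a JSON-lines log and return the findings by rule."""
    events = parse_log(text)
    return {
        "failed_login_bursts": detect_failed_login_bursts(events),
        "logins_without_mfa": detect_logins_without_mfa(events),
        "bulk_downloads": detect_bulk_downloads(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

Each rule is deliberately simple so its false-positive behaviour is easy to reason about: the burst rule uses a sliding window rather than a fixed bucket so a run of failures straddling a minute boundary is not missed, and the MFA rule only fires on successful logins, since a failed attempt without MFA tells you little on its own.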

Train Staff to Understand Attacks:

Provide staff with training on identifying and responding to common cyberattacks, including phishing emails and malware. 

Employees need to be educated about existing and emerging cloud security threats and effective ways to mitigate them. Your people can be your greatest strength, but also your greatest weakness, when it comes to security; training gives them the tools and knowledge to protect both themselves and the business. 

Encrypt and Secure Your Data:

Recognise data as your business’s most valuable asset. 

Check the encryption standards used for authentication, and make sure data is encrypted both in transit and at rest. Think about what sensitive data you are storing in the cloud and whether that is in compliance with the relevant regulations. Check who has access to it, applying the principle of least privilege when managing data permissions and access-control processes.
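The encryption-at-rest, in-transit and least-privilege checks above are exactly what cloud posture tooling automates. The following added example (not from the article or from Toro) audits a small, constructed inventory of storage locations against those three requirements. The configuration format, its field names such as `encryption_at_rest` and `require_tls`, and the `group/` and `role/` principal prefixes are assumptions invented for the example, not any provider's real schema; the "broad principal" rule is a heuristic stand-in for a proper least-privilege review.

```python
# Constructed inventory of storage locations. All names and values are made up
# and the schema is an assumption for this example only.
STORES = [
    {"name": "customer-records", "encryption_at_rest": "aes256",
     "require_tls": True, "public": False,
     "grants": [{"principal": "role/billing-service", "actions": ["read"]}]},
    {"name": "marketing-assets", "encryption_at_rest": None,
     "require_tls": False, "public": True,
     "grants": [{"principal": "*", "actions": ["*"]}]},
    {"name": "hr-archive", "encryption_at_rest": "aes256",
     "require_tls": True, "public": False,
     "grants": [{"principal": "group/all-staff", "actions": ["read", "write", "delete"]},
                {"principal": "role/hr-app", "actions": ["read"]}]},
]

# Actions that change or remove data; least privilege wants these held by a
# specific workload role, not handed to a whole group of people.
MUTATING_ACTIONS = {"write", "delete"}


def is_broad_principal(principal):
    """Heuristic: anonymous access or an organisation-wide group counts as broad."""
    return principal == "*" or principal.startswith("group/all-")


def audit_store(store):
    """Return a list of findings for one storage location; empty means compliant."""
    findings = []
    if not store.get("encryption_at_rest"):
        findings.append("data not encrypted at rest")
    if not store.get("require_tls"):
        findings.append("unencrypted (non-TLS) access permitted")
    if store.get("public"):
        findings.append("publicly readable")
    for grant in store.get("grants", []):
        principal, actions = grant["principal"], set(grant["actions"])
        if principal == "*":
            findings.append("grant to anonymous principal '*'")
        if "*" in actions:
            findings.append(f"grant of all actions to {principal}")
        elif actions & MUTATING_ACTIONS and is_broad_principal(principal):
            findings.append(f"write/delete granted to broad principal {principal}")
    return findings


def audit_all(stores):
    """Map each store name to its findings so the report is easy to assert on."""
    return {s["name"]: audit_store(s) for s in stores}


def non_compliant(stores):
    """Names of stores with at least one finding, in inventory order."""
    return [s["name"] for s in stores if audit_store(s)]


if __name__ == "__main__":
    for name, findings in audit_all(STORES).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Running the checks as code rather than a checklist means they can sit in a pipeline and re-run whenever configuration changes, which is what keeps a one-off due-diligence review from drifting out of date.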

Use Multi-Factor Authentication (MFA):

Implement MFA, requiring two or more verification methods for authentication. This adds an extra layer of security beyond traditional username and password authentication. MFA is difficult for cybercriminals to crack without access to personal information, enhancing overall account security.

Perform Pen Testing to Find Gaps:

Regularly conduct penetration testing to identify vulnerabilities in both cloud and on-premises systems. Pen tests help improve overall system security by pinpointing potential weaknesses that attackers could exploit. Integrating hacking simulations ensures ongoing resilience against evolving threats.

A proactive and multi-faceted approach is crucial for ensuring cybersecurity in the cloud. By integrating these strategies into your security posture, you will have the necessary assurance that your cloud operations are secure and resilient. 

Basic security measures, such as data backup, encryption, and employee education, coupled with comprehensive cloud security policies, form the foundation of a robust defence against the evolving landscape of cyber threats. 


Katie is a tenacious cyber security professional, with fifteen years’ experience in IT, built upon a corporate foundation of legal training and a stint as a commercial solicitor. She has run IT and security operations for a number of commercial, academic and media organisations. This includes delivering government supply chain assurance projects and supporting multiple UK and US government contracts in the strategic communications space.

As a consultant she operates at Chief Information Security Officer (CISO) level, providing board level expertise in information security. This includes assessing cyber security maturity and conducting gap analyses against industry standards such as Cyber Essentials, ISO 27001, NIST, SOC 2, CAIQ, and CAF. She relentlessly drives improvement by building relationships, adopting a methodical approach and communicating effectively.   

Her talent is in distilling complex environments down to deliver simple, robust solutions that address cyber, physical and people security. She has overseen cybersecurity and risk management for projects delivering globally, including throughout Europe, Australia, Iraq, Somalia, Kenya, Nigeria, Tunisia, Georgia and Ukraine. This has involved utilising cloud technologies, implementing structured procedural frameworks and engaging a multitude of stakeholders. Other projects include leading on the delivery of ISO 27001, ISO 9001, Cyber Essentials Plus and B Corps status attainment.
