Breaching cloud security is easy, (literally) anyone can do it - 4min read

Looking after customer data is a huge responsibility for any business and it's easy to spend all our time worrying about digital security protections, but in the end breaches can come down to something as mundane as who’s dating your sister...

 

Security is the same the world over whether it’s someone pick-pocketing you, breaking into your flat to get your Xbox or stealing thousands of credit card details from an airline e-commerce site. Every burglar from the common to the high tech relies on the same thing:  Humans doing human things.

 

Burglars tend to rely on human negligence to enter homes, with the majority of break-ins being committed by burglars who live nearby and are familiar with home owners’ daily whereabouts. And get this: up to 65% of burglars know their victims!

 

It’s pretty similar in the digital world as Sophie Daniel (a.ka. Jek Hyde), a physical penetration tester and information security consultant, well knows.  She specialises in social engineering security assessments, helping businesses to test their security structures by focusing on breaching its weakest point: humans.

 

Like any other burglar, Daniel relies on employees working in high security environments to simply let her in. Which they do, alarmingly regularly. Because they’re human.

 

We trust other humans and are willing to accommodate them despite safety rules put in place to prevent this, or red flags that suggest we do otherwise.

 

Daniel tells a fascinating story about how she did a basic online background check on an employee of one such company, and how it allowed her to social engineer her way through that employee and eventually other employees. She gained access to highly restricted areas simply by engaging people’s personal interests, passions and humanity, and so winning their trust.

 

OK, but what does all this have to do with breaching cloud security?

 

Anyone can unlock the cloud

A new report released by Kaspersky just last week, suggests that 90% of data breaches in the cloud are caused by humans. The report warns that while organisations are primarily worried about the integrity of external cloud platforms, they are more likely to be affected by weaknesses far closer to home. Social engineering techniques make up 33% of these incidents with only about 10% being caused by cloud providers themselves. The rest is made up of targeted attacks and negligence.

 

Businesses rely largely on a cloud infrastructure provider for cyber security but the real threat to their customers’ data are their own employees and internal security systems.

 

Which internal security measures can prevent cloud breaches?

‘Our research shows that companies should be more attentive to the cyber security hygiene of their employees and take measures that will protect their cloud environment from the inside,’ warns Maxim Frolov, Vice President of Global Sales at Kaspersky.

 

My company, Skynamo, recently became one of relatively few tech providers worldwide to achieve the global benchmark in data security - ISO 27001:2013 certification – to protect its customers' business data. It focuses on securing the physical, technical and human points of weakness.

 

In particular, it ensures the following:

  • Customer data is only used for the purpose of the service we commit to provide
  • We adhere to customers' unique requirements for data-handling
  • Customer data is not shared with unauthorised 3rd parties
  • Customer data is accessible only to a very restricted team of individuals at Skynamo who have received training on how to handle your data appropriately
  • Customer data is stored in a segregated way, not to be confused with other customers’ data
  • Backups of customer data are properly protected
  • Data that’s no longer relevant is deleted

 

The measures Skynamo takes to ensure our data remains secure in the cloud:

As we all know, our greatest strengths and weaknesses are usually related. Our employees are our best line of defense against a cyber threat. They are our eyes and ears on the ground.

 

Awareness, education, a security culture, and where necessary, specific training are key elements in preventing a social engineering breach at Skynamo.

 

Skynamo actively fosters a security conscious culture through continuous awareness and training initiatives, encouraging the reporting of anything that doesn't feel right, from a strange looking link in an email, to a suspicious person loitering at reception.

 

How can your business be certified as secure?

It was no small task for Skynamo to ensure the systems, policies and procedures were in place to achieve and support our three main security objectives, namely the securing of 1) customer, 2) product and 3) company information.  And it’s no small task to keep these in place. Security is about consistency and keeping it all top of mind.

 

The first step we took was to get the right people on board to help us align our practices with ISO standards. This required independent certification service providers, qualified to conduct audits, provide recommendations and eventually grant the appropriate certifications.

 

ThinkSmart did a brilliant job of helping us achieve our ISO certification. They came on board to consider the various data security risks Skynamo is exposed to and ensured that we put the right controls in place to reduce these risks to an acceptable level. This audit looked beyond the general storage of data to how it is handled among our employees and also the physical security of the premises where the we conduct our daily business.

 

With data breaches on the rise worldwide and with only 7,478 companies in the IT sector worldwide and only 69 companies across all sectors in South Africa being ISO certified, as of 31 December 2017, we strongly recommend approaching independent certification service providers and securing your business against security breaches.

 

 

 

Sources:

Humans cause most cloud breaches