Today, most businesses are using some kind of cloud service, but tight budgets and a lack of resources can make the technology challenging for smaller firms to secure.
Some small and medium-sized businesses (SMBs) are unaware of the risks they face, with many failing to understand their security obligations when signing up for cloud services. This can lead to devastating cyber attacks involving malware such as ransomware, which can come at a devastating cost.
Four measures SMBs can take to avoid common security pitfalls
The cloud encompasses many technologies, including software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and cloud storage. By targeting the cloud, attackers can leverage security weaknesses such as misconfigurations and insufficient access controls to breach businesses directly or via the supply chain.
It is with this threat in mind that the UK National Cyber Security Center (NCSC) has launched new cyber guidance for SMBs using cloud and online services. The guidance offers practical advice on basic cyber security measures small businesses can employ to protect themselves amid heightened threats.
So what specific risks do SMBs face, and how can you stay secure while taking advantage of cloud technology?
Cloud security for SMBs: The threat landscape
While cloud adds complexity, one of the biggest problems for SMBs is a lack of budget and resources to adequately address security. SMBs may have fewer financial and human resources compared to their larger counterparts, says Guy Warren, CEO at ITRS. “They are unlikely to have an in-house specialist cybersecurity team, meaning they may find it more difficult to respond to threats or breaches as quickly as bigger businesses.”
Lucas Fedyniak-Hopes, senior security consultant at Prism Infosec, adds smaller organizations often lack an overall cybersecurity strategy. “Security controls might be implemented in a piecemeal manner across the estate, leaving some areas well protected but others sorely exposed,” he tells ITPro
Some of the key challenges SMBs face are misconfigurations within cloud environments and insufficient access controls. “This poses significant threats to the integrity and confidentiality of sensitive information,” says Elie Feghaly, chief security officer at broadcast technology company Vizrt.
In the future, this risk is set to grow, as technology like AI threats come to fruition. “AI is now open and available to almost anyone, and hackers are increasingly leveraging it as they seek to evade conventional protection measures,” says Warren.
Insecure application programming interfaces (APIs) also pose a mounting risk. “They can become an easy target for attackers to breach, and the process for securing APIs is prone to human error,” Warren warns.
Meanwhile, as organizations start to rely on remote collaboration and conferencing tools, the services will be increasingly targeted by cyber criminals. “Phishing messages have traditionally come in over email, but organizations need to protect their collaboration tools too,” says Francis O'Haire, group CTO at DataSolutions.
Cloud security for SMBs: Mitigating risk
It's clear cloud poses a risk to smaller firms, but there are some simple steps leaders can take to boost security. The NCSC’s cybersecurity guidelines describe basic measures SMBs can implement to protect themselves from potential cloud computing risks.
While the NCSC says it’s safer to use the cloud than traditional on-site IT solutions, it also underscores the importance of ensuring the technology is securely set up and managed. Martin Saunders, CTO at Indigo Integrated Solutions, tells ITPro that the right strategy for cloud management is key.
“A cloud solution from a reputable vendor still needs to be set up and maintained properly to be secure and businesses need a plan for when things go wrong,” he says.
Without the proper expertise, leaders, and staff within SMBs will also struggle to navigate the complex cloud landscape. Without the proper oversight and understanding, businesses can become vulnerable to attacks that prey on cloud weaknesses. These include data breaches, ransomware attacks, and unauthorized access, according to Jason Kemmerer, solutions architect at Forcepoint.
It’s also important to be aware of who is responsible for what. In cloud computing, the responsibility for security is shared between the cloud service provider (CSP) and the customer, Kemmerer explains. “The provider is responsible for securing the infrastructure and ensuring compliance with industry standards, while the customer is accountable for securing their data, applications, and configurations within the cloud environment.”
Securing cloud storage requires a comprehensive approach that combines technical controls, policies, and best practices, says Sergei Serdyuk, vice president of product management at NAKIVO.
SMBs can secure cloud storage, for example, by choosing a reputable provider, he says. “Smaller organizations should opt for well-established and reputable cloud service providers that have a strong track record in security and compliance.”
He advises reviewing the security practices of the cloud provider, including data encryption, access controls, and incident response protocols. Understanding the cloud provider’s shared responsibility model is “vital”, Serdyuk adds.
The settings in various public cloud services can offer a range of one to 100 configurable options. For all services, firms should dedicate time to reviewing settings, making sure they understand what they do, and are properly secured, says Fedyniak-Hopes.
Cloud security for SMBs: Focusing on account security
Account security for cloud services is where you will get the best return on investment, says Fedyniak-Hopes. “Firms can ensure they are enforcing multi-factor authentication (MFA), using strong passwords, and making sure accounts aren’t shared and have the minimal required permissions assigned to them. These low-cost activities will improve the security of cloud service accounts.”
Since small businesses typically have fewer people working on IT security, make sure staff are trained to have a sufficient level of knowledge and understanding to be able to detect cloud threats, says Warren. “Taking steps to educate employees about cloud security, common threats and best practices for securely accessing and handling cloud data can help bolster resilience and enable SMBs to identify issues quickly. “
Firms can also invest in vulnerability management and assessment or conduct penetration testing to make sure APIs are watertight, Warren adds. At the same time, leaders should implement a hybrid backup strategy, with regular data backups, and establish a robust recovery plan, Kemmerer advises.
SMBs are increasingly adopting cloud and while it’s efficient, it’s also a good idea to consider whether you need the specific service, says Saunders.
“Ruthlessly prioritize what’s critical”: Check Point expert on CISOs and the evolving attack surface
“The easiest and most cost-effective way of securing something you’re not really getting value from is to turn it off and remove it,” he says. “It’s too easy to consume cloud services such as smartphone apps, browser plug-ins, and cloud web services without really considering whether you need them and the amount of effort involved in setting them up and maintaining them properly.”
