While cloud computing has become the norm for so many daily business tasks, many SMEs still feel wary about placing their own – and their customers’ – information on cloud-based servers.
These fears have been fueled by recent high-profile attacks such as the Equifax breach, when the private financial details of more than 140 million Americans were released online. Additionally, ransomware attacks such as the WannaCry and Petya outbreaks have many businesses spooked.
There’s no downplaying the seriousness of these attacks – research from Symantec shows phishing scams target more than 400 businesses a day, costing a total of $3 billion – and 46% of attacks target SMEs.
However, there are six distinct steps businesses can take when it comes to protecting their data in order to place it in the cloud:
Know what information you have
Murray Goldschmidt, chief operating officer at Sense of Security, says small businesses need to conduct an audit of the types of information they own before they can reasonably act to protect it.
“Sometimes people think they only have one class of data, like a medical database. But they may have payments data and not realise it,” he says.
It is essential that businesses consider what data they have on hand, where it comes from and how it is sent out and managed. While a database is an obvious source of information, social media accounts, mailing lists and accounts in the cloud can all be vulnerable to attack.
Have a backup strategy
Using cloud services to protect your data is one thing, but security expert and consultant Troy Hunt says it will all be for nothing if you don’t have a robust backup strategy in place.
“I was actually in a dentist’s office recently and as they were in there, they were dealing with a phishing scam. I asked, where are your backups? It turns out they didn’t have any,” says Hunt.
Businesses should ensure they have all of their data backed up as frequently as possible. This is as much for covering yourself in the case of human error as it is for data security.
While nobody wants to think they are vulnerable to attacks, or indeed human error, backups can ensure your business is protected should something happen to your information.
Implement governance, passwords and constrained privileges
The next step is to examine the cloud services you use within your own organisation and lock those down. After all, it only takes one slip for hackers to access your cloud services through a back door.
“The easiest and least cost-prohibitive thing is multi-factor authentication,” Goldschmidt advises.
Multi-factor authentication can feel very inconvenient, often involving multiple devices, but it makes a security breach much less likely, which makes it very worthwhile.
Train people to recognise threats and restrict access
Businesses have a responsibility to educate their employees about cyber attacks and to ensure their people are properly trained to recognise threats. It is also important for businesses to consider just who needs access to what data.
“We see a lot of organisations giving far more privileges than they need,” Hunt says.
“Managers might say they need the access that everyone else has, but if malware gets on that machine? It’s game over.”
It’s important to assess the number of people who have access to your company’s data – in all forms – and reduce that as much as practicable.
Hunt adds that phishing attacks are one of the most common forms of attacks against small businesses. According to Symantec, phishing rates reached a 12-month high in July 2017. It is therefore important to train your staff not to click on suspicious emails, and continue that education piece regularly to remind staff of the risks.
Make sure everything is encrypted by default
Businesses need to be aware of the mobile devices within their business that could potentially lead hackers to infiltrate a cloud service. For instance, if an employee leaves a laptop or company phone on a train it could potentially be hacked to reveal user names and passwords.
The answer? Encryption.
“Microsoft builds cryptography into the operating system, and it’s free … it’s also free on macOS,” says Goldschmidt.
“There is no excuse why you wouldn’t encrypt your data or use things like multi-factor authentication. They’re either free or have a very low cost to entry.”
Make sure you’re insured for the unthinkable
While the ideal situation does not involve a cyber attack on your business, sometimes you can do everything right and still fall victim. Having an appropriate cyber insurance policy in place can bring confidence and security to business owners when transferring large amounts of sensitive data into the cloud. Cyber attacks or data breaches can take many forms, from deliberate attacks to technology issues or simple negligence. In December 2016, it was reported that 46% of cyber attacks target small businesses, and only 14% of small businesses rate their ability to mitigate cyber risks.
Unfortunately, many of the costs involved in getting back to business after a cyber attack aren’t covered by a typical business insurance policy. A Steadfast insurance broker can recommend a policy based on your specific business needs, offering advice and confidence to business owners and their customers.
Steadfast Group Limited (ASX: SDF) is the largest general insurance broker network and group of underwriting agencies in Australasia, with growing operations in Asia and Europe. The broker network has 361 general insurance brokers who receive superior market access, exclusive products and services backed by the size and scale of the Steadfast Group. Brokers in the network have access to over 160 products and services which support their business and allow them to focus on their clients' insurance and risk management needs.