Over the past year, malicious actors have discovered just how disruptive and lucrative cyber attacks can be, while experts predict cyber-crime will cost $10.5 trillion in damages by 2025. Spurred by an increased need for remote access, hackers are gaining more access to organizations’ data and systems with minimal effort through cloud servers that haven’t been configured securely.
In fact, from 2019 to 2020, there was a staggering 75% YoY increase in data breaches, according to Verizon’s 2021 Data Breach Investigations Report. The widely used annual report highlights the growing threat of cyber attacks in the cloud.
As attacks grow and become more sophisticated, cloud protection can no longer be a job relegated to IT. From building skills that help detect attacks, to backing up data regularly, cloud security is a company-wide responsibility.
Cloud’s Biggest Vulnerability? Humans.
Most breaches can be traced back to human error. Whether it’s due to poor security practices, a misconfiguration, or an intentional misuse of privileges, 85% of breaches last year involved mistakes made by employees and third-party contractors, according to the Verizon report. As hackers follow organizations to the cloud, companies must realize that strong cloud security starts with strong people security.
“Your job is not to secure your computers but your organization. And if you’re not securing your people, you’re not securing your organization,” security expert Gabe Bassett wrote in the report.
Employees’ credentials, in particular, remain some of the most highly sought-after data types. More often than not, credentials now reside in the cloud—making it an obvious target for bad actors. More than 61% of breaches involve phishing, brute-forcing weak passwords or multi-factor authentication (MFA) bypass. And cyber criminals’ credential-stealing tactics are getting even more sophisticated. It takes just a single mediocre password to compromise an entire company’s security, highlighting the importance of everyone’s commitment to security, not just IT.
Security is a team sport. It requires a game plan, as well as company-wide buy-in and coordination. In practice, that means employees across the organization don’t just learn essential security skills (like creating strong passwords and using multi-factor authentication), but “practice” them regularly as well.
Organizing routine training sessions and internal phishing campaigns can help sharpen employees’ threat detection skills and build foundational security awareness across all aspects of the business. The goal is for team members to be prepared for different kinds of threats, build the muscle memory to detect them, and then become methodically paranoid, improving cyber hygiene across the business.
In addition to awareness building and hands-on training, organizations should also implement periodic service account credential rotations, password managers, and other Zero Trust security guidelines to improve their identity-based security posture. An architecture based on Zero Trust security principles is the most effective way today to guarantee that only those who should have access to the cloud are granted it.
Minimizing Consequences From Inevitable Attacks
Even with flawless security training and practices, some breaches, such as ransomware attacks, are often unavoidable. According to Verizon, 13% of all breaches last year involved some form of ransomware, with more recent data pointing to an astounding 138% YoY increase in these attacks. Recent high-profile ransoms paid by organizations whose services were disrupted or compromised have shown how profitable ransomware can be, motivating hackers and giving rise to ransomware-as-a-service.
Even more difficult to prevent are attacks that involve exploiting a vulnerability in company code. While these are often the hacks that grab headlines due to the precision and level of technical expertise required, they represent just 3% of all breaches, according to Verizon. Yet, even that is too much risk for most companies today.
There are some measures companies can take to safeguard a business against technically sophisticated attacks. Continuous vulnerability scanning that identifies and patches major vulnerabilities, analyzing up to 2,400 potentially applicable vulnerabilities a year, minimizes the chances of a high or critical vulnerability being exploited. This can be done for customers as well. But, inevitably, hackers can slip through the cracks.
That’s when a fully tested backup and recovery plan becomes essential. A cloud backup is a copy of a database that lives in a secondary location and is used to keep services online even during a catastrophic event, such as equipment failure or a system compromise. Backup and recovery plans are the most crucial, foundational security control for organizations to respond to all types of incidents.
Organizations serious about avoiding downtime should opt for cloud providers that offer automated backup and recovery services that are simple to understand. However, employees also play a key role in maintaining cloud backups. Organizations should have employees schedule backups to be performed daily, weekly or biweekly (depending on their needs) in order to provide a seamless database restore that keeps services up and running in the event of an emergency.
As Threats Grow, So Too Must Vigilance
Hackers aren’t going anywhere. On the contrary, they’re getting more creative, resourceful, and dangerous. It takes a true team to protect a business against cloud vulnerabilities and attacks in today’s distributed world. By giving all employees the resources they need to understand, prevent, and prepare for threats, organizations can help reduce—and potentially even eliminate—the most common types of cloud breaches.
(The author, Joe Zhou, is Chief Information Security Officer at Linode, an independent open cloud provider. The views expressed in this article are his own.)