All posts by mattkingswoodits

How on-demand cloud is contributing to the ransomware problem

“Attention! All your files have been encrypted.” More and more businesses are being greeted with messages such as this one, with ransomware attacks against businesses having increased threefold last year.

Advice for preventing ransomware – which is malicious software that encrypts devices or data until the owner pays a ransom in exchange for access to their data – is typically something to the effect of “back up your data off-site so you don’t have to pay the ransom.” In response, businesses may vault their data in the cloud, assuming that it is secure and they no longer have to worry about the threat of ransomware as long as the backups are up to date.

To be sure, backing up data in the cloud is a good strategy. However, rapid adoption of on-demand cloud applications could be putting an organisation’s cloud backups at risk. In fact, a recent Netskope report found that 43.7 per cent of the malware found in the cloud is carrying ransomware. Below are some of the top ways ransomware can spread via the cloud.

Employees downloading unauthorised cloud applications

Employees can easily sign up for cloud applications, as many cloud services by nature enable users to bypass company and country security policies. When employees open accounts with unauthorised cloud services – whether they are software services, file-sharing applications or payment processors, IT staff are not able to monitor the apps appropriately and ensure proper security measures are implemented. This lack of security monitoring dramatically increases the likelihood of ransomware being introduced to the network. What employees may not realise is that the increased possibility of new security breaches essentially negates any gains made by the cloud applications. Worse, if the cloud provider itself is attacked, all its customers could be affected as well.

To put the risk into perspective, 1 in 10 of the enterprises monitored by Netskope yielded ransomware-infected files in sanctioned cloud apps. Although the report did not cover unsanctioned applications, it stands to reason that ransomware would be even more rampant in these, as they are not monitored by IT staff.

Syncing and sharing

Malware and malicious files and links can spread rapidly through an organisation, and more sophisticated ransomware is now using the cloud to spread. Imagine an employee opens a suspicious email attachment and downloads ransomware to their computer, encrypting all the files in their “Documents” folder. The employee has granted a file-sharing application access to this folder, and the application automatically syncs the infected files to the cloud account. Multiple other employees’ computers are also synced with the cloud folder containing the malware, and the moment they click on any of the infected files, the ransomware spreads to their systems as well.

One new variant of ransomware in particular, called Virlock, uses this method to spread. Unlike other ransomware strains, it does not tell the user their device has been infected by ransomware. Instead, it displays an official-looking message claiming to be an anti-piracy warning from the U.S. Federal Bureau of Investigation. The message demands the payment of a fine to avoid incarceration – a tactic designed to coerce businesses into paying the ransom.

Using personal devices for work

Bring your own device (BYOD) is ubiquitous now. Odds are, employees are using their personal devices for work whether or not BYOD is sanctioned by their employer. Unfortunately, access to data anytime, anywhere means more entrypoints into the network, and employees are typically less vigilant about security when it comes to their personal devices and are more likely to connect to public networks.

When employees fail to observe proper security measures, this can result in both their personal data and their employer’s data being held hostage. With 4 per cent of all mobile devices containing malware, ransomware is a real possibility. And, of course, this risk is exacerbated if the employee uses sync-and-share applications on their mobile device.

How can businesses prepare for these threats?

Businesses should continue to back up data both on-site and in the cloud, but with hackers taking advantage of the on-demand nature of the cloud to perpetrate ransomware attacks, businesses must take additional protection measures.

The first line of defence against ransomware is employee education and accountability. To encourage employee engagement, businesses should emphasise the following key points when training employees:  

  • Exercising caution when using personal devices for work not only protects corporate data but employees’ personal data as well. To keep information safe, employees should be encouraged to avoid connecting to public WiFi networks, be wary of clicking on links in emails and notify their IT department immediately if they suspect their device has been infected by ransomware.
  • Sensitive employee information is stored on the company network as well. Once malware infiltrates the corporate network, it can spread to other areas – including human resources files containing employees’ sensitive information. Employees can do their part to protect any data stored on the corporate network by working with IT administrators to understand how to identify phishing emails (e.g. typos, misspelled words and mismatched domain names). Additionally, they should be instructed to only download content or software from trusted sources and immediately run all software updates when prompted.
  • They learn valuable cybersecurity skills to apply in their personal lives. Do they know the telltale signs of a phishing email? Or what type of password is most secure? Or whether putting off computer updates really hurts anything? Knowing the answers to questions such as these is key to being security conscious at work, but they’re just as applicable at home.

Now that ransomware can spread more rapidly than ever before via the cloud, generating awareness of how to prevent ransomware is essential. Employees must be educated on how their security habits can negatively impact the organisation ‒ and even their personal data as well. The time to build awareness is now – not when the hacker delivers that dreaded message: “Attention! All your files have been encrypted.”

How on-demand cloud is contributing to the ransomware problem

“Attention! All your files have been encrypted.” More and more businesses are being greeted with messages such as this one, with ransomware attacks against businesses having increased threefold last year.

Advice for preventing ransomware – which is malicious software that encrypts devices or data until the owner pays a ransom in exchange for access to their data – is typically something to the effect of “back up your data off-site so you don’t have to pay the ransom.” In response, businesses may vault their data in the cloud, assuming that it is secure and they no longer have to worry about the threat of ransomware as long as the backups are up to date.

To be sure, backing up data in the cloud is a good strategy. However, rapid adoption of on-demand cloud applications could be putting an organisation’s cloud backups at risk. In fact, a recent Netskope report found that 43.7 per cent of the malware found in the cloud is carrying ransomware. Below are some of the top ways ransomware can spread via the cloud.

Employees downloading unauthorised cloud applications

Employees can easily sign up for cloud applications, as many cloud services by nature enable users to bypass company and country security policies. When employees open accounts with unauthorised cloud services – whether they are software services, file-sharing applications or payment processors, IT staff are not able to monitor the apps appropriately and ensure proper security measures are implemented. This lack of security monitoring dramatically increases the likelihood of ransomware being introduced to the network. What employees may not realise is that the increased possibility of new security breaches essentially negates any gains made by the cloud applications. Worse, if the cloud provider itself is attacked, all its customers could be affected as well.

To put the risk into perspective, 1 in 10 of the enterprises monitored by Netskope yielded ransomware-infected files in sanctioned cloud apps. Although the report did not cover unsanctioned applications, it stands to reason that ransomware would be even more rampant in these, as they are not monitored by IT staff.

Syncing and sharing

Malware and malicious files and links can spread rapidly through an organisation, and more sophisticated ransomware is now using the cloud to spread. Imagine an employee opens a suspicious email attachment and downloads ransomware to their computer, encrypting all the files in their “Documents” folder. The employee has granted a file-sharing application access to this folder, and the application automatically syncs the infected files to the cloud account. Multiple other employees’ computers are also synced with the cloud folder containing the malware, and the moment they click on any of the infected files, the ransomware spreads to their systems as well.

One new variant of ransomware in particular, called Virlock, uses this method to spread. Unlike other ransomware strains, it does not tell the user their device has been infected by ransomware. Instead, it displays an official-looking message claiming to be an anti-piracy warning from the U.S. Federal Bureau of Investigation. The message demands the payment of a fine to avoid incarceration – a tactic designed to coerce businesses into paying the ransom.

Using personal devices for work

Bring your own device (BYOD) is ubiquitous now. Odds are, employees are using their personal devices for work whether or not BYOD is sanctioned by their employer. Unfortunately, access to data anytime, anywhere means more entrypoints into the network, and employees are typically less vigilant about security when it comes to their personal devices and are more likely to connect to public networks.

When employees fail to observe proper security measures, this can result in both their personal data and their employer’s data being held hostage. With 4 per cent of all mobile devices containing malware, ransomware is a real possibility. And, of course, this risk is exacerbated if the employee uses sync-and-share applications on their mobile device.

How can businesses prepare for these threats?

Businesses should continue to back up data both on-site and in the cloud, but with hackers taking advantage of the on-demand nature of the cloud to perpetrate ransomware attacks, businesses must take additional protection measures.

The first line of defence against ransomware is employee education and accountability. To encourage employee engagement, businesses should emphasise the following key points when training employees:  

  • Exercising caution when using personal devices for work not only protects corporate data but employees’ personal data as well. To keep information safe, employees should be encouraged to avoid connecting to public WiFi networks, be wary of clicking on links in emails and notify their IT department immediately if they suspect their device has been infected by ransomware.
  • Sensitive employee information is stored on the company network as well. Once malware infiltrates the corporate network, it can spread to other areas – including human resources files containing employees’ sensitive information. Employees can do their part to protect any data stored on the corporate network by working with IT administrators to understand how to identify phishing emails (e.g. typos, misspelled words and mismatched domain names). Additionally, they should be instructed to only download content or software from trusted sources and immediately run all software updates when prompted.
  • They learn valuable cybersecurity skills to apply in their personal lives. Do they know the telltale signs of a phishing email? Or what type of password is most secure? Or whether putting off computer updates really hurts anything? Knowing the answers to questions such as these is key to being security conscious at work, but they’re just as applicable at home.

Now that ransomware can spread more rapidly than ever before via the cloud, generating awareness of how to prevent ransomware is essential. Employees must be educated on how their security habits can negatively impact the organisation ‒ and even their personal data as well. The time to build awareness is now – not when the hacker delivers that dreaded message: “Attention! All your files have been encrypted.”

How to keep downtime to a minimum with the right cloud computing support

(c)iStock.com/fazon1

The cloud has transformed the way we do business today, improving infrastructure scalability and cost models for everything from software to data storage to disaster recovery. As with any IT solution, however, cloud computing isn’t without its risks.

In 2012, the International Working Group on Cloud Computing Resiliency (IWGCR) claimed that cloud downtime had cost £45 million over five years. Although a new five-year report on cloud outage costs hasn’t yet been released, we do know that application downtime is costing enterprises across the globe an estimated $16 million (approximately £12.9 million) annually.

So how can businesses reap the benefits of the cloud while minimising the risk of downtime? The solution is having the right support. The following steps are key starting points for mitigating cloud risk:

Assess cybersecurity

Symantec reported that, in 2015, there was a new zero-day vulnerability discovered every week. Not surprisingly, spear-phishing campaigns targeting employees increased 55%, and ransomware increased 35%.

Technology is constantly evolving to thwart these attacks, but security software cannot be treated as a set-it-and-forget-it solution. It must be complemented with monitoring, patch management and routine maintenance.

The challenge is that nearly half of businesses admit that there is a talent shortage in security. ESG research indicated that 46% of organisations say that, in 2016, they have a “problematic shortage” of cybersecurity skills, while a surprising third (33%) admitted their biggest deficiency was in cloud security specialists. Based on these figures, incident detection and responses to cloud-based cyber threats would undoubtedly be a problem for those organisations, as they have inadequate staff available to manage any cybersecurity risks that may arise.

This is a major problem, as malware infections are commonly the result of inadequate patching, carelessness, misconfiguration, human error or negligence. These errors can have costly ramifications if malware infiltrates the network and corrupts backup data.

As such, businesses might require a managed firewall service that can keep their network secure while freeing up their staff to focus on day-to-day responsibilities. Different organisations will require different levels of support, but one advantage of a cloud-based firewall service is that it is scalable and can be changed to meet ever-increasing demand and usage, both now and into the future.

Regardless of whether cybersecurity is managed in-house or outsourced, it should feature advanced security capabilities such as intrusion detection and prevention, and a safe tunnel for remote employee access. It is imperative that these features integrate with one another to allow for timely incident response or prevention. If data is breached or a system goes down, time is of the essence.

Make a data backup and recovery plan

If an organisation’s facility is impacted, it must have a plan for how to access its data. Businesses using disaster recovery as a service (DRaaS) have the advantage of being able to access their backups from anywhere, even if their primary facility has been affected. As capacity grows, they have the potential to leverage various cloud models – private, community and public cloud – depending on the use case. When recovery is necessary, stored data can be restored to either virtual or physical machines.

What many cloud providers tend to de-emphasise, however, is that while the environment might be available, bandwidth limitations can extend recovery times, especially when recovering a large amount of data and applications. For this reason, many businesses are complementing cloud backups with an on-site storage appliance, which allows data to be recovered within hours or even minutes.

If the business’s facility is impacted, recovering the data stored on the appliance would require either accessing an alternate backup stored at an off-site location or waiting until the business regains access to the facility, assuming it’s still intact.

With the right support, however, a hybrid approach to disaster recovery reduces the overall risk of downtime. Some DRaaS providers, but not all, can assist with recovering the data and applications stored on the appliance through the cloud. Others will provide the appliance but leave maintenance up to the client. The key is to know upfront what level of support the vendor can provide and plan accordingly.

Ensure ongoing monitoring

Even if a business has invested in top-of-the-line cybersecurity solutions and backed up data to multiple targets, the organisation still risks downtime if the entire environment isn’t properly monitored. To assess whether or not a business has the resources required for adequate oversight of the environment, it should consider the following questions:

  • Is there any period of time when the environment is unmonitored (e.g. during shift changes or holidays)?
  • Do any on-site IT personnel lack the skills required to manage software settings, remediate failures, and so on?
  • When considering past downtime events or security threats, were the systems always brought online or the threats mitigated within the required time frame?

The greater the number of yes responses, the greater the risk of downtime. Some businesses might indeed have the resources required for ongoing monitoring. For those that don’t, it is worth considering outsourcing cybersecurity monitoring and DRaaS. Vendors offering these services should provide service level agreements (SLAs), 24/7/365 support and the services of qualified engineers.

Cloud computing offers the potential for greater business agility, but unless a business has the right support, it is all but guaranteed to experience downtime. 

Read more: Top 10 disasters reaffirm need for cloud business continuity strategy

How to keep downtime to a minimum with the right cloud computing support

(c)iStock.com/fazon1

The cloud has transformed the way we do business today, improving infrastructure scalability and cost models for everything from software to data storage to disaster recovery. As with any IT solution, however, cloud computing isn’t without its risks.

In 2012, the International Working Group on Cloud Computing Resiliency (IWGCR) claimed that cloud downtime had cost £45 million over five years. Although a new five-year report on cloud outage costs hasn’t yet been released, we do know that application downtime is costing enterprises across the globe an estimated $16 million (approximately £12.9 million) annually.

So how can businesses reap the benefits of the cloud while minimising the risk of downtime? The solution is having the right support. The following steps are key starting points for mitigating cloud risk:

Assess cybersecurity

Symantec reported that, in 2015, there was a new zero-day vulnerability discovered every week. Not surprisingly, spear-phishing campaigns targeting employees increased 55%, and ransomware increased 35%.

Technology is constantly evolving to thwart these attacks, but security software cannot be treated as a set-it-and-forget-it solution. It must be complemented with monitoring, patch management and routine maintenance.

The challenge is that nearly half of businesses admit that there is a talent shortage in security. ESG research indicated that 46% of organisations say that, in 2016, they have a “problematic shortage” of cybersecurity skills, while a surprising third (33%) admitted their biggest deficiency was in cloud security specialists. Based on these figures, incident detection and responses to cloud-based cyber threats would undoubtedly be a problem for those organisations, as they have inadequate staff available to manage any cybersecurity risks that may arise.

This is a major problem, as malware infections are commonly the result of inadequate patching, carelessness, misconfiguration, human error or negligence. These errors can have costly ramifications if malware infiltrates the network and corrupts backup data.

As such, businesses might require a managed firewall service that can keep their network secure while freeing up their staff to focus on day-to-day responsibilities. Different organisations will require different levels of support, but one advantage of a cloud-based firewall service is that it is scalable and can be changed to meet ever-increasing demand and usage, both now and into the future.

Regardless of whether cybersecurity is managed in-house or outsourced, it should feature advanced security capabilities such as intrusion detection and prevention, and a safe tunnel for remote employee access. It is imperative that these features integrate with one another to allow for timely incident response or prevention. If data is breached or a system goes down, time is of the essence.

Make a data backup and recovery plan

If an organisation’s facility is impacted, it must have a plan for how to access its data. Businesses using disaster recovery as a service (DRaaS) have the advantage of being able to access their backups from anywhere, even if their primary facility has been affected. As capacity grows, they have the potential to leverage various cloud models – private, community and public cloud – depending on the use case. When recovery is necessary, stored data can be restored to either virtual or physical machines.

What many cloud providers tend to de-emphasise, however, is that while the environment might be available, bandwidth limitations can extend recovery times, especially when recovering a large amount of data and applications. For this reason, many businesses are complementing cloud backups with an on-site storage appliance, which allows data to be recovered within hours or even minutes.

If the business’s facility is impacted, recovering the data stored on the appliance would require either accessing an alternate backup stored at an off-site location or waiting until the business regains access to the facility, assuming it’s still intact.

With the right support, however, a hybrid approach to disaster recovery reduces the overall risk of downtime. Some DRaaS providers, but not all, can assist with recovering the data and applications stored on the appliance through the cloud. Others will provide the appliance but leave maintenance up to the client. The key is to know upfront what level of support the vendor can provide and plan accordingly.

Ensure ongoing monitoring

Even if a business has invested in top-of-the-line cybersecurity solutions and backed up data to multiple targets, the organisation still risks downtime if the entire environment isn’t properly monitored. To assess whether or not a business has the resources required for adequate oversight of the environment, it should consider the following questions:

  • Is there any period of time when the environment is unmonitored (e.g. during shift changes or holidays)?
  • Do any on-site IT personnel lack the skills required to manage software settings, remediate failures, and so on?
  • When considering past downtime events or security threats, were the systems always brought online or the threats mitigated within the required time frame?

The greater the number of yes responses, the greater the risk of downtime. Some businesses might indeed have the resources required for ongoing monitoring. For those that don’t, it is worth considering outsourcing cybersecurity monitoring and DRaaS. Vendors offering these services should provide service level agreements (SLAs), 24/7/365 support and the services of qualified engineers.

Cloud computing offers the potential for greater business agility, but unless a business has the right support, it is all but guaranteed to experience downtime. 

Read more: Top 10 disasters reaffirm need for cloud business continuity strategy

Is on-site or remote IT support best for you? A comparison guide

(c)iStock.com/monts11

A new digital era is here, and cloud-based technologies are colliding with traditional IT systems and hardware, driving rapid changes to infrastructure and business requirements. As organisations realise the challenges of staying apace of technological developments to meet customer demands, IT outsourcing is gaining traction. During the 2015-2019 period, Research and Markets estimates the global IT outsourcing market will grow at a CAGR of 5.84%.

The spectrum of outsourced IT support options ranges from remote support to a dedicated on-site presence. If you’re considering IT outsourcing, how do you know which option works best for your business?

Remote support

As the name suggests, remote support involves the use of remote control tools (either permanent or web based). Server support tends to use permanently installed agents to provide remote control without a customer presence. Remote support may also include services running from the cloud, which can range from cloud-hosted infrastructure as a service (IaaS) to hosted software solutions to full disaster recovery as a service (DraaS). From a support point of view, cloud servers are typically treated as normal customer servers, with the difference being that the cloud hosting company supports the hardware (which is normally virtual) and the IT support provider supports everything running on the hardware (e.g. operating systems).

Remote support usually comes at a lower cost, as engineers can work efficiently without incurring travel expenses. However, lower investment doesn’t necessarily equal less engineer availability. Some IT support vendors are able to employ 24/7 support personnel, giving you the option of round-the-clock support.

One of the drawbacks of remote support is that it depends on the connectivity of the permanently installed agent. If the device has no network connection or fails to boot, then remote support is difficult to provide without the addition of remote management cards. If the customer receives remote support via the phone, there’s also the risk of fraud, since criminals have been known to pose as support engineers to gain access to an organisation’s systems. Before granting access to any system, it’s important to establish that the engineer on the phone is from the company providing support.

On-site support

IT support provided by an engineer physically on the customer’s site can be broken down into two categories:

– Remotely based on-site support. This method involves the support engineer travelling to the customer’s site to perform the required work.

– Dedicated on-site support. This method entails a support engineer being directly embedded at the customer’s facility, working independently or alongside the customer’s IT department. Dedicated support can be provided full time, or part time as required.  

Unlike remote support, on-site support doesn’t rely on device connectivity or management interfaces. Support can be provided on all devices, both with and without connectivity issues, including devices failing to boot. Additionally, an engineer can more easily troubleshoot faults when sat in front of the device. Some issues can even be diagnosed by the sound a machine is making rather than an actual problem on the screen.

Of course, having field engineers travel on-site will add additional costs to the support contract. You can minimise these expenses by ensuring you work with an IT support provider that has engineers located near each location requiring support. 

Support will be most expensive if you choose to utilise a dedicated on-site engineer, as that person has to be paid whether or not their services are required (for this reason, dedicated support is less common than other support methods).

Because on-site support relies on the customer being available to work with the engineer, out-of-hours support can be difficult and normally includes an additional fee to cover overtime.

Which is right for you?

On-site support is not a one size fits all solution. Every organisation has its own requirements, which are influenced by industry, company size, staff skills and many more factors.

Generally speaking, however, remote support is a feasible option for companies of all sizes. Larger companies will often have their own IT staff who provide the on-site presence, meaning a remote support contract is a better fit (although these companies do often outsource their help desk or first-line support as well).

Smaller customers sometimes try to cut costs by only contracting remote support, but if something goes wrong, they often need someone to go on-site, especially if they have servers. For this reason, some small customers will pay for site visits as needed. Even if the customer is using servers provisioned by an external cloud provider – and IaaS is popular with small- to medium-sized businesses – an on-site support contract is still an option. The on-site portion would simply be provided for the workstations and other infrastructure (network switches, storage devices, etc.). The ideal scenario, however, is to receive cloud services and IT support from a single supplier.

Many organisations, regardless of size, occasionally find it necessary to contract separately charged project work for networking, cabling, server infrastructure and hardware projects.

A good IT support provider is flexible in its approach and will assist you in fixing problems, while also acting as a source of advice for improving your IT environment so you can meet technology demands and satisfy your customers’ needs. 

Can data transparency be the future of outsourcing?

(c)iStock.com/4X-Image

The benefits of storing data in the cloud are clear. However, as businesses are beginning to closely examine what having data in the cloud entails, they’re discovering that their relationships with cloud vendors are sometimes, well, cloudy.

In a 2015 Forrester Consulting survey, more than 60% of businesses said issues with transparency were stalling further expansion into the cloud. These organisations are justified in being wary, because knowing where data is going and how it is being treated is paramount.

I’ll explain why the next wave of successful cloud providers will compete on these issues rather than price, product or market.

Why is location important?

If backups are vaulted in the wrong geographic location, businesses limit their ability to rebound from an incident within the necessary recovery time objectives (RTOs), due to latency concerns and bandwidth cost. The goal of strategically selecting where data will be vaulted is to minimise organisational risk as much as possible. To achieve this goal, businesses need to have two separate RTOs in place for operational issues that are specific to the individual environment (such as a server outage), and regional disasters.

A business would likely require a lower RTO for an operational issue, which would allow for local data vaulting, whereas a regional disaster could either have an equal or less aggressive RTO, simply because customers view events affecting several providers in a given area differently to an event affecting a single entity only. Unfortunately, many organisations focus solely on addressing operational RTOs in the disaster recovery (DR) planning process, which is catastrophic in a widespread event.

One of the benefits of the cloud is that it allows businesses to achieve a solution that addresses both operational and DR RTOs – they just need to know where the cloud’s data centres terminate. The important thing is to have their data as close as possible, but far enough away to ensure there’s not a common risk between geographies. The further apart locations are, the more availability and recovery challenges there are – and of course cost and latency (affecting communications, user experience, and so on).

It’s also important to know where data is stored, as compliance obligations – whether explicit or implicit – sometimes restrict the flow of data across EU borders, and many cloud-based solutions have multiple back-end data centres spanning multiple regions.

Knowing where their data is being sent allows businesses to dictate risk aversion or assumption. To win new outsourcing deals, cloud providers will be upfront about where an organisation’s data will be sent. Additionally, the provider will demonstrate that it can meet the client organisation’s RTOs by offering a service level agreement (SLA) that both IT and executive management can understand.

What data handling responsibilities must a business meet?

One issue that complicates the matter of data transparency is the fact that the data businesses manage isn’t just data that’s critical to operations – it’s personal data entrusted to the business by its employees and customers.

Many organisations have to adhere to regulatory requirements which require businesses to handle sensitive data in accordance with a specific set of standards. Under the EU’s General Data Protection Regulation (GDPR), for example, organisations handling personal data belonging to EU members will be responsible for ensuring that information is protected and are responsible for breaches of this data. The GDPR promises citizens the right for data to be forgotten, easier access to one’s data and a right to data portability. This responsibility extends to third-party cloud providers, which is why transparency into service providers’ data management practices is crucial.

In the wake of Brexit, UK businesses might expect that GDPR is no longer relevant, but they’d be mistaken. GDPR analyst Chiara Rustici is one of many pundits who argue that UK companies should continue forging a path toward GDPR compliance. The reason, she argues, is that GDPR will affect UK businesses serving EU customers. GDPR isn’t so much about where the company handling the data resides, but rather where the person to whom the data belongs resides.

Even if GDPR were removed from the picture, UK businesses would still need to be aware of how their and their customers’ data is being handled in the cloud. Some businesses, for example, have mandated data retention time frames for specific types of data, such as the six-year retention period for payroll information, as required by the Taxes Management Act 1970.

For cloud vendors to reassure businesses that they can protect sensitive data, they’ll emphasise their encryption and archival practices. In the event that an individual invokes their right to be forgotten as per GDPR, cloud providers should be able to identify all the places this data resides and provide the client organisation with a written record of the applicable records’ destruction.

Again, successful cloud vendors will be those which back all of the above guidelines with an SLA that includes predefined, clearly outlined terms.

How much does price matter?

Price has long been touted as a benefit of moving to the public cloud, and public cloud providers are continually competing for customers by slashing prices. In 2013, for example, RightScale reported that the four public cloud providers (Amazon Web Services, Azure, Google and Rackspace) rolled out a total of 25 price drops, up from 22 in 2012. When it comes to overall cost reductions, the providers are in a constant battle. In 2012, Azure had the most cuts, only to be edged out by Amazon in 2013. These price wars have continued into 2016. However, this so-called race to the bottom draws the focus away from the more important issue of data transparency.

Today, while cost is important, it’s not the top driver for cloud adoption. Research released by 451 Research earlier this year indicated that customers are concerned with cloud providers’ ability to provide value in terms of managed services, especially with regulations requiring strict data protection measures. In Europe, 451 Research assigned customers a 12 per cent Cloud Commodity Score (CCS), which measures price sensitivity – the higher the score, the greater the impact of price on adoption.

If a cloud provider is unable to meet an organisation’s need for data security and comprehensive support, the organisation won’t hesitate to invest more in a provider that can meet its needs. For cloud vendors to be able to win more deals, they should focus on value-added services – not cost.

Data transparency is a legitimate concern for businesses, but it needn’t be a barrier to cloud expansion. Competitive cloud providers will be upfront about their data handling practices and work with their clients to help them fulfil their compliance requirements.

Why cloud security best practices mean engagement from vendors and employees

(c)iStock.com/StockFinland

Ransomware may be the hot topic in the news at the moment, but human error is a greater threat. Human error, in fact, is often the reason ransomware is able to infiltrate a network (by staff members clicking phishing links, for example). It’s also one of the greatest causes of data loss in the cloud. The first part of this series discussed how cloud vendors, shadow IT and lack of employee cybersecurity education can increase the risk of human error. But how do you mitigate these threats? To start, follow the advice below.

Ensure your cloud providers are equipped to fulfil your compliance requirements

If a vendor will be handling sensitive data in the cloud, first thoroughly vet the vendor and ensure that the solution is adequately equipped to adhere to the requirements of the EU’s General Data Protection Regulation (GDPR). In addition to requiring companies handling personal data to report data breaches, the GDPR promises citizens the right for data to be forgotten, easier access to one’s data and a right to data portability.

What this means for you is that you need to know how your customers’ personal data is processed and be able to communicate that information clearly. You also need to ensure data is available so it can be easily transmitted between service providers (another reason you must have reliable backups) – unless an individual invokes their right to be forgotten, in which case you need to be aware of everywhere that data is stored and delete it. In the event a vendor accidentally deletes data, you need to know how the service provider plans to remedy the situation (the below section addresses this point further). (Note that these are only some of the requirements of GDPR. For more about Data Protection Reform, click here.)

Files should remain encrypted in transit and at rest, regardless of whether the data is subject to the requirements of the GDPR.

Review vendor SLAs

It’s important to verify that the vendor offers service level agreements (SLAs) that provide adequate recourse in the unfortunate event that data is lost. Be aware that SLAs are not equal to terms of service.

Whereas a vendor can change its terms of service without notice, they can’t change the terms of an agreement you’ve signed without your being aware of it. When reviewing an SLA, ensure that the vendor can restore your data within your recovery time objectives (RTOs). For example, Lukas Hospital in Neuss, Germany, had complete backups of all systems in place, but when it was plagued with TeslaCrypt 2.0 ransomware, the hospital estimated that it would take up to 48 hours before its IT environment was fully functional again. As a result, 20 per cent of the hospital’s surgeries had to be rescheduled, and less critical care had to be temporarily shifted to other hospitals.

Backups are the key to protecting yourself from data loss, but backup services provided by a vendor must be backed by SLAs and must meet your RTOs.

Educate employees about security best practices

To protect against threats, employees need to be aware of:

  • Who might view data. In addition to verifying that they’re sending data to the appropriate recipient, they should consider who else might be able to access the information. If uploading data to the cloud or placing it in a shared folder on a local area network, are there others who also have access to it? Are the files encrypted to deter unauthorised access to the data?
  • How to identify phishing emails. Instruct employees to view emails with a critical eye. Warning signs include poor design, incorrect spelling and grammar, requests for personal details, suspicious attachments and URLs that don’t match the company’s primary domain (to view a URL without clicking a link, users can hover over the link with their cursor).
  • Procedures for responding to a suspected ransomware attack. If employees encounter any suspicious activity, instruct them to notify IT. If a device is affected by ransomware, they should know to stop working on the affected device immediately.
  • Why it’s important to apply security patches. New security threats are continually emerging. In response to these threats, hardware and software developers create security patches that protect the device or application. Employees need to apply these updates promptly to ensure the company’s data and network are secure.
  • How to create secure logins. Encourage employees to create complex passwords that involve special characters, numbers and a mix of lower- and uppercase letters. Whenever possible, use two-factor authentication to increase security.

Taking these precautions reduces the chance of unauthorised access to data as well as ransomware taking your data hostage.

Create a culture of security

Your best defence against security breaches and data loss is creating a culture of security that begins from the top down and is supported by clear, enforceable policies.

Creating a data handling policy should begin with classifying data according to how sensitive it is. Personally identifiable details and health information, for example, should only be accessible to those who need that information to carry out their job duties. Set in place clear consequences for access to and use of that data outside of a person’s job duties.

You’ll also want to put parameters on how users access data. One of the greatest threats to data is employees who can access company files, databases and applications whenever they want, using whatever device they please. Although most UK businesses (95 per cent, according to a BT study) permit bring your own device (BYOD) practices, security is sorely lacking. BT’s research shows 41 per cent of organisations have suffered a mobile security breach, 33 per cent grant users unbridled access to the internal network, and 15 per cent lack confidence that they have the resources to prevent a breach.

It’s important to establish a BYOD policy that addresses issues such as data security, remote management, data transfer, backups, data wipe and technical support (office or field based). If you work with a managed services provider for your IT support, check to see if the vendor can assist with developing and supporting your BYOD program.

Creating a security culture where the IT department strives to address security issues while acting as a trusted adviser will also reduce the risk of shadow IT, as users will be more likely to enlist IT’s help in selecting and implementing cloud solutions.

There’s no denying that cybercriminals are targeting businesses with more sophisticated and frequent attacks – but you can’t afford not to address the threats within your own walls. By holding cloud vendors accountable through SLAs, reigning in shadow IT, educating employees and creating a culture of security, you can reduce your risk of cyber threats and minimise data loss. 

Ransomware may be a big culprit for data loss – but it’s the wrong fall guy

(c)iStock.com/Big_Ryan

With researchers seeing a 3500% increase in the use of net infrastructure which criminals use to run ransomware campaigns, it’s not surprising that ransomware has been making big headlines.

The media laments the growing rings of cyber criminals that launch ransomware threats, but there’s another culprit that tends to slip under the radar: people like you and me. Sure, we’re not instigating the campaign – that’s on the hacker – but employees often let the bad actor through the front door, so to speak. Employees access an insecure web page, download infected software or click a phishing link in an email. In fact, of all the data breaches reported in the UK during Q1 2016, ICO data reveals that 62% were caused by human error.

Worse, ransomware and other incidents related to human error are putting businesses at a greater risk of data loss. In a Foursys survey of 400 UK-based IT managers, 11% of those that had reported security breaches caused by threats such as ransomware said they had experienced data loss as a result. According to research by the University of Portsmouth, fraud and human error are costing UK organisations £98.6 billion a year. Unfortunately, that number is likely even larger, as it doesn’t include instances that have gone undiscovered or unreported.

And while some might think that storing data in the cloud puts it out of reach of ransomware, they’re wrong. Ransomware has the ability to encrypt files on hardware and cloud services alike. And, of course, data in the cloud is always susceptible to human error.

If despite your best efforts, an employee or vendor deletes your data, having current backups is the key to restoring the files without a severe impact on your business. If your systems are taken hostage by ransomware, data backups are the key to being able to recover access to your files without paying the ransom (which is never recommended, as it only encourages hackers).

This two-part series will discuss some of the common ways human error can lead to data loss or ransomware infections and address how your business can prepare for these threats.

Cloud provider risks

Under the EU’s General Data Protection Regulation (GDPR), all organisations handling personal data will be responsible for ensuring that information is protected and are responsible for breaches of this data. This responsibility extends to third-party cloud providers, which is why vendor due diligence is critical.

Non-compliance can result in fines of as much as 5% of annual worldwide turnover or €1 million, whichever is greater. With such high stakes, it’s important to ensure vendors have proper policies and procedures in place to ensure the availability and security of any data they process.

You might find that the vendor’s terms of service meet your needs, but be aware that terms of service can change without notice. That’s what happened to one man, a distinguished lecturer for a content network, who woke up one day to discover that his cloud vendor had deleted more than five years of archives for 15 retired machines. After lengthy back-and-forth discussions with the vendor’s tech support, he discovered that a change in the corporation’s retention policy – of which he’d been unaware – had allowed the backups to be deleted. They were eventually restored, but if he hadn’t been vigilant, he very well could have lost his backups permanently.

Shadow IT

Human error and ransomware alone are enough of a risk to put businesses on high alert, but shadow IT exacerbates this threat. Research from Cisco reveals that CIOs estimate that their organisation has 51 public cloud applications in use, but the actual number is more like 730. What happens if employees upload restricted data to an unauthorised cloud application – such as Google Drive, Dropbox and Evernote –  and that application experiences a breach or the proper encryption is not used?

If your employees are uploading files to an unauthorised cloud or using software as a service (SaaS), that not only increases your security risk; it also increases your risk of data loss, as that data isn’t being backed up.

SaaS, in fact, is one of the most prevalent threats to data loss in the cloud. A recent study found that almost 80% of respondents had lost data in their organisations’ SaaS deployments. The top causes were accidental deletion (41%), migration errors (31%) and accidental overwrites (26%).

Lack of internal awareness of security best practices

One of the major culprits of human error is sheer carelessness or ignorance of how data should be handled. In the ICO data mentioned above, the majority of incidents attributable to human error included security gaffes such as posting, emailing or faxing data to the wrong recipient. Additionally, a disturbing number of employees are falling victim to phishing attempts. According to research from Verizon, people opened 30% of phishing messages – that’s 7% greater than last year – and of those, 13% also opened the attachment, introducing the malware to the network.

Many instances of cloud data loss and ransomware infections can be classified into one of the above human error-related categories. But simply being aware of these threats isn’t enough.

This is one of a two part series: the second piece next week will examine mitigating cloud vendor risks, shadow IT and lack of cybersecurity awareness.

Opinion: How to achieve a solid business continuity strategy

(c)iStock.com/natthawon

Over the last 12 months, the UK has seen floods and fires upend businesses of all sorts – from hospitals, to factories, to recycling centres. Commuters faced their own significant set of challenges, with incidents such as the closure of the Forth Road Bridge and the Heathrow Airport power cut, which diverted more than 130 flights. Meanwhile, the Met Office has plenty of opportunities to test the new convention of naming storms, with the likes of Katie, Abigail and Desmond wreaking havoc on the nation.

These are a few of the findings of new research from managed services provider IT Specialists (ITS). Inspired by the Business Continuity Institute’s Business Continuity Awareness Week (BCAW) 2016, from May 16 to 20, ITS looked at incidents that caused significant issues for UK businesses. With the theme of BCAW being return on investment (ROI), ITS examined the ROI of having a business continuity plan – particularly one containing a disaster recovery as a service (DRaaS) solution – in the aftermath of incidents like the ones covered in the research.

ITS discovered that regardless of whether the incident was a cataclysmic tropical storm or a seemingly mundane burst pipe, disasters have the ability to cause billions of pounds in damage. Flooding is the most expensive and prevalent issue to affect the UK. Accountancy firm KPMG has estimated that the total cost to the UK’s insurance sector, businesses, individuals, communities and government as a result of winter 2015-16 flooding will top out at £5.8 billion.

Natural disasters don’t discriminate based on business size – so SMBs shouldn’t write off business continuity as just something large enterprises do

However, at least some of these costs can be avoided by businesses with a solid business continuity strategy. Without a proper plan in place, there is a risk of negative consequences such as lost inventory, reduced productivity due to employees being unable to work remotely, property damage, and the all-important revenue loss.

Disasters such as these don’t discriminate based on business size, so SMBs shouldn’t write off business continuity planning as something large enterprises do. Likewise, large organisations shouldn’t assume insurance coverage is a sufficient business continuity plan. After all, no insurance policy will help employees continue working if they don’t have access to business-critical applications. To gain the most ROI from business continuity, businesses need to form a cloud-based data backup strategy, give employees network access, set guidelines for personal device use, provision a telephony solution, have a plan for Internet outages, and set up an alternate workspace.

A poster child for business continuity is an accountancy firm which was affected by the fire in Holborn in spring 2015. The event forced 5,000 people to evacuate and cut off gas and electric supplies from thousands of properties. The firm itself had to evacuate 70 staff, but it has already moved its servers to the cloud, so employees were able to keep on working from another office or their homes using a remote login system.

Investing in forward planning can save valuable time, protect the organisation’s revenue, and preserve its customer base. Businesses need to formulate a business continuity programme to identify inefficient processes that cost the organisation money on a daily basis and can prove a barrier to disaster recovery.

Don’t let bad weather cloud your plans for recovery

(c)iStock.com/solarseven

We all like to complain about services going down when bad weather strikes. The ‘wrong kind of snow’ can wreak havoc with trains and the road network can get snarled up fast, while power lines can come down in more remote areas. Where are the backup and recovery plans, we ask – but could our own customers or internal sponsors and colleagues be saying the same about us if we fail to deliver as we should?

The uncomfortable truth is many smaller businesses are unprepared for business continuity in the event of a disaster. The Federation of Small Businesses (FSB) has recently found that three out of five (59%) of the small businesses they questioned did not have a plan in place to deal with extreme weather conditions such as floods and snowstorms.

That’s just one of many stats that doesn’t seem to have improved much over the past few years. Another survey, by telecoms provider Daisy Group, has suggested that despite the boom in mobile technologies, “adverse weather conditions prevent an estimated three million UK workers from completing their normal work responsibilities each year”, and that a third of UK businesses were affected by transport problems, power cuts or broadband and phone line failures caused by inclement weather over the past two years.

So the word ‘disaster’ is relative – your head office could be intact, but failure to get vital collateral to a sales meeting or a rep on the road could mean the loss of a much prized contract. A field service engineer could have no means of ordering a key spare part. Many organisations will simply be unprepared for a sudden demand on bandwidth from people working remotely, with all that entails in secure access to company networks. And any downtime on core IT systems and lack of network access from anywhere can rapidly unravel workflows and damage reputations, as the productivity and morale of staff often depends on having reliable tools for their jobs. How many times are you told by other organisations that ‘Our systems are down’?

Secure offsite backup is a must, enabled with cloud storage

Apart from staff, of course, IT is the lifeblood of most modern organisations, no matter what sector they are in. IT and communications are likely to be the underpinning infrastructure that keeps an organisation in business. But while it may be impossible to have a plan that keeps you operating fully during a major disaster, too many organisations do not also have a day-to-day set of procedures that will help cope with less demanding events such as a prolonged spell of bad weather.

Business continuity plans cover factors such as mapping your locations, assets and operations, and identifying the critical processes you need to operate and what minimum resources are needed. Staff need to be covered for emergencies – for example, do your salespeople or other mobile professionals have an emergency kit in their cars?

There are key considerations for IT and communications:

  • Secure offsite backup is a must, enabled, say, with cloud storage.
  • Managed servers and cloud computing can help ensure your organisation’s network and applications are available independently if your office isn’t open.
  • Network access from a range of devices, including people’s own smartphones and tablets, could be useful. The so-called ‘bring your own device’ movement means that you can be more flexible in remote working.
  • Virtual secure networking from home and other remote computers, say in serviced offices, is certainly advisable for core systems such as accounts.
  • Audio, video and web conferencing systems allow you to set up virtual meetings – a dial-in system for telephone calls could be top of the list.
  • There are many in-car and portable gadgets, such as those that set up an instant Wi-Fi hotspot for a group using a mobile phone network.
  • A sensible option is dual Internet provision. Having an alternative cable, DSL or mobile Internet service in the office to call on could be vital if the primary service is down.

You can really go to town on business continuity planning and risk management. There are several international and British standards and guidelines, many training courses, and one piece of guidance produced by the Cabinet Office – ‘Business Continuity for Dummies’. That sounds rather insulting, but it may be what you need to help put a practical plan in place to suit your organisation.

If you think you already have a good plan, there’s one thing you should do now: test it before it’s needed. This year’s Business Continuity Awareness Week, 16-20 March, has ‘testing and exercising’ as its theme, as here’s another stat to make you sit up: less than a third of organisations have tested their plans in the last year, notes the Business Continuity Institute. And what about all those without plans at all?