Overcoming the Fear of the “Cloud”

Almost every modern business needs to provide services, and to make and sell goods, as efficiently and profitably as possible.  That requires relying on technology and digital communication to a greater degree than ever before.

While some businesses welcome technology with open arms, many others are skeptical and cautious with its use and integration in their business.  One of the greatest examples of this is the “cloud”.  The cloud, of course, is simply a convenient way of referring to accounts, data storage mediums and some software as a service (“SaaS”) applications that are accessible through the internet. 

Most people are familiar with Gmail, Outlook and Dropbox, some of the better-known cloud services among consumers.  They are accessible everywhere and from a variety of device platforms, from PC/laptop to mobile devices and smartphones.

Using cloud services lets most businesses communicate and share data within their own organization, and with customers and clients, more efficiently and effectively.  This, in turn, reduces costs and ought to generate more revenue in the end.

So why are some reluctant to embrace cloud technology that provides so many benefits?

From my experience, the most significant obstacle seems to be fear.  Fear of the unknown.  Fear of having sensitive communication and data “out there in the air”, as some put it. 

Overcoming this fear requires understanding that cloud services can be used securely and come with a great deal of readily accessible security features; the caveat is that those features only protect you if they are actually turned on.  Access to a cloud service requires the user to log in remotely with a unique user identifier and a password.  The identifier is generally an email address, and the service generally enforces a minimum password strength so that an unauthorized person cannot simply guess their way into the account.

When an unauthorized intrusion does occur, it is generally one that could have been avoided had the user adopted better security practices: a strong and unique password (that is, not reusing the same password across online accounts, since a password leaked from one site is routinely tried against every other) and two-factor authentication.

Two-factor authentication is designed so that a cloud account stays protected even if its password is compromised.  When a device connects to the account for the first time, the service sends a one-time code to the user’s smartphone (usually by text message) or email account, and the new login is refused unless that code is entered.  This dramatically raises the bar for an attacker who has only the password.  One caveat: codes delivered by SMS or email can themselves be phished or intercepted (for example through SIM swapping or a compromised mailbox), which is why the authenticator apps described next are the stronger option.

To take two-factor authentication further, users can deploy authenticator apps such as those provided by Google and Microsoft.  These apps generate a fresh code every 30 seconds (the interval is configurable by the service) from a secret shared with the account at enrolment, so they work even when the device is offline, and they can often prompt you to simply approve a sign-in request instead of typing the code.  See the following image of my Microsoft Authenticator app for reference:

[Image: screenshot of the author’s Microsoft Authenticator app]

As you can see, I use this app to authenticate sign-ins for my Microsoft cloud accounts and social media.  It is secure and convenient and I highly recommend it.

But wait: if you’re still reading and paying attention, you are probably wondering what happens if you drop your smartphone in a lake, or it gets run over, and you can no longer reach the authenticator app.  The developers thought ahead and offer a solution at setup time: users are given a set of recovery (backup) codes that grant access to the account without the app.  Each code is typically single-use, and anyone holding the list can bypass the second factor, so it is very important that the list is downloaded or printed and kept somewhere safe, separate from your passwords, in case you need it later.
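The two paragraphs above describe what an authenticator app does (a fresh code every 30 seconds, computed offline) and how recovery codes back it up. The following is an added example, not code from the original post or from Google or Microsoft: a minimal implementation of the standards those apps use (HOTP, RFC 4226, and TOTP, RFC 6238), a server-side check that tolerates one step of clock drift, and a single-use recovery-code store. The RFC 6238 test key "12345678901234567890" and the sample usage are constructed for illustration; a real enrolment shares a random secret via the QR code.

```python
"""RFC 6238 TOTP and single-use recovery codes (added example)."""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes and reduces them to `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Only the shared secret and the clock are needed, which is why the
    authenticator app keeps working with no network connection."""
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, submitted: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accept the code for the current step and for
    `window` steps either side (phone clock drift), comparing in constant time."""
    if not submitted.isascii():
        return False
    counter = now // step
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits), submitted)
        for d in range(-window, window + 1)
    )


class RecoveryCodes:
    """Recovery codes shown to the user once at enrolment. The server keeps
    only SHA-256 digests and deletes a digest when its code is redeemed, so
    each code works exactly once and a stolen database does not reveal them."""

    def __init__(self, count: int = 10) -> None:
        # Plaintext codes: display or print once, then discard server-side.
        self.issued = [secrets.token_hex(5) for _ in range(count)]
        self._digests = {hashlib.sha256(c.encode()).hexdigest() for c in self.issued}

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self._digests:
            self._digests.discard(digest)  # single use
            return True
        return False

    def remaining(self) -> int:
        return len(self._digests)


if __name__ == "__main__":
    # RFC 6238 Appendix B test key (ASCII "12345678901234567890"); constructed
    # usage, not a real account secret.
    rfc_key = b"12345678901234567890"
    print("RFC 6238 vector, T=59 ->", totp(rfc_key, 59, digits=8))  # 94287082
    print("code right now        ->", totp(rfc_key, int(time.time())))
    codes = RecoveryCodes()
    first = codes.issued[0]
    print("redeem once ->", codes.redeem(first), "| redeem again ->", codes.redeem(first))
```

Two design points worth noticing: the verifier accepts a code one step either side of the current one because phone clocks drift, but never more than that, since every extra step doubles an attacker's guessing odds; and the recovery codes are stored only as hashes and removed on use, which is what makes a printed list safe to keep in a drawer and useless once spent.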

So, rather than fear the cloud, I encourage everyone to embrace it.  It’s here to stay.  It can be used safely and securely, and users can elevate the security of their cloud accounts through good security practices and authenticator apps.

BIO:  Tyler Hatch is a former practicing litigation lawyer and the founder and CEO of DFI Forensics Inc., a Sky Northern Alliance member and a digital forensics and incident response firm with offices in Vancouver, Langley, Calgary and Toronto.  For more information, contact Tyler at info@skynorthern.com

Privacy in the time of IT Cloud Services

Over the last couple of years it has become very clear that the management of personal information has built momentum and is on everyone's mind.

The introduction of privacy and personal-information protection legislation helped start the conversation, but the mismanagement of personal information by big players in the tech industry has firmly set the direction.

The new trend of "free" consumer services, and the convenience of having information stored in the "cloud" so that it follows you wherever you go on whatever device you have, has been a breakthrough in our approach to technology and information management. But the biggest breakthrough, or "bang for your buck", has certainly been for organizations themselves.

Cloud services available to anyone, anywhere

Setting up an IT environment to start a business, to be competitive, or to have access to cutting-edge applications that let an organization offer innovative products or services was unthinkable and cost-prohibitive 15 years ago. Today it is as easy as deciding to get started.

Cloud services let individuals and organizations rely on the computing power of the large providers, avoiding the considerable capital and operating expenses that in-house IT infrastructure requires. This setup democratizes innovation and allows just about anyone to have a seat at the table when it comes to offering products and services.

And as great as this is, one aspect that not everyone thinks about is the considerable increase in the complexity of data flows.

Data flows and the implications to privacy

Organizations may have an agreement with one IT service provider: call it a CRM vendor, a marketing automation tool, an ERP system or anything else imagination can come up with. But those IT service providers have service providers of their own (database hosts, infrastructure hosts, application hosts), so data that originally belonged to the organization is now in the custody of three, four or more service providers. The challenge is that companies don't really know how these providers are protecting their data and, more worrisome, their end customers' personal information.

Legislation such as the GDPR in the EU has tried to tackle this conundrum by making "data controllers" (the organizations that collect personal information and decide how it is used) accountable for ensuring that the information is well protected, through specific data processing agreements with the IT providers, called "data processors", which in turn oblige the processors to protect it.

This works when there is a one-to-one relationship between a data controller and a data processor, but what happens when the processor has sub-processors of its own, and those sub-processors do too? The GDPR does flow the obligations down the chain (a processor needs the controller's authorization to engage a sub-processor and remains liable to the controller for the sub-processor's failures), but the complexity of this supply chain still makes it very hard, when a data breach takes place, to pinpoint exactly where the issue lies and who should be held accountable for it.

Similarly, in Canada the Privacy Commissioner has consulted on reinterpreting the federal privacy legislation, PIPEDA, so that transfers of personal information for processing are treated as disclosures, which would require end customers to give explicit consent when doing business with any organization. This may prove annoying at best and futile at worst, but it is clear that regulators are looking at data transfers very closely.

Mitigating the privacy risks of complex data flows

In this environment, companies need to manage the risk that these complex data flows create. The risk is not going away and has no easy fix, so organizations should adopt a few practices that help manage it:

·         Develop a data inventory that clearly identifies the type and sensitivity of the data stored in each of these systems

·         Identify each of the vendors that provide these systems. Ensure that each vendor has a Data Protection or Information Sharing Agreement that clearly identifies their responsibilities - including being accountable for what their own providers do - towards the protection of personal information

·         Document, as much as possible, the interfaces and data flows from one system to the next, to identify weak points or specific places where breaches may occur

·         Implement a detailed privacy breach response plan and ensure that you include a contact list for all your IT service providers in order to coordinate activities where necessary

Where do we go from here? 

Understanding what information is collected about customers as well as understanding all the places it flows to is critical to mitigate any risks associated with the protection of such information. Taking care of customers’ needs includes taking care of their personal information.

In these times where information is a commodity, using it for the benefit of the individuals that organizations serve is the best way to achieve loyalty, trust and a great reputation.

This post was contributed by Alejandra Brown, President of an IT and Privacy Consulting company and a Sky Northern Security Alliance member. To contact her email info@skynorthern.com

Maintaining Compliance in the Cloud

Compliance in the cloud is one of the biggest obstacles that many organizations face, regardless of their size.  Even though the cloud is no longer a new concept, and the benefits of leveraging shared infrastructure or services to achieve economies of scale are becoming more apparent, many organizations are still reluctant to fully commit to a cloud-first strategy.  The cloud, for many, is still a black box. Questions such as “how do we know for certain that our data is secure” or “how do we prove to customers that we are secure” will continue to surface. 


These foundational questions are vitally important and cannot be overlooked.  Without the luxury of deep pockets, organizations must be nimble and business-savvy in how they verify that their suppliers are compliant, and in how they demonstrate their own compliance to their customers. 


This is the first in a series of blog posts on how to maintain compliance in the cloud.  Let’s start off by diving deeper into the supply chain... 



#1 - Compliance is a Shared Responsibility 

 

Your supply chain is the new weak link in your organization’s security program.  In a highly interconnected technological ecosystem, the protection of data extends beyond your immediate boundaries to every single service provider and supplier that you do business with. Cyber criminals are becoming more innovative and are exploiting weaknesses in your supply chain to gain entry into your corporate environment.  A recent example is the advanced and persistent phishing campaign against outsourcing giant Wipro, used as a stepping stone to the company’s Fortune 500 customers. 


Here are some tips to secure your supply chain from such cyber attacks: 


  1. Choose the right suppliers during the procurement cycle.  Set clear expectations on what your security requirements are from the beginning, and assess suppliers against these parameters. Create a vendor management scorecard to assist with the evaluation. 

  2. Extend your security policies and practices to your suppliers. Ideally, include these terms and conditions as part of the contract negotiation phase. 

  3. Routinely vet the suppliers to ensure they continue to maintain strong security practices.  The extent of the assessments should be commensurate with the level of integration and access the suppliers will have to your systems and data (both corporate and customer). 

  4. For additional assurance, engage the services of an independent body to validate the suppliers against their contractual commitments. 

  5. Treat suppliers as an extension of your business and an integral part of your security culture.  By maintaining open communication whereby you inform them of security developments within your company (and vice versa), you can collectively reduce the likelihood and  impact of an attack from different channels. 


In today’s hyper-connected world, it’s vital to remain vigilant. An organization’s perimeter extends well beyond the firewall. Cybercriminals know that, and they will use it to their advantage…

This post was contributed by Theresa Azari, a Sky Northern Security Alliance Member and governance & compliance expert. To reach her, email info@skynorthern.com

Cyber security & compliance vs. the cloud and gig economy

Suddenly our world is more complicated. Cloud apps, cloud infrastructure, gig economy IT staff across multiple continents. Add cyber security and compliance requirements…. Arghh! We can help, read on.

At its most basic, if you use a cloud computing supplier then, depending on your contract, you may find that your data can be moved from one country to another at the supplier’s convenience, or that the level of IT security protecting its data centres varies from country to country. Your data and applications will also be subject to different laws depending on location – for example allowing a government agency to inspect your data as it crosses that country’s borders. This complicates your own IT security compliance strategy and may also affect customer relationships, especially if you have international or public-sector customers.

Different and more sophisticated security measures are needed for both IT infrastructure and applications if you use cloud computing resources. Are your existing staff and consultants using the right techniques? Pen test approaches, security architecture and compliance may all need to be reviewed if you incorporate SaaS (software as a service) or IaaS (infrastructure as a service) into your environment.

Similarly, the gig economy (or outsourcing, if you will) creates cyber security wrinkles. Consider contract developers who bring their own laptops. How do you ensure that these laptops are clean, and that any open source modules the contractors use come from trusted sources? For obvious reasons it is hard to apply consistent endpoint security measures to devices the organization does not own.
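One concrete answer to the open source question above is to pin every dependency to a known hash in a lockfile and refuse anything that does not match, which is what `pip install --require-hashes` (with a lockfile produced by `pip-compile --generate-hashes`) does for Python projects. The block below is an added example, not code from the original post: it parses that lockfile format and checks downloaded artifacts against it, so that a contractor's laptop pulling a tampered build fails the check regardless of where the file came from. The package name `examplepkg`, the "wheel" bytes and the lockfile text are constructed for illustration.

```python
"""Verify dependency artifacts against a hash-pinned lockfile (added example)."""
import hashlib
import re
from typing import Dict, Set

# pip's hash-pinning syntax: `name==version --hash=sha256:<hex>`, with one or
# more --hash options, often continued across lines with a trailing backslash.
_REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")
_HASH_OPT = re.compile(r"--hash=sha256:(?P<hex>[0-9a-fA-F]{64})")


def parse_lockfile(text: str) -> Dict[str, Set[str]]:
    """Return {"name==version": {allowed sha256 hex digests}}.
    Rejects any requirement that is not exactly pinned or carries no hash,
    because an unpinned line is exactly the gap a substituted package slips through."""
    joined = text.replace("\\\n", " ")  # join continuation lines, as pip does
    pins: Dict[str, Set[str]] = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = {h.lower() for h in _HASH_OPT.findall(line)}
        if not hashes:
            raise ValueError(f"no --hash for {m.group('name')}: refusing to trust it")
        pins[f"{m.group('name').lower()}=={m.group('version')}"] = hashes
    return pins


def verify_artifact(pins: Dict[str, Set[str]], requirement: str, data: bytes) -> bool:
    """True only if `data` hashes to one of the digests pinned for `requirement`.
    A version that is not in the lockfile is rejected, not silently allowed."""
    allowed = pins.get(requirement.lower())
    if not allowed:
        return False
    return hashlib.sha256(data).hexdigest() in allowed


# --- constructed sample data (examplepkg is not a real package) ------------
GOOD_WHEEL = b"PK\x03\x04 pretend wheel contents for examplepkg 1.0.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# malicious post-install hook"

SAMPLE_LOCKFILE = (
    "# generated with: pip-compile --generate-hashes requirements.in\n"
    "examplepkg==1.0.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
)


def demo() -> Dict[str, bool]:
    """Run the check against a genuine, a tampered and an unpinned artifact."""
    pins = parse_lockfile(SAMPLE_LOCKFILE)
    return {
        "genuine": verify_artifact(pins, "examplepkg==1.0.0", GOOD_WHEEL),
        "tampered": verify_artifact(pins, "examplepkg==1.0.0", TAMPERED_WHEEL),
        "unpinned_version": verify_artifact(pins, "examplepkg==1.0.1", GOOD_WHEEL),
    }


if __name__ == "__main__":
    for outcome, ok in demo().items():
        print(f"{outcome:17s} -> {'accept' if ok else 'reject'}")
```

The lockfile is the trust anchor here: it is reviewed and committed by the organization, so what matters is the integrity of the committed hashes, not whether the developer's machine or mirror can be trusted. The same idea is available natively for other ecosystems (for example `npm ci` with a lockfile containing `integrity` fields, or Go's `go.sum`).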

We’ll be exploring these topics in much greater detail in a series of blog posts. Topics will include governance and compliance, privacy, forensics and incident response, security event monitoring, pen testing, threat and risk assessment approaches and application security.

Cyber Security 101 for Small to Medium Business

So you’re a small to medium sized organization – let’s say up to 500 employees.   If you don’t have a cyber security program, where to start? 

 

You need to discuss, plan and then act to ensure an appropriate level of cyber security for your operation.  Repeat: act on your plan.   Don’t be like the many who wait for a crippling event, a breach or a ransomware attack that brings the operation to a grinding halt and rips customer and employee confidence to shreds, and only act after the fact.

 

So you need a cyber security program and it needs to be acted upon.   What are some of the key elements?

 

If you have no plan at all, a security threat and risk assessment (often called a “security assessment” for short) is a great place to start.  A security assessment looks at the business you are in, what sort of information you manage and your reliance on IT systems, and the relevant legal and regulatory requirements.  With that in mind, the assessment takes a look at how your IT is operated and managed to identify any major risks faced by the business and makes recommendations on how to address the worst risks.  A good assessment will give you a high level action plan.  Once you know the risks you can prioritize how to address them within the constraints of your business plan.

 

It’s a good idea to repeat an assessment periodically depending on how quickly your operation is growing and the field in which you operate is changing.

 

At least once a year you should have a pen test, short for penetration test and sometimes called “ethical hacking”.  A pen test simulates an attacker’s attempts to get into your IT systems, disrupt their operation or steal information.   It can range from a largely automated process (strictly speaking a vulnerability scan rather than a true pen test, since nobody attempts to exploit what is found) to a more complex engagement with customized approaches, depending on how attractive a target your business presents to possible attackers.

None of this is new. But these basic measures will greatly help.

Positive Aspects of Cybersecurity

by Dominic Vogel, Chief Security Strategist, Cyber.Sc

Cyber Security is understandably thought of as a largely negative subject. We speak quite a bit about cyber attacks and data breaches, litigation, regulation and other post breach realities such as loss of customers and reputation. Cyber Security itself is widely perceived as a cost center or sunk cost which doesn’t produce an immediate return on investment. Today we would like to talk about the positive aspects of Cyber Security; how investing in proper cyber security is a business enabler which results in higher revenue for your organization. As we have said in a previous article (Cyber Security & The Value of Your Sensitive Data): “If you want to grow your market share, reach your business goals or just simply be able to maintain your everyday business operations and survive, then cyber security makes good business sense.”

Internet Connectivity

It seems like almost everything is, or can be, connected to the internet. The ‘Internet Of Things’ and the Cloud are two realities that are rapidly increasing the rate of change in the way we do business. Each new smart device we bring online — smart phones, tablets, TVs, cars, thermostats, HVAC systems, refrigerators, medical equipment, FitBits etc. — gives convenience which can be leveraged by the end-user and data that can be leveraged by business. There is so much data that business can harvest and harness to understand their target customers and market their products more effectively. As more commerce is transacted on the internet, the global economy is increasingly taking place online. Traditional ‘brick-and-mortar-only’ businesses are on the decline while the number of online businesses is increasing. Operational efficiencies for businesses are also expanding with the combination of massive online platforms and the IOT.

Cyber Security ROI

From a security standpoint, with the number of connected devices rapidly on the rise, the number of entry points for cyber crime is rising in direct proportion. This means that the ‘attack surface’ available to cyber criminals is expanding every day. This is an obvious defensive motivation to invest in a good Cyber Security program, but there are also multiple positive, or ‘offensive’, reasons to do so. Your customers appreciate the technology-enabled products and services you are able to offer them. The ability to launch these products and services, and the continued availability of the enabling technology, is made possible by effective cyber security.

If your information, networks and business partners are secure, then your critical business processes are protected. This protection gives you the bandwidth to be proactive and focus on business development. Proactive and effective Cyber Security becomes a business enabler which creates business opportunities for growth. When you demonstrate, and even advertise, your cyber resilience, you can deepen trust with your clients and customers. You can then create new opportunities out of this level of trust to bring more useful products and services that your customers appreciate. When you meet and exceed customer expectations, the customers win, your revenue increases and you win.

Having a mature cyber security posture is also a difference maker in RFP and M&A scenarios. If you are putting out your services for tender or if you are an acquisition target for a larger organization, being secure as well as compliant with regulatory requirements gives you an important edge. When prospective investors and clients are looking at a secure company to partner with versus an organization with questionable security, they will choose the company who has taken proper security measures (all other things being equal). Although situations like these are disappointing and potentially devastating for the companies that get passed over, this is a life-changing advantage for the organization with foresight to pay close attention to their own cyber security posture.

Rapid Risk Reduction

At Cyber SC, we understand the limitations and budget constraints organizations face. We focus on quick wins in the short term as well as the mid and long-term, big picture security program maturity. This Rapid Risk Reduction with minimal amount of investment translates to a higher ROI for our clients. Not only does cyber security keep you up and running and in business, it lets you GO ON THE OFFENSIVE to grow the business and gain market share.

This article was originally posted on the Cyber.Sc blog. If you need help with your security strategy, please contact us and we'll hook you up.