Introduction
How secure is the data your business stores in the cloud or on your on-site servers? It's a question that is being increasingly asked across the small business sector, as data security once again moves to the top of the agenda. With cybercrime on the increase, ensuring your business has robust security protocols in place is a commercial imperative.
Mohamed Zouine, European Director of Ground Labs, commented: "By the very nature of SMBs, they have to spend a great deal of time fire-fighting issues. Data security becomes an afterthought if it's even considered at all. Most SMBs do not realise that by storing this kind of data, even on a smaller scale, they are subject to the same, potentially crippling fines as larger businesses."
Mobile considerations
Security issues are also being compounded by the growth in mobile digital devices. According to IDC, by 2017, 87% of all connected devices sold will be tablets or smartphones. These devices will increasingly need to store sensitive customer data that must be protected at all times. Factor in the cloud that delivers the connectivity and storage capacity that SMBs in particular are leveraging, and a security policy that takes these mobile devices into consideration is vitally important.
Indeed, research from Trend Micro succinctly concluded: "The majority of SMBs said that, in general, they can't do enough to protect their data using the measures and technologies they currently implement. Most SMBs also doubt their organisations' capability to thwart advanced persistent threats (APTs) or hack attacks, especially since detection or discovery of data breaches among SMBs mostly occurs accidentally."
And your business needs to take action now. In March of this year the British Pregnancy Advice Service (BPAS) was fined £200,000 (around $310,000, AU$375,000) after a serious breach of the Data Protection Act revealed thousands of people's details to a malicious hacker.
David Smith, Deputy Commissioner and Director of Data Protection, said: "Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure. But ignorance is no excuse. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe."
A cloud of insecurity?
Larry Ponemon, chairman and founder, Ponemon Institute, says: "Staying in control of sensitive or confidential data is paramount for most organisations today and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud.
"It is perhaps a sign of confidence that organisations with the highest overall security posture were most likely to use the cloud for operations involving sensitive data and it is encouraging to find that significantly fewer respondents believe that use of the cloud is weakening their security posture."
The cloud has come under attack for what appears to be its inherent lack of security. The reality is that the cloud can be a valuable asset all SMBs can leverage to their advantage. The cloud must, though, be approached as your business would any new service it buys, performing due diligence before committing to a service provider. The mistake many SMBs make is to use consumer-level cloud services instead of those designed for business use that will have more robust security protocols built in.
Cloud security policy
For small business owners, the pull the cloud exerts on their enterprises is too great to ignore. Indeed, ignoring the cloud could place their businesses at a commercial disadvantage. Therefore, developing a comprehensive security policy is a must. Your business' cloud security policy should include:
1. Planning for implementation
One of the main issues with the small business use of the cloud is a lack of planning. The security profile of the data your enterprise will store in the cloud will influence which service your business chooses.
2. Where could your data become vulnerable?
Intel advises: "Regardless of the cloud delivery model you choose, your best approach is to review the specific service architecture, and then layer technologies to develop a strong security net that protects data, applications and platform, and network at all levels."
3. Cloud service location
As the cloud services your business accesses could be based in another country, assess the legal requirements regarding security that your data must adhere to, and whether your cloud service provider can meet these in their location.
4. Making the data connection
Moving information to and from the cloud must always include high levels of encryption. Intel states: "Certain industries, such as healthcare and financial services, require organisations to meet certain regulations and standards for the way they protect data. Increasingly, these and other regulations are encouraging – and specifying – encryption in certain usage scenarios, including cloud computing. The penalties for noncompliance are stiffer than ever."
Says John Culkin, Director of Information Management, Crown Records Management: "Out of sight, out of mind is not an unusual attitude when it comes to cloud storage. Unfortunately it isn't true – the organisation still remains the data controller and is responsible for it.
"Whilst there are many advantages to using cloud storage, including physical and data security, depending on the configuration and use of a service, compromises can be introduced. In the same way as a builder puts locks on doors, neither the door nor the builder is responsible for making sure you keep the doors and windows locked, or controls who you give keys to."
Security measures
Trend Micro offers up these steps to improve your business' information security:
1. Close your organisation's doors to malware
Installing and using effective anti-malware solutions in systems and devices that contain or have access to sensitive information is important.
2. Stress how important protecting data is
Inform your employees and other insiders about your company's security policies. Stress the personal and business consequences of not protecting their mobile devices, systems, storage devices, and the confidential data these contain from loss or theft.
3. Don't let social networking endanger your network
Teach your employees how dangerous over-sharing in social networking sites can be. Even if you cannot stop them from sharing information in social media, you can opt to limit the amount of time they spend on these sites while at work to lessen the chances of your company's security perimeter being breached.
4. Think of passwords as keys
The stronger the passwords to accounts are, the harder they are to crack. Keep in mind that without the right keys in hand, malicious insiders and outsiders alike will have a much harder time getting to your company's crown jewels.
5. Patch holes in your organisation's walls
Identify which information is critical, who could and should be able to access it, then investigate the best ways to protect it with the aid of a trusted IT advisor. Like holes or cracks in walls, areas where your company data is most vulnerable can cause your security perimeter to crumble.
6. Knowing is half the battle
Tell your employees that although losing unencrypted and improperly protected data stored in mobile devices may get them into trouble, failing to report such incidents is worse. This does not only put them but also their colleagues, customers, and the entire organisation at great risk.
SMBs are not powerless to act when it comes to securing sensitive data, and can develop a robust response to the data security threats their enterprises face. And with a major overhaul of the EU data security regulations incoming, reviewing your company's approach to the security of all its data management is timely and critical.
SafeNet's perspective
To round things off, we spoke to Jason Hart, VP Cloud Solutions at SafeNet, to discuss some of these issues further, including the lack of awareness of data regulations and the forthcoming changes, and why hackers are increasingly targeting small businesses.
TechRadar Pro: Are SMBs paying too little attention to the type of information they are collecting, and how this data is being stored?
Jason Hart: Small businesses often operate in cost-constrained environments, with limited staff and resources available to support security and compliance efforts. So with data now stored and accessed in different locations and from different devices, it can be difficult for them to stay on top of security. The more they can centralise, streamline, and separate encryption administration, the better they'll be able to address security and compliance demands.
TRP: Is there a lack of awareness regarding regulations concerning how sensitive data is being stored?
JH: The majority of businesses are aware – to some extent – of the upcoming changes to EU Data Protection laws. The problem is not many are actually doing anything to prepare for them. Our Breach Level Index revealed that in Q2 2014, less than 1% of all breaches were 'secure breaches' – where data stolen had appropriate controls and protection around it.
But if companies don't start taking the steps to change how they protect data now, they're likely to find themselves subject to compliance penalties, as well as reputational damage.
TRP: Hackers have traditionally targeted banks. Are SMBs now replacing banks, as they are storing similar personal information, but don't have such robust security measures as the banks?
JH: Hackers will always follow the path of least resistance. It's much easier for them to target businesses with weaker security controls and unfortunately SMBs tend not to have enough expertise in-house on security and compliance. So they are an attractive target to cybercriminals.
TRP: The British Pregnancy Advice Service (BPAS) was fined £200,000 following a serious breach, which affected thousands of personal data records. How can businesses protect themselves from similar prosecutions?
JH: Businesses need to bring the security controls closer to the data. This means putting in place best practice data protection techniques such as encryption, secure key management and authentication. These mechanisms provide a robust foundation for data security and also achieving compliance with the upcoming EU data protection laws.
TRP: Are SMBs overlooking their security responsibilities when storing data in the cloud?
JH: One of the biggest problems that SMBs face in the cloud is a lack of awareness of what data they need to protect, where it resides and what the risks are. Data is now stored and accessed in multiple places and from multiple devices, which means businesses need to bring security controls closer to the data.
So, often security and compliance requirements, like more effective and secure management of cryptographic keys, are a critical prerequisite to cloud migration. But it's not just the SMBs who are overlooking security responsibilities – not enough cloud providers are enabling the correct security controls within their offerings – such as two-factor authentication and key management. So preventing this ticking time bomb is as much the responsibility of cloud providers as it is SMBs.
from www.techradar.com