Posted by Robert Half on 21 June 2016
Many startups are adopting cloud services such as Gmail, Dropbox and Skype to run their business. As well as keeping costs down, they’re easy to use, versatile and encourage collaboration. Even big businesses are adopting them rather than developing their own apps.
But what about the security risks for employees and businesses? Do these free cloud apps represent an internal IT security risk, and if so, how can you minimise the threat?
The Cloud Security Alliance listed data breaches as number one on its ‘Treacherous 12’ list of cloud computing threats for 2016. Major cloud providers are attractive to hackers because they have such a huge amount of data stored within them.
A data breach represents more than just business loss – IT and data security breaches can also mean brand damage and legal liability including heavy fines and even criminal charges in some jurisdictions. These can impact your company for years, so let’s look at how you can at least mitigate that risk.
1. Set clear security policies
With BYOD (bring your own device) becoming ubiquitous these days, it’s hard to prevent employees from bringing in their own mobiles and laptops even if you do provide them with equipment. According to a KPCB Mary Meeaker 2015 Internet trends report, Millennials, for example, insist on using their own devices, with 45 per cent wanting to use personal smartphones for work. This means that company data stored in the cloud may be accessed through a device that you have no immediate control over.
If you want to prevent an internal IT security threat and minimise overall risk, you should think about implementing a strict security policy. Even though the benefits of allowing an employee to use email outside company hours may outweigh the risk it represents, your policy could/should require that security features are activated if employees want the device to connect to the company network, such as password protection and security-lock timeouts.
2. Educate users about security
Security software alone can’t protect against all risk. A significant proportion of incidents, such as data loss, are the result of human behaviour. Most often these cases are not even malicious – an employee’s device may be lost or stolen - or staff may fail to set a secure password.
Security breaches increasingly take place through social engineering and phishing – malicious scammers who look for ways to steal personal information and credit card details. Educate your staff about these potential threats. Many cloud providers also offer guides specific to their services, including what to do if there is a problem.
3. Do your research into each provider
Major cloud technology providers will have much larger cloud security budgets than you have, as well as security experts on call around the clock. But even the big guns have been known to slip up. Both Google Drive and Dropbox have vulnerabilities where private data could be read by third parties or indexed by search engines. This screams internal IT security threat.
Look for providers that offer enhanced security, such as SSL encryption to secure your data in transit, and two-factor authentication to prevent unauthorised access. User access logs and security alerts are also desirable features.
4. Monitor use and remain vigilant
Keeping an eye on what employees are doing online gets tricky when they use their own email accounts and devices. Also, privacy issues can arise. But you as an employer should be aware of what employees are doing with company data – how and where they’re accessing it, where they may be storing or sending it.
Ensuring that files are kept in a secure but accessible company cloud storage account will reduce the risk of employees moving them elsewhere. Routinely reviewing access logs is also important – a user may not even realise their device has been compromised.
The Cloud Security Alliance says that the future of security is “securing the entire path from user to application, device to service – on a one-to-one basis”.
As such, security guidance should be targeted to the specific device someone is using, and to employees on the ways they need to use it. A laptop only used on-site represents a different set of risks than a tablet taken home overnight. Ensure that people understand the risks that are relevant to them, as well as the best practices to avoid them. Every member of your workforce needs to play an active part in your security strategy.
Do you have the necessary talent to tackle IT security threats? If you need help discovering the right people for the job, contact us today.
This article originally appeared as Is a free cloud service an internal IT security threat? on the Robert Half Australia blog.