Cloud Cyber Risk Solutions

WHY THIS MATTERS

The cloud remains a mystery to some small and medium-sized businesses as well as large enterprises. 

Two of the factors that contribute to the cloud mystery are: 

• Cloud myths and misconceptions, and
• Cloud misconfigurations.

The first can be solved by better understanding of your share of responsibility about the cloud and cloud security. 

The second can be solved by providing your team with sufficient cyber risk and cybersecurity awareness.

Cloud Myths and Misconceptions 

Myths and misconceptions about the cloud overshadow data migration benefits from on-premises data storage to a cloud-based platform.

If you have legacy on-premises data to migrate to your new cloud environment, your business needs a secure cloud migration strategy and execution. This task may not be as daunting as you think. 

In 2020, Solutions Review debunked six common myths about cloud security:

1. Myth: On-premises infrastructure is more secure than the cloud.

Cloud providers:

• Implement data encryption and privacy measures to ensure the safe storage of users' data.
• Some offer additional security services that users may activate for increased security coverage.
• Are certified by global and regional regulations, ensuring that your data will still meet compliance requirements.

2. Myth: Cloud providers handle all users' security requirements.

Cloud providers:

• Outline specific responsibilities for both users and providers in Service Level Agreements (SLAs).
• Protect the systems on which users' data is stored.
• Should make clear that users are responsible for ensuring that only safe data is processed through the cloud solution.

3. Myth: Users' legacy on-premise security tools will be able to handle security in the cloud solution. 

Legacy on-premises security tools:

• May handle some but not all integration with cloud solutions.
• May call for new security tools to be added to your infrastructures, such as native security tools (from the cloud provider) or third-party tools.

4. Myth: Access control is not a concern in the cloud.

Cloud providers:

• Understand the cyber threats from hackers seeking to access control over your cloud environment.
• May offer access controls, allowing users to regulate authentication across the entire cloud infrastructure.
• May offer monitoring services to determine who is accessing your data as well as when and where. 

5. Myth: Public cloud multitenancy puts users' data at risk.

Public cloud environments:

• Are multitenant environments, operating multiple users' cloud data on the same server.
• Partition users' data to restrict access and keep information restricted to each user.
• Are no more or less vulnerable than other data storage environments.

6. Myth: Since the cloud is already secure, we need not monitor it for security breaches.

Cloud users need to:

• Be proactive and vigilant about their cybersecurity in all environments.
• Consider their options to work with cloud providers and third-party vendors offering cloud monitoring tools for security and performance.

Your organization will be well-served by taking the time to become familiar with the shared responsibility model for your cloud provider before adopting a cloud solution. For example, both Amazon AWS and Microsoft Azure publish their shared responsibility models online. Companies need to identify the proper configurations to reduce security risk in the cloud environment.

Cloud Misconfigurations 

Cloud misconfigurations that lead to security breaches are on the rise. Security teams need to evolve and adapt in their efforts to maintain cloud security.

According to the Cloud Security Alliance (CSA) in the Top Threats to Cloud Computing report: "Misconfiguration occurs when computing assets are set up incorrectly, often leaving them vulnerable to malicious activity."

An IDC research study in June 2020 revealed that nearly 80% of companies experienced a cloud data breach in the past eighteen months.

According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%), and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments. Meanwhile, 80% reported they could not identify excessive access to sensitive data in IaaS/PaaS environments.

Concerns over misconfiguration errors leading to data breaches ranked second only to hacking in the 2020 Verizon Data Breach Investigations Report (DBIR).

Capital One Data Breach

The Capital One data breach in July 2019 involved a misconfiguration that allowed unauthorized access by a bad actor. The data theft included the PII of 100 million individuals in the United States and 6 million people in Canada – both current credit card customers and new applicants.

According to Capital One's press release, the hacker exploited a specific configuration vulnerability in their infrastructure.

A subsequent report indicated that the Capitol One breach exposed data due to a cloud misconfiguration. Next, AWS responded by adding more security features to the compromised area (new metadata service in this case). After that, cloud users have tried to configure their environments more securely, but do not always know if they have succeeded. Lastly, this breach becomes the main topic of conversation when talking about cloud misconfigurations – at least until the next significant cloud data breach.

Remote Work Risks

According to the DBIR, phishing schemes have reached new heights in severity and frequency. "As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount," said Tami Erwin, CEO of Verizon Business. "In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious."

Human Error Threatens Cloud Security

As reported, in 2020, Tripwire commissioned a survey by Dimensional Research that found 93% of 310 security professionals were concerned that human error could result in the accidental exposure of their cloud data.
Despite their concern over human error, 22% of those surveyed said they manually assessed their cloud security posture.

According to the research, some organizations experience difficulties in monitoring and securing their cloud environments. A majority of security professionals (76%) state they have difficulty maintaining security configurations in the cloud, and 37% said their risk management capabilities in the cloud are worse than other parts of their environment.

The lack of ongoing work to maintain proper security controls could lead to human error.

Call to Action

Right now, your business can take two vital steps forward. First, reducing the risk of human error in your organization. Second, obtain Stand-Alone Cyber Insurance.  

Strengthen Cybersecurity Awareness 

As organizations gain more remote workers during these coronavirus times, what best practices should IT be implementing to help organizations mitigate the emerging risks while embracing a remote workforce?

Security Boulevard suggests four remote-work security best practices:

• Ensure a strong password policy is in place, along with the use of multi-factor authentication is required.
• Ensure none of your assets are exposed to the public unintentionally. 
• Ensure the use of the principle of least privilege for granting entities access permissions. 
• Ensure your logging configuration is correct to get better visibility of your public cloud.

Remember, an essential part of your cyber risk management plan includes comprehensive Stand-Alone Cyber Insurance to protect your balance sheet when a mistake by a team member overrides your cybersecurity measures.

Stand-Alone Cyber Insurance 

Your business stands a better chance of recovery with a robust Stand-Alone Cyber Insurance policy that provides coverage to protect your business against cyber-related losses.

For example:

• Ransom payments – if you incur cyber extortion-related expenses, such as the cost of hiring a security expert to advise you on how to respond to a threat, negotiating, or making the ransom payment. 
• Business interruption – if you lose business income during the cyber event (after a brief waiting period and during a restoration period), including the policyholder's net profits before taxes and extra expenses incurred during your computer network's shutdown, including payroll.
• Data recovery or restoration – if you lose programs, software, or data due to damage, disruption, theft, or misuse of your data.
• Incident response team – if you incur costs associated with an incident response plan and the team to support you during a cyber incident. 
• Employee training tools and programs – if you are looking to be proactive in loss prevention, such as phishing emails awareness training. 

Your company's residual cyber risk includes your employees who may be tricked by a phishing email or text, or manipulated via a phone call, jeopardizing your cyber risk management plan.

TAKEAWAYS 

• The cloud advantages need not be overshadowed by cybersecurity risks that your organization can control and reduce. 
• Employee phishing email training and cyber risk awareness training have immeasurable value. The solution -- some cyber insurance carriers offer support to their policyholders' efforts to increase employees' cyber threat awareness. 
• Your business stands a better chance of not only surviving but thriving after a cyberattack by transferring your residual cyber risk to a dedicated Stand-Alone Cyber Insurance policy suited to your risk tolerance level. 

Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to assist you with your Stand-Alone Cyber Insurance needs. We understand the evolving cyber risks, the dynamic cyber insurance market, and cyber insurance clients' demands.

Contact Cyber Armada today to explore how your company faces potential financial losses from a cyberattack. Contact us at 888.727.6232.

NEXT ARTICLE

Please watch for our next article COVID-19 Cyber Reality Check.