Shortly after moving his law firm’s operations onto a digital cloud server at the start of the pandemic, Sherif Rizk received an e-mail from what he thought was a potential client attached to some files that would not open.
“I realized something seemed off here – I’ve never really had an issue accessing documents from a potential client in this way,” says the principal lawyer and founder of Rizk Law Office in Ottawa. “I ended up contacting my IT person, and he told me to stop speaking with them.”
After recently migrating his firm’s court documents to the cloud in accordance with COVID-19 precautions, Mr. Rizk feared the new wave of remote work would leave his company’s most sensitive documents subject to more online vulnerabilities like this one. The would-be hacker failed to gain access to any sensitive information, but the incident prompted a thorough inspection of the company’s servers and online communications. Mr. Rizk soon hired a local IT firm to help manage his company’s cloud security.
“Since that incident, we haven’t had any similar situations, and we’ve been a lot more vigilant.”
For example, the two-person firm does regular checks for unusual activity, it maintains dedicated devices for accessing work files, and it only connects those devices to secure private networks. Mr. Rizk says he’s also a lot more skeptical of communications from potential clients, especially those that seem too good to be true, or that emphasize urgency.
“Before the pandemic, [cybersecurity] was more of an afterthought,” he says. “Now it’s top of mind.”
Mr. Rizk is just one of countless Canadian business owners who rushed to adopt cloud services out of necessity with the onset of COVID-19 – but a recent study suggests many have yet to adequately adapt their security practices.
According to Orca Security’s 2022 State of Public Cloud Security Report, more than a third of business cloud users leave sensitive data unencrypted. Twelve per cent have online workloads secured with weak or leaked passwords. And the average organization takes 18 days to react to “imminent compromise” security alerts.
The report also found that while many companies list cloud security as one of their top IT priorities, the average attacker can access a firm’s most valuable assets in just three steps.
“The biggest misconception is that the cloud provider is responsible for securing the environment,” says Orca’s chief product officer and co-founder, Gil Geron. “It’s called a ‘shared responsibility’ model because the cloud provider is responsible for securing the infrastructure – meaning the physical servers and also the access and usage of the technology – but you’re responsible for how it’s used.”
Mr. Geron says he likens cloud security to buying a car: the manufacturer is responsible for adhering to certain safety standards and requirements, but it is not responsible for how the vehicle is driven.
During the pandemic, he adds, many organizations tried to “lift and shift” their digital practices, products and services to the cloud without adequately adapting their security protocols, exposing them to significant vulnerabilities.
The greatest vulnerabilities often reside in the least utilized assets, Mr. Geron explains. Older or even forgotten files and applications are less likely to be updated with the latest security patches and they are more prone to attack. That is why he says the best place to look for cybersecurity vulnerabilities might be in the accounting department.
“When using the cloud, you want to get rid of unused and forgotten assets – and doing that can also save money,” Mr. Geron says. “At the end of the day, someone needs to pay the bill, and I know many systems that are turning to finance to understand who is paying for what to understand where they have environments in the cloud.”
Maintaining strong cloud security practices also requires finding a provider that suits your firm’s specific needs, according to Xichen Zhang, a research scientist at the Canadian Institute for Cybersecurity at the University of New Brunswick.
“Different companies have different safety requirements,” he says. “It’s really dependent on, for example, the nature of the company, if it’s a small, medium or large company, and what is the major domain of the company.”
Mr. Zhang explains that each cloud provider offers a unique suite of tools and capabilities, and it’s up to customers to determine which offers the security practices that best meet their unique needs. For example, small businesses might want to opt for one of the more popular cloud providers – such as Google Cloud, Microsoft Azure or Amazon Web Services – as they are more likely to provide third-party security solutions tailor-made for organizations without a dedicated IT department.
But even if your data is stored in a brand name cloud, it could still require additional layers of protection. Mr. Zhang warns that businesses need to be conscious of what they upload to the cloud and introduce additional layers of security to sensitive data, no matter their provider.
“Third party cloud services can be the target of hackers, so we need to consider what is their data protection technology, and how strong and how powerful their mechanisms are in order to protect the data we send them,” he says.
“Do not consider the cloud a fully trusted entity. Even with big companies like Google and Amazon.”