4 Out of 5 Clouds Aren’t Secure
Given how integral the Cloud is to the modern healthcare industry, cloud security and practice security are virtually one and the same. The question is: Do you know how to stay secure?
The Cloud is more popular than ever these days. But unfortunately, with popularity comes risk. The more widely used a technology is, the more cybercriminals will try to find a way to hack it and turn it against its users.
Case in point: According to the cloud security firm RedLock and its Cloud Security Trends Report, more than 50% of organizations that use cloud services, like Amazon Simple Storage Service (S3), have unintentionally exposed at least one of these services to the public.
This growing trend of unsecured cloud configurations is due to organizations neglecting known vulnerabilities in the Cloud, or failing to properly assess their cloud environment to discover unseen security risks.
RedLock researchers found that:
- 38% of organizations have had administrative user accounts compromised.
- More than 80% of organizations fail to mitigate cloud vulnerabilities.
- 37% of databases accept inbound connection requests from the Internet, seven percent of which receive requests from untrustworthy IP addresses.
This is just one of the many ongoing developments in the cybersecurity world that show why it's so important to work with the right IT consulting company in Florida. The fact is, this is just the tip of the iceberg.
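As an added illustration (not part of the original article or of RedLock's report), the Python sketch below checks for two of the exposures described above: database ports open to the whole Internet and S3 buckets without full Block Public Access. The input shapes mirror the JSON returned by `aws ec2 describe-security-groups` and `aws s3api get-public-access-block`; the sample data, group IDs, bucket names and port list are constructed assumptions.

```python
import ipaddress

# Common database listener ports (an assumption; extend for your own estate).
DB_PORTS = {1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any address on the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def open_database_rules(security_groups):
    """Return (group id, service, cidr) for each DB port reachable from anywhere."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            # "-1" means every protocol and port, so it covers all database ports.
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            for port, service in sorted(DB_PORTS.items()):
                if lo <= port <= hi:
                    findings += [(sg["GroupId"], service, c) for c in cidrs if is_world_open(c)]
    return findings

def buckets_without_full_block(public_access_blocks):
    """Return buckets where any of the four Block Public Access flags is off or unset."""
    return sorted(name for name, cfg in public_access_blocks.items()
                  if not all((cfg or {}).get(flag) for flag in PAB_FLAGS))

# Constructed sample data, not taken from any real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
        "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "-1",
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_BLOCKS = {
    "billing-exports": dict.fromkeys(PAB_FLAGS, True),
    "scan-uploads": {**dict.fromkeys(PAB_FLAGS, True), "IgnorePublicAcls": False},
    "legacy-archive": None,   # no Block Public Access configuration on the bucket
}

if __name__ == "__main__":
    print("DB ports open to the Internet:", open_database_rules(SAMPLE_GROUPS))
    print("Buckets lacking full Block Public Access:", buckets_without_full_block(SAMPLE_BLOCKS))
```

A rule flagged here is a prompt for review rather than proof of a breach: confirm whether the database behind it genuinely needs to be reachable from outside your network.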
What Cloud Vulnerabilities Do You Need To Be Aware Of?
Cybercriminals are smart. They adapt quickly and continually to come up with new ways to take advantage of organizations like yours.
Given how popular the Cloud has become in the business world today, it makes sense that there are so many solutions to choose from. Organizations have their work cut out for them when it comes to finding the right option based on the size of their operation and their needs. But are they making the right choice?
More and more, organizations are being enticed by low-price-point, wholesale Desktop-as-a-Service (DaaS) or Virtual Desktop Infrastructure (VDI) solutions, without understanding that these solutions are designed as blank canvases for adding other technology layers: namely, OS, applications, Microsoft Office 365, anti-virus, anti-spam, backup, Active Directory and others, depending on the workload.
In other words, DaaS and VDI are enterprise solutions built for enterprise-level organizations. To make the most of them, organizations need the expertise, time and resources to build them up into a platform that meets their needs.
On the surface, this might not appear to be a security issue. But again, those who choose to invest in a DaaS or VDI solution will quickly realize that the onus is on them to develop and deploy the security to go along with it.
Even if they manage this, it won’t stop there, because as you know, security isn’t a set-it-and-forget-it scenario. More than any other technology deployed, security measures must be constantly monitored, updated and improved.
Beyond the work involved in making sure a DaaS or VDI solution is properly secure, there's also the cost that needs to be considered. At first, when you make the financial comparison of DaaS to a complete cloud platform offering, the price tag for the former may look very compelling.
However, the reality is that deploying security for a DaaS or VDI solution is yet another cost, incurred either at first, when purchasing the security software, or later, if the organization opts for a free consumer version that will likely cost it in the long run. According to Verizon’s 2015 Data Breach Investigations Report, "The average forecast loss for a breach of 1,000 records is between $52,000 and $87,000."
Without an enterprise-level IT staff to manage its deployment and operation, DaaS and VDI will likely fail a given small or mid-sized business, costing them further in resources and wasting their initial investment.
Each employee should be thoroughly educated on the ways to spot and prevent a social engineering attack, and that education needs to be ongoing. Allowing yourself or your staff to get complacent puts your organization at serious risk.
3 Security Questions To Ask Your Cloud Provider
1. Where Is My Data Stored?
This may seem like a rhetorical question, but it’s not really. It’s sort of like wondering where the Internet is; it’s easier to assume that there’s no good answer. However, if you’re making that assumption about the Cloud, you’d be wrong.
After all, the Cloud is based on a network of data centers, and that's where the data is, in these data centers all around the world. Which data center your data is in depends on what cloud service provider you're working with.
All of this is to say that when you were researching cloud solutions, did you bother to ask where your data is going to be stored?
Even outside of your professional cloud needs, think about your personal cloud usage.
When you put some family photos on Dropbox, do you know where those files are? East Coast? West Coast? Or even outside of the country?
You might scoff at the idea of doing this kind of in-depth research for a cloud solution. It’s easy to think that the whole point of the Cloud is that you can access your data from anywhere, and not worry about where it actually is. But you should be sure to find out whether your data is hosted in or out of the state, country, or even continent. This info could have implications on compliance and security, depending on where your data is stored.
2. Are You HIPAA Compliant?
Just because you get someone else to store your electronic Protected Health Information (ePHI), doesn’t mean you don’t have to worry about HIPAA compliance anymore. You’re the healthcare organization dealing with the data, and so, it’s your responsibility to maintain compliance and to make sure that any cloud storage you use is compliant as well.
This shouldn’t be difficult for you to confirm with a cloud provider. They will likely either have plenty of experience dealing with ePHI and HIPAA, or it won't really be their area of expertise, in which case you should move on to another provider that can handle it.
3. How Is My Data Backed Up?
If you’re not already using a cloud backup service, then you’re behind the times.
According to Acronis’ 2019 World Backup Day Survey, 48.3% of surveyed organizations already use a cloud-based backup exclusively, and an additional 26.8% use a combination of cloud and onsite backup.
If you’re only using an onsite backup, that’s certainly a good first step. But do you think it is enough? After all, your organization’s most valuable asset is your data, and today that data can be stored just about anywhere.
Power outages, cyber attacks, hardware issues, and human error are all common occurrences, and when they stop you from getting work done, there are major effects: lost wages, lowered efficiency, unhappy clients, and in some cases, legal issues.
A cloud backup solution addresses each and every one of these possibilities. With backups of your data and applications in the Cloud, you always have secure and easy access to everything you need to continue working and serving clients.
What's more, cloud storage is a perfect way to reduce your IT costs. Data can be backed up directly to the Cloud without the risk of data loss, which eliminates the costs and resources associated with on-premise data storage and protection solutions.
How Can You Enhance Cloud Security On Your End?
There’s plenty you can ask your cloud provider to make sure they’re keeping you safe. But that doesn’t mean you can’t do more on your end as a user to enhance security as well.
- Identity and Access Management Controls: These controls allow you to make sure that only authorized users and approved devices have access to your Software-as-a-Service (SaaS) platform. If you rely on the default settings, you may be leaving your system open to unwelcome visitors.
- Application and Data Controls: Applications are interfaces to data, and as such, must be considered for their security in addition to other criteria of value and effect. By implementing careful data loss prevention strategies (such as data encryption), you can prevent a less-than-secure application from compromising organization data.
- Logging and Monitoring Controls: These controls are a vital part of IT security, helping you to detect security violations, alerting your team and any related third-party security support providers, as well as mounting the right response.
- Never Give Out Private Information: A basic rule in cybersecurity is knowing not to share sensitive info online. The trusted institutions with which you do business won’t ask you for your private information. They already have your account numbers, social security number, and your passwords. They won't have any good reason to ask for it again, right? If an email from a superior or external contact asks for that info, it’s likely a scam, so be sure to confirm the request by phone or in person.
- Implement Standard Protocols For Requests: Put steps in place for management to follow when asking for information or access from employees. If your employees have a clear idea of how these interactions should look, they're less likely to be fooled by a hacker posing as their supervisor.
- Always Verify Unexpected Email Attachments: A key aspect of cybersecurity awareness is understanding that, if you get an email from someone you know with an attachment that you weren’t expecting, you should confirm it with the sender. Give them a call or send them an email to make sure that the attachment is from them and is legitimate before you open it.
Waiting for another major cyberattack to start making the rounds is not the time to start looking at how to ensure your cloud is properly secured.