Cloud storage’s COVID-19 boom means sharable data, better storage capability, and easier communication for remote employees. Company leaders believe the primary benefit of adopting a cloud strategy is the transfer of risk to a provider better equipped to mitigate and manage that risk on their behalf. But this growth has brought with it greater security threats, largely through the vulnerabilities created by data delivery and exchange, says inSOC CIO Jeff Gulick.
“Many businesses ask themselves, ‘Is the cloud the safest place to put my data?’ When you look at this question from a 50,000-foot view, the answer is, yes. 98% of SMBs benefit from the security options available in Azure and Microsoft 365, and in Amazon cloud services cloud environments.”
COVID-19 Increases Users
But as companies, governments, schools, and health care systems continue to adopt a cloud strategy, users of these cloud services may knowingly or inadvertently transfer sensitive documents or data to personal computers, potentially exposing financial or customer information that the company stores with Software as a Service (SaaS) providers such as QuickBooks Online, Salesforce, or Microsoft 365. The massive increase in users means greater opportunities for cybercriminals seeking users’ sensitive and valuable content. Lack of training and experience for the end user creates the greatest risk, Gulick says.
Those threats come from increasingly sophisticated social engineering practices, including the ability to emulate well-known corporate banners. Attackers also use better and more varied malicious email lures to target at-home users, including email addresses similar to those of colleagues. Lastly, fake URLs now include company names with slight variations. Attackers take advantage of the large volume of email that end users receive daily, hoping for a response, Gulick said.
Gulick estimates that a majority of us already have personal data on the dark web.
“The email addresses and passwords you may have used to access breached web services like Yahoo or Facebook are for sale on the dark web and are likely to already be in the hands of cybercriminals.”
This, paired with relaxed at-home practices, including the use of personal computers that lack the hardened security of work computers, gives hackers the ability to take command and control of systems and an opportunity to take over email accounts to impersonate the unwitting victim. Once an account is breached, cybercriminals may launch spam campaigns, redirect your email to other email addresses, or use your cloud account to access protected information and services. High-level security breaches via the cloud have a long history.
Big Name Breaches
One study, posted on Stockhouse.com, found 925,000 malicious emails bypassed Office 365’s security system from March to August 2020. A sharp increase in phishing occurred over the summer of 2020, when COVID-19-related misinformation and home transitions struck an adjusting workforce, the article added.
Microsoft in 2010, Dropbox in 2012, LinkedIn in 2012, and Yahoo in 2013 are a few famous cloud breach cases. In 2020, Zoom, Marriott, and Twitter all suffered cloud breaches.
What worries companies using the cloud? Cloud data losses during breaches mean financial and reputation loss to the company and its clients. That is, in part, because the company is often the source of the compromised data through end-user error.
“The ultimate threat is always the end user themselves; they are giving out their credentials inadvertently through a phishing email or contracting malware. From there, cybercriminals can access information and gain all the data that they need to get access to those user accounts.”
What do attackers want? Most cybercriminals, according to Gulick, are trying to leverage your email account to send spam or to influence social or political global events.
Influence and Greed Drive Cyberhackers
Those targeted email accounts can be used for political purposes and to spread misinformation, especially from antagonistic countries seeking to influence elections or stir unrest. If attackers are able to send those emails from you, it legitimizes their claims.
“They also want to be able to send emails to your customers and tell them you need to send your invoices to this new bank account in Switzerland,” Gulick said. “Or your internal employee saying, ‘Hey HR, I need you to send me all of the Social Security numbers for all of our employees.’ ”
While the email might sound preposterous, with many hits, a cyberhacker can find just the right phrasing at just the right time to lure a stressed employee, Gulick said.
To prevent this, companies need to harden their systems and follow the CIS and NIST guidelines, which will be covered in the next Expert Corner.
In part 2, we look at strategies to protect cloud content and users.