Years ago, when the cloud was just emerging, we often received requests from clients asking if it was safe.
Being in the security game for years has taught us to question everything, especially new and untested technology.
We urged clients to exercise caution when adopting a cloud practice. As time went by, cloud adoption increased, and it became almost too tempting for clients not to make the switch to cloud. The cloud provides some inherent benefits that most organizations find appealing. Some of these benefits include:
- Cost savings
- Increased Collaboration
- Disaster Recovery
- Loss Prevention
- Automatic Software Updates
- Competitive Edge
It is no wonder that most businesses have made the jump to some form of cloud service. Cloud adoption has seen a dramatic uptick in businesses across the world and most businesses have enterprise data floating around on more than 16 different SaaS cloud platforms.
An assumption is often made when adopting a cloud strategy that since one is storing their data in the cloud, that data is automatically secured. That is often how cloud and SaaS platforms are marketed and it is just assumed that your average big cloud vendor has legions of security engineers available at their disposal. Because of these assumptions, many organizations move their IT personnel elsewhere to focus on other IT-related items (or just minimize their IT budget) and forget about the cloud as it takes care of itself. The reality of the situation is far from the truth of the assumed inherent security, and while many SaaS platforms do employ security teams to make sure their security is tight, “people are fallible and prone to error and cyber criminals are always watching and waiting for a weakness to exploit.”
The compliance and security challenges of making sure the cloud is protected are staggering and the industry has not had a chance to catch up.
We are still in the “wild west days” of could security and it is a lawless world.
A Target Too Tempting to Resist
The adoption of public cloud has led to a dramatic increase in cybercrime. So much so that 1 in 5 small to medium businesses report that they have fallen victim to a ransomware attack. This should not be happening, but the reward is just too appealing for hackers to stop. Imagine, only having to target one SaaS provider, or one public cloud offering and you have access to all of the clients data that uses that cloud? You have effectively leveraged your work and instead of spending countless hours breaking into each client individually, you break the cloud service and get the keys to the kingdom. Hackers are getting smarter and more creative with their tactics and the business of cybercrime is growing. With that, the average ransom payment by quarter has seen tremendous growth as well. The chart below provides a glimpse into the metrics.
The average ransomware amount demanded by ransomware attacks in Q1 2020 was $111,0605. This was a third higher than it had been in the final quarter of the previous year.
The Attack on Critical Infrastructure
A new and devastating trend has emerged in the US in the last year and that has been in attacking critical infrastructure (gas pipelines, meat processing plants, the energy sector, logistics companies, etc…) In our portion of the world, we have seen ransom demands on critical infrastructure reach as high as $3 million USD per incident. Companies cannot afford any downtime and trying to get their data back from a ransomware attack can take days or even weeks. That is precious time without access to critical systems. Vulnerabilities in SaaS platforms often make great entry points into companies’ private data and from there, it is only a matter of time before the weakness is exploited. Unfortunately, these attacks are on the rise and there is little sign of them slowing down. Recently, the World Economic Forum met to discuss the threat to critical infrastructure and some of the results of sustained critical infrastructure attacks. Its findings can be found in this report.
The purpose of this post was not meant to scare, but to inform the reader that the security situation around cloud adoption is less concrete than vendors would like let their clients know.
Hackers often look for platforms that are used by many people and develop tools as well as techniques in order to exploit those platforms so that they can have a bounty of treasure as opposed to just one company. When selecting a platform to use in your business, make sure that you have data backed up and follow security best practices when using it.
Change your passwords frequently and make sure they are complex. There is a saying in the industry that “only the paranoid survive.” With cloud technology, it doesn’t hurt to be a little paranoid. After all, your business is at stake.