Using cloud services has a lot of benefits, one of them being better security for your data. Of course, nothing is 100% safe, but in the case of the cloud, the main vulnerability is… the people.
This is what a recent report by Kaspersky Lab shows. It turns out 90% of corporate data breaches in the cloud happen because of human error. Mostly it’s phishing, social engineering or other similar vectors which result in the employees’ access data being compromised.
It’s a problem for everyone
The survey breakdown shows that the results are similar for organizations of all sizes. 88% of SMEs say their breaches were due to employee issues and 91% of enterprises say the same. In contrast, only 11% of breaches can be blamed on issues with the cloud provider.
In 25.9% of the cases, attacks are targeted. But in 33.4% the attacks are via social engineering. Hackers always go for the easiest possible route. These days this means turning their attention to the users.
“The first step for any business when migrating to public cloud is to understand who is responsible for their business data and the workloads held in it. Cloud providers normally have dedicated cybersecurity measures in place to protect their platforms and customers, but when a threat is on the customer’s side, it is no longer the provider’s responsibility. Our research shows that companies should be more attentive to the cybersecurity hygiene of their employees and take measures that will protect their cloud environment from the inside”, Vice President of Global Sales at Kaspersky Lab, Maxim Frolov says.
So, what to do?
Training, training, training. You have to make sure employees know the risks of phishing and other social engineering attacks. Hackers are very creative these days and can devise all kinds of scenarios to trick users into giving up their data or clicking on an attachment with malware.
And while most employees would say “yeah, yeah, I know”, most really don’t. They do know that it’s a possibility, but think they will catch on to it or that someone higher up the chain would be the target instead of them. That’s the first and biggest mistake they make and usually the one that leads down a path of lots of issues.
So, just explaining the risks to them won’t be enough. Additional training will help to educate them about typical attacks and scenarios. Also, make sure there are protocols and procedures in place, so that employees know what to do in case they are attacked or suspect something.
Of course, don’t underestimate the rest of the cloud security measures. This should include protection for mail servers, clients and browsers. While they might not be part of the cloud service, they interact with it, so you have to make sure they are well secured, too.