Why cloud security best practices mean engagement from vendors and employees

Matt Kingswood is the Head of Managed Services of Midlands and London-based ITS, a provider of Managed IT services across the UK. ITS is part of the US Reynolds and Reynolds company which has a strong heritage in data backup and recovery services. In his position, Matt is responsible for developing Managed IT services within the UK and is currently focused on the next generation of cloud and recovery products. Matt has more than 20 years of experience in the information technology industry, and was formerly CEO of The IT Solution – a full service IT Supplier acquired by ITS. Since joining ITS, he has led efforts to introduce a range of managed services based on the new ITS cloud platform. Previously Matt had a career in technology for several top tier investment banks before founding and selling several companies in the IT services industry. Matt has an MBA from The Wharton School of the University of Pennsylvania and a Master’s in computer science from Cambridge University.


Ransomware may be the hot topic in the news at the moment, but human error is a greater threat. Human error, in fact, is often the reason ransomware is able to infiltrate a network (by staff members clicking phishing links, for example). It’s also one of the greatest causes of data loss in the cloud. The first part of this series discussed how cloud vendors, shadow IT and lack of employee cybersecurity education can increase the risk of human error. But how do you mitigate these threats? To start, follow the advice below.

Ensure your cloud providers are equipped to fulfil your compliance requirements

If a vendor will be handling sensitive data in the cloud, first thoroughly vet the vendor and ensure that the solution is adequately equipped to adhere to the requirements of the EU’s General Data Protection Regulation (GDPR). In addition to requiring companies handling personal data to report data breaches, the GDPR promises citizens the right for data to be forgotten, easier access to one’s data and a right to data portability.

What this means for you is that you need to know how your customers’ personal data is processed and be able to communicate that information clearly. You also need to ensure data is available so it can be easily transmitted between service providers (another reason you must have reliable backups) – unless an individual invokes their right to be forgotten, in which case you need to be aware of everywhere that data is stored and delete it. In the event a vendor accidentally deletes data, you need to know how the service provider plans to remedy the situation (the below section addresses this point further). (Note that these are only some of the requirements of GDPR. For more about Data Protection Reform, click here.)

Files should remain encrypted in transit and at rest, regardless of whether the data is subject to the requirements of the GDPR.

Review vendor SLAs

It’s important to verify that the vendor offers service level agreements (SLAs) that provide adequate recourse in the unfortunate event that data is lost. Be aware that SLAs are not equal to terms of service.

Whereas a vendor can change its terms of service without notice, they can’t change the terms of an agreement you’ve signed without your being aware of it. When reviewing an SLA, ensure that the vendor can restore your data within your recovery time objectives (RTOs). For example, Lukas Hospital in Neuss, Germany, had complete backups of all systems in place, but when it was plagued with TeslaCrypt 2.0 ransomware, the hospital estimated that it would take up to 48 hours before its IT environment was fully functional again. As a result, 20 per cent of the hospital’s surgeries had to be rescheduled, and less critical care had to be temporarily shifted to other hospitals.

Backups are the key to protecting yourself from data loss, but backup services provided by a vendor must be backed by SLAs and must meet your RTOs.

Educate employees about security best practices

To protect against threats, employees need to be aware of:

  • Who might view data. In addition to verifying that they’re sending data to the appropriate recipient, they should consider who else might be able to access the information. If uploading data to the cloud or placing it in a shared folder on a local area network, are there others who also have access to it? Are the files encrypted to deter unauthorised access to the data?
  • How to identify phishing emails. Instruct employees to view emails with a critical eye. Warning signs include poor design, incorrect spelling and grammar, requests for personal details, suspicious attachments and URLs that don’t match the company’s primary domain (to view a URL without clicking a link, users can hover over the link with their cursor).
  • Procedures for responding to a suspected ransomware attack. If employees encounter any suspicious activity, instruct them to notify IT. If a device is affected by ransomware, they should know to stop working on the affected device immediately.
  • Why it’s important to apply security patches. New security threats are continually emerging. In response to these threats, hardware and software developers create security patches that protect the device or application. Employees need to apply these updates promptly to ensure the company’s data and network are secure.
  • How to create secure logins. Encourage employees to create complex passwords that involve special characters, numbers and a mix of lower- and uppercase letters. Whenever possible, use two-factor authentication to increase security.

Taking these precautions reduces the chance of unauthorised access to data as well as ransomware taking your data hostage.

Create a culture of security

Your best defence against security breaches and data loss is creating a culture of security that begins from the top down and is supported by clear, enforceable policies.

Creating a data handling policy should begin with classifying data according to how sensitive it is. Personally identifiable details and health information, for example, should only be accessible to those who need that information to carry out their job duties. Set in place clear consequences for access to and use of that data outside of a person’s job duties.

You’ll also want to put parameters on how users access data. One of the greatest threats to data is employees who can access company files, databases and applications whenever they want, using whatever device they please. Although most UK businesses (95 per cent, according to a BT study) permit bring your own device (BYOD) practices, security is sorely lacking. BT’s research shows 41 per cent of organisations have suffered a mobile security breach, 33 per cent grant users unbridled access to the internal network, and 15 per cent lack confidence that they have the resources to prevent a breach.

It’s important to establish a BYOD policy that addresses issues such as data security, remote management, data transfer, backups, data wipe and technical support (office or field based). If you work with a managed services provider for your IT support, check to see if the vendor can assist with developing and supporting your BYOD program.

Creating a security culture where the IT department strives to address security issues while acting as a trusted adviser will also reduce the risk of shadow IT, as users will be more likely to enlist IT’s help in selecting and implementing cloud solutions.

There’s no denying that cybercriminals are targeting businesses with more sophisticated and frequent attacks – but you can’t afford not to address the threats within your own walls. By holding cloud vendors accountable through SLAs, reigning in shadow IT, educating employees and creating a culture of security, you can reduce your risk of cyber threats and minimise data loss. 

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *