Cloud Apps and Security - what are the risks?
With the rising use of the internet and businesses turning to the Cloud to host their data, I often hear people raising security concerns around using Cloud Applications.
What is a Cloud App?
For those of you who aren’t tech-savvy, a Cloud Application or ‘Cloud App’ is a database, email system or piece of software that is accessed via the internet and hosted in a data centre by a Cloud Service Provider (CSP). A data centre is a huge warehouse with thousands upon thousands of servers which are accessed by the public via the internet. An example of a well-known CSP might be Amazon Web Services (AWS) who rent out “rack space” (or large amounts of servers) to SaaS (Software as a Service) providers such as Xero or MailChimp.
This is slightly different to the traditional way of accessing software which was typically installed onto a single computer or physical server located in the home or office. An example of a traditional software install might be MYOB purchased on a CD-ROM which was self-installed onto the user’s computer. By contrast, Cloud Apps require no software installation, and access is gained by entering a web address from your web browser (e.g. www.xero.com) and logging in.
Like traditional software access, Cloud App’s are accessed with a login name and password. The major difference (apart from needing an internet connection to access it) is that updates and maintenance of the servers are provided by the CSP without the user ever knowing, and the software that is installed on these servers is maintained and updated by the SaaS Provider (e.g. Xero).
As a general rule Cloud App’s have a monthly subscription fee which is direct debited from the user’s bank account each month. Monthly subscriptions have really opened up excellent SaaS products to small businesses. SME’s can now afford to use superior software products without having to worry about hardware and maintenance costs. Before the Cloud, costs of purchasing servers and hiring IT people to install and upgrade systems made many software solutions unobtainable for many SME’s. A further added bonus of using SaaS products is that if the user doesn’t like the system, they can simply cancel their subscription and move onto the next.
Do all Businesses use Cloud Apps?
In a recent study by Right Scale (the leaders in providing users with SaaS products to SME’s), shows that 96% of SME’s in the USA and Europe use some form of Cloud Services whether that be public or private services, or a combination of both.
On average, SME’s use 4.8 apps in their business (that might be Gmail, Xero, Dropbox or an online CRM), and only 21% of business workloads remain outside the cloud.
Australia isn’t so advanced, but cloud app use is increasing. The Australian Bureau of Statistics (ABS) reports that only 55% of businesses in Australia use cloud systems, but only 17% of these businesses use public cloud products like Xero, Gmail, Office 365 or Dropbox. This is REALLY low compared with the rest of the world. 18% of business owners reported that they hadn’t adopted cloud computing because of:
Lack of IT skills
Fear of transition
Worries about staff skill sets
Fear of job losses if things become too automated
Change management and training can solve most of the issues on the above list, but security has been a recurring concern and continues to be so for many of the businesses I come into contact with.
What are the real threats when using Cloud Apps?
Is hacking really that much of a threat for SME’s in Australia? Well yes and no. Like driving a car, there are things you need to do to ensure you get from A to B safely. The majority of us accept that driving has risks, and wear a seatbelt, buy cars with good safety ratings, don’t drive over the speed limit, and don’t take huge life-threatening risks while driving.
Using Cloud Apps is much the same. While there are risks, there are things you can do to protect yourself and reduce the likelihood of something bad happening to your data. The good really does outweigh the bad when using Cloud Apps and adopting Cloud Apps into your business will save you heaps of time and money and cut out manual processes.
What are the typical hacks you need to be aware of and protect yourself from?
I’ve listed a few below, but don’t worry, I’m also going to tell you what you can do to protect yourself from these hacks.
Keylogger – this is a piece of software that logs the keystrokes of the victim’s keyboard to allow the hacker to gain access to passwords and bank accounts. Like most hacks, software like this is often installed without the user’s knowledge through phishing (explained below).
Phishing – this is when the hacker sends emails that look legitimate to gain access to the user’s computer. A classic example might be an email that looks like it’s from a Bank / PayPal which claims to inform the recipient of suspicious activity. It then asks the recipient to “click here” to log into their account to verify they are the account owner. The page they are taken to looks like their bank login page (this is also now a Man-In-The-Middle attack) and they type in their login and password. A message stating “thanks for verifying your details” is returned, and the recipient gets on with their day. Phishing emails now impersonate everything from Xero invoices, to PayPal and Dropbox login screens and often look like the real deal.
Denial of Service (Dos/DDos) – this is when the hacker takes down a website or server by flooding the site with more traffic than the server can handle. The server can’t process the incoming traffic and crashes. An example of a Dos attack is the Australian Census Website in 2016 when we all got the dreaded error message of denial.
Fake Wireless Access Point (WAP) – here the hacker sets up a fake WAP with the same name as yours or names it something that seems legitimate (e.g. Airport Free Guest WiFi). Once the victim is connected, they gain access to your computer and monitor your keystrokes. With this access, they can then conduct a Man-In-The-Middle (MITM) attack and intercept and alter emails or communications to third parties.
Bait and Switch – here the scammer runs adverts on social media for goods. When you purchase the product and it arrives, it wasn’t that Gucci handbag you thought it was, instead the bag is fake and doesn’t look anything like what you bought. Some people never receive the goods at all. When the victim decides to complain, the seller’s website has often disappeared. Other bait and switch techniques are designed purely to gain access to your personal information or credit card details (no goods are ever intended to be sent out) which are then used to purchase other products without your knowledge.
Viruses / Trojan Programs – these are malicious software programs that run when you click on a phishing email or download something that is illegitimate. These programs then take over your entire computer and vary in damage. Some delete programs, others lock you out, and others hold your data ransom for money.
Cookie Theft – the hacker creates a fake advert and website which asks the user to accept the sites Cookies. A cookie tracker then runs in the background allowing the hacker to gain access to personal information and surf the web as the user gaining access to passwords.
Old Fashioned Impersonation – this is when someone you know impersonates you to gain access to your systems. This can be obtained from getting your data out of the recycle bin or by getting your personal information through trusted relationships.
How do I protect my Data?
There are things that you can do to protect yourself and I’ve listed them below:
TURN ON MULTIFACTOR AUTHENTICATION (MFA) – MFA is a security measure that requires more than one mode of authentication to confirm the identity of the user before granting access to the system. It can be in the form of facial recognition, a mobile token, or a text message authentication code. Many MFA’s now include a password, a PIN and a token code or text message code to gain access to systems.
It is highly unusual for Cloud Apps to not have this feature so make sure you turn this on. To find out where to turn it on, go to the settings area of your app or email email@example.com for assistance.
Tip: Turn this on MFA Company-wide to ensure your employees are protecting your data.
TURN ON FACIAL RECOGNITION – if you have an iPhone X turn on Face ID. If you have a slightly older model use fingerprint ID. Apple had been working on Face ID for 8 years before releasing it to the public and constantly update their software. Some Android devices do also have facial recognition, but it can easily be hacked with a Photo, so don’t use it on Android phones / devices.
If you’re worried about companies giving your Face ID to government agencies just remember that Apple have repeatedly and publicly refused to provide government agencies (including the FBI) it’s users data, so your information is at this point at its safest with Apple over others, but there are always risks. My philosophy (in jest) is that if you’re a Facebook user then government agencies have all the data they need on you and more, so Face ID is the least of your problems.
CHANGE YOUR PASSWORD REGULARLY – change your passwords each month and don’t use the same password on multiple login platforms. If you’re forgetful, install or use a password manager like KeyChain to help you. Click here for an article on the best ones around.
DON’T USE Password1234 AS YOUR PASSWORD. EVER – you kind of deserve to be hacked if you use passwords like this. Just don’t do it. Click here to read about the most popular passwords of 2018. If your password is on the list and you’ve not been hacked then you’ve had a lucky escape! Use this opportunity to update them.
DON’T USE PERSONAL INFO IN YOUR PASSWORD – don’t use your daughter’s name or birthday as your password. This information can easily be found on Facebook along with a lot of personal information about you. Even if your security on Facebook is locked down, that doesn’t mean your friend’s security is up to scratch. Do you really know if Jane is the only one with access to her profile?
USE APPS THAT ARE ESTABLISHED AND TRUSTED – a team of people constantly working and against hackers is more protection than the Norton Anti-Virus software that you installed in 1999 ‘protecting’ your server. Use tried and tested apps that use encryption software. Examples are Dropbox, iCloud, iMessage, GSuite / Gmail etc.
GET A CONSULTANT TO ADVISE YOU – most business owners are experts in their business products, but not necessarily experts in cloud apps, business strategy or processes. Studies show that you will save yourself at minimum THREE TIMES the money by hiring someone to advise you on the right apps to use (and implement it for you) rather than you doing yourself – even if they charge you $220 per hour. Think about it – if you’re faffing around with install videos, researching articles and demoing cloud apps – that’s A LOT of time. Rather than working on your business in revenue generated tasks, you’ve lost yourself $1000’s in this process alone. Then add the time spent setting it up, the hiccups in implementation and integration that inevitably will happen, plus parts of the system you’ve missed out on by not knowing how it works, and your costs are anywhere from $8000 - $20000. Then, if you manage to mess it up to the point it can’t be fixed, you may have to call in a consultant to start from scratch (you would not believe how many businesses have to do this).
Most cloud systems can be installed around $3000 including training, and better still you can opt in for ongoing support. This costs a small amount each month and ensures you can ask any questions at any time and get help when you need it. When new features are released, they’ll provide additional training, and train new staff as and when required at no extra cost (or conduct refresher training). The Process Collective offers all of these services, so don’t be afraid to ask.