Head in the Cloud when it comes to Cyber Security?
News that the ride-hailing company Uber suffered a massive global data breach affecting 57 million customers and drivers in October 2016 has unsettled many customers and businesses alike.
Hackers reportedly obtained login details for Uber’s cloud-based Amazon Web Services account, giving them access to customers’ names, email addresses and phone numbers and drivers’ names and license numbers in the US.
In his latest blog, Cyber Underwriter Paul Gooch looks at why Cloud Computing is becoming so popular and how hackers are exposing its vulnerabilities.
What is Cloud Computing?
Despite the ethereal label, cloud computing simply refers to the provision of computer services – including servers, databases, networking and software – over the internet. The cloud functions as a huge server network allowing access to services from anywhere in the world.
Cloud computing can vastly reduce the costs of setting up and running IT infrastructure, including equipment and software, ongoing maintenance and IT staffing costs. It also provides benefits in global scaling as incremental increases in delivered IT resources are possible. However, much like any other type of business outsourcing arrangement, migration of IT services to the cloud comes with risks.
Data Security – put it on your bucket list
Businesses that rely on cloud service providers for their IT infrastructure can get caught in the trap of complacency when it comes to managing the security of data stored online. All major cloud service providers have comprehensive data security capabilities; however, the security settings must be carefully managed by the user. There have been many cases where companies have assumed that the default security settings of their cloud provider were sufficient to protect their sensitive data, only to later fall victim to a data breach.
One of the most common causes of data breaches in 2017 has been misconfiguration of Amazon Web Services (AWS) S3 ‘buckets’ – the name Amazon gives to their public cloud data storage service. Recent high-profile casualties of misconfigured AWS bucket breaches reportedly include Viacom, Accenture, Time Warner, Dow Jones, the Republican National Committee and the Australian Broadcasting Corporation. In all of these examples, online S3 buckets were left ‘open’, allowing anyone to view the sensitive information stored within them. However, as the Uber example illustrates, even when cloud security settings are configured to restrict access using usernames and passwords, if these credentials are stolen, hackers can gain access to confidential information without having to compromise company-owned IT infrastructure.
The exposure is not limited to unauthorised read access of sensitive files, however. Often write access is not restricted, allowing saved files to be replaced with malware, resulting in what is known as a 'GhostWriter' vulnerability. Unsuspecting employees accessing what they believe to be legitimate data can then inadvertently infect their company’s internal systems with malware. As such, the use of public cloud data storage services can present a back-door for hackers to not only access sensitive data, but to penetrate internal networks as well.
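As an added illustration (not part of the original blog), the following check flags the two misconfigurations described above, public read and public write, in bucket ACLs shaped like the output of `aws s3api get-bucket-acl`. The bucket names and ACLs are constructed samples, and the check covers ACL grants only, not bucket policies.

```python
import json

# Predefined S3 ACL grantee groups that make a grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READ_PERMS = {"READ", "FULL_CONTROL"}
# WRITE_ACP lets the grantee rewrite the ACL, so it is treated as write access.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(acl):
    """Return sorted findings for grants that expose a bucket publicly."""
    findings = set()
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who is None:
            continue  # grant to a named account or user, not a public group
        perm = grant.get("Permission")
        if perm in READ_PERMS:
            findings.add(f"public-read ({who})")
        if perm in WRITE_PERMS:
            findings.add(f"public-write ({who})")
    return sorted(findings)


def _grant(permission, uri=None):
    # Builds one constructed grant in the get-bucket-acl JSON shape.
    owner = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
    grantee = {"Type": "Group", "URI": uri} if uri else owner
    return {"Grantee": grantee, "Permission": permission}


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Constructed sample ACLs (bucket names are hypothetical).
SAMPLE_ACLS = {
    "example-private": {"Grants": [_grant("FULL_CONTROL")]},
    "example-open-read": {"Grants": [_grant("FULL_CONTROL"), _grant("READ", ALL_USERS)]},
    "example-open-write": {"Grants": [_grant("READ", ALL_USERS), _grant("WRITE", ALL_USERS)]},
}


def audit_all(acls):
    """Map each bucket name to its findings, omitting buckets with none."""
    return {name: f for name, acl in acls.items() if (f := audit_acl(acl))}


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_ACLS), indent=2))
```

A bucket reported with public-write is the case the text calls 'GhostWriter': stored files can be replaced by anyone, so it warrants the most urgent fix.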
Business Interruption – No such thing as a free coffee
Cloud-based solutions are increasingly used to integrate many different systems and software applications onto a single platform. This has significant cost and efficiency benefits, especially for businesses that operate from multiple locations across wide geographic areas. However, if a company’s global IT operations are dependent upon a single cloud provider, or if the functionality of integrated systems is dependent upon cloud uptime, any interruption in that provider’s service can have a severe impact on business operations.
In 2015, Starbucks suffered a catastrophic outage of its cloud-based point-of-sale (PoS) system, meaning that payments could not be processed, impacting sales revenue. Given that all company-owned stores in the US and Canada were reliant upon the same PoS provider, approximately 8,000 locations were affected. Some stores decided to offer free coffee, while others closed completely. Although Starbucks did not release details of the revenue lost as a result of the outage, the average daily sales revenue for these stores in 2015 was around USD$30 million. Despite the improvements in cloud technology and reliability since then, Starbucks suffered a very similar outage in May 2017, again resulting in lost sales revenue. Starbucks has stressed that these outages were not due to an external breach; however, such incidents serve to highlight that the efficiencies gained through the use of cloud technology can also expose businesses to critical single points of failure in their operations.
What can businesses do to protect themselves?
As recent incidents have shown, no business is truly immune from data breaches or network outages. Establishing strong risk management controls and keeping your infrastructure up to date is the first line of defence against these damaging events. When incidents do occur, it is essential that businesses respond in a quick and appropriate manner with regard to customers and regulators. One way to do this is to partner with an insurance company that provides 24/7 breach response services to advise on the immediate steps that should be taken, enable prompt engagement of IT forensic expertise, and support compliance with all relevant data breach notification laws and regulations. A swift and effective response to a data breach incident could be crucial in reducing any fines payable under the new General Data Protection Regulation guidelines that come into force in Europe in May 2018.
Take Ctrl of your exposure to the cloud
TMK’s Cyber Ctrl policy provides comprehensive cover for data breach and business interruption losses arising from the use of outsourced IT service providers, including cloud service providers. Policyholders are given access to a dedicated 24-hour emergency hotline as well as print notification and call centre services to facilitate compliance with legal obligations. Coverage is not restricted to ‘hacking’ events; administrative error – errors or omissions in the operation, maintenance or programming of the computer system – is a covered cause of loss; and cover for the financial impact of any ensuing reputational damage is also available.
For more information about TMK’s cyber products or services, email firstname.lastname@example.org.