[Image: storm trooper action figure placed next to a computer. PHOTO: Liam Tucker]

A recent phishing attack on Office 365 compromised SharePoint files across many organizations that use the Microsoft productivity suite. This was hardly the only attack on enterprises in the past year. New research from security vendor SentinelOne (registration required) has revealed that ransomware attacks alone have rocketed over the past year and are costing individual businesses an average of $833,716.53 per annum. The research surveyed security professionals at 500 organizations around the world with at least 1,000 employees.

According to the research, almost seven in 10 (69 percent) respondents reported that the most successful ransomware attack against them resulted in the attacker being able to encrypt some files or data, with five percent paying the ransom to decrypt it. Of those whose organization has suffered a ransomware attack in the last 12 months, 69 percent said the attacker gained access to their organization’s network by phishing via email or a social media network.

In light of this and other attacks that target data, what can enterprises do? A lot, it seems, and much of it is just common-sense precaution. And although moving to the cloud is a sensible option, it doesn’t mean you can leave security to the cloud provider, according to Jesper Theill Eriksen, CEO of Copenhagen, Denmark-based Templafy. He said that deciding to migrate to the cloud doesn’t mean you have offloaded all your risk to the cloud services provider. Most cloud providers operate under the “shared responsibility” approach, meaning that both the provider and the customer are responsible for security.

“You are likely responsible for the data that is being stored outside your business, which in the event of a breach makes you the most liable for any third-party damages or compliance penalties,” he said. Below are other steps an enterprise can take.

1. Enforce Access Controls

While your data and applications may be under the control of a cloud provider, you control the user access. And this is your most significant point of vulnerability. Through 2022, according to Gartner, at least 95 percent of cloud security failures will be the customer’s fault. IT should look to the “principle of least privilege” by configuring read and write permissions so they are granted only to those who need them. Enforce multi-factor authentication to help ensure people are who they say they are.

2. Introduce Holistic Management View

A provider of cloud infrastructure services is responsible for reliable, efficient and secure performance of the hardware, but you are ultimately responsible for making sure your guest operating systems are fully patched and compliant with security baselines. Experts advise using a single management platform to get a holistic view of security across all environments. Microsoft Azure, for example, provides management tools for looking across all cloud and on-premises systems. Also, consider turning off virtual machines no longer in use, thereby preventing an attacker from getting inside an under-monitored cloud VM and then moving around inside the cloud infrastructure to plunder more lucrative targets. Doing this can also cut down on unneeded costs.

3. Monitor Employees

Trent Pham, who is in charge of security products for Little Rock, Ark.-based Windstream Enterprise, says employees also play a key role, and he shared four employee-related actions that enterprises can take. The first is monitoring employees. “Most employers take great care in protecting all employee personal information they store, such as social security numbers and credit cards used for travel. When that care doesn’t extend to making sure employees themselves are taking effective measures for protection, the result is multiple points of potential compromise that can severely damage an enterprise’s brand,” he said. Pham's other recommended actions follow.

4. Apply Unique Passwords

Advise employees to use a unique password for each vendor site they access. It’s unfortunately common for people to use one password for most, if not all, of the sites they routinely visit. Many who follow this practice assume that if they re-use a strong password not easily guessed, they’re covered. Yet if all vendor sites have the same password for an employee, and any one of those sites gets compromised, the time it takes to compromise all sites involved is greatly reduced — making it much more difficult to prevent further damage from the intruder.

5. Offer Email Education

Maintain an ongoing anti-phishing campaign. Cyber thieves who orchestrate phishing campaigns are gaining in sophistication, and many of the emails they send are not immediately identifiable as coming from someone other than the purported sender. That’s especially true when the email is personalized and addressed to the recipient’s business email address — and knowing the format of a single employee’s email address makes it very easy to personalize phishing emails for others. Encourage employees to report any suspicious emails they receive rather than open them or respond, so that you can block emails from that source and alert other employees that they may be targeted.

6. Don't Forget Physical Protection

Extend security policies to physical measures for documentation. Dumpster-diving is alive and well, and often turns up the documentation employees print for internal use that includes personally identifiable information or confidential information that could be used against the company, such as meeting notes. Make sure employees have easy access to paper shredders, and that they understand the need to use them for all documents containing information of any degree of sensitivity.

7. Introduce Encryption

Steve Pritchard is a business consultant for Leeds, England-based ASPLI. He said one of the first stages of protecting a company’s data is using the correct encryption, especially for small businesses where there may not be the budget for some of the more advanced programs. There are a range of ways to convert sensitive data into safe codes; a popular choice is to encrypt the incoming and outgoing data behind a firewall, which means you can encrypt data at an individual level and keep a firm hold of private information.

8. Introduce Effective Data Management

Randy De Meno, chief technologist at Tinton Falls, NJ-based Commvault, advised users of Office 365 — and other productivity suites — to make data stored across the system accessible to those working in the system. “It’s important for Microsoft enterprise customers to enable Office 365 content to be searched with everything in the enterprise across any on-premises, multi-cloud or hybrid IT environment,” he said.

Ultimately, though, he said protecting data is an enterprise responsibility. Whether using Office 365, Google Suite, or another SaaS, in the end an enterprise is still responsible for protecting, managing, governing and leveraging the data in these cloud-based applications. Without a smart, modern data management and protection strategy in place, enterprises risk losing data, finding themselves not in compliance with data privacy or other regulations, or unable to quickly meet AI, e-discovery or other legal requests for data.

9. Involve IT

Brian Gill, CEO of Gillware Data Recovery, agreed that putting data in the cloud does not shift the responsibility for data protection to the cloud service provider. Instead, IT departments play a key role. “The critical concept to understand is the IT community has not magically been absolved of their responsibilities to backup and protect this data by the cloud service provider. If anything, I believe the burden has increased by taking this business data off-premise. While it’s a big misconception that the cloud is just a server (it’s a lot more robust than any one piece of commodity hardware if we’re talking about a true cloud), these need to be configured properly for redundancy, security and volume-level point-in-time rollback capabilities.”

10. Develop a Retention Strategy

A lot of organizations need to ditch data after seven or 10 years, from a cost-savings and/or a liability perspective, so it’s not just about backup but about truly understanding the organization’s retention requirements. For organizations under regulatory pressure, the default settings of out-of-the-box cloud solutions don’t get the job done. It’s important to replicate private cloud data to a completely different service provider. Those backups need to be complete and platform-agnostic, and most importantly, the organization must audit them for completeness, understand and document the steps to switch over, and practice those switchover events intermittently.