Looking after customer data is a huge responsibility for any business, and it’s easy to spend all our time worrying about digital security controls. In the end, though, a breach can come down to something as mundane as who’s dating your sister…
Security is the same the world over, whether it’s someone pick-pocketing you, breaking into your flat to take your Xbox or stealing thousands of credit card details from an airline e-commerce site. Every burglar, from the common to the high-tech, relies on the same thing: humans doing human things.
Burglars tend to rely on human negligence to enter homes, with the majority of break-ins being committed by burglars who live nearby and are familiar with home owners’ daily whereabouts. And get this: up to 65% of burglars know their victims!
It’s much the same in the digital world, as Sophie Daniel (a.k.a. Jek Hyde), a physical penetration tester and information security consultant, knows well. She specialises in social engineering security assessments, helping businesses test their defences by going after their weakest point: humans.
Like any other burglar, Daniel relies on employees working in high-security environments to simply let her in. Which they do, alarmingly regularly. Because they’re human.
We trust other people and are willing to accommodate them, despite security rules put in place to prevent exactly that, and despite red flags that should tell us otherwise.
Daniel tells a fascinating story about how a basic online background check on one employee of such a company gave her enough material to social engineer her way through that employee, and then through others. She gained access to highly restricted areas simply by engaging people’s personal interests, passions and humanity, and so winning their trust.
OK, but what does all this have to do with breaching cloud security?
Anyone can unlock the cloud
A new report released by Kaspersky just last week suggests that 90% of data breaches in the cloud are caused by humans. The report warns that while organisations are primarily worried about the integrity of external cloud platforms, they are more likely to be affected by weaknesses far closer to home. Social engineering techniques account for 33% of these incidents, with only about 10% caused by the cloud providers themselves. The rest is made up of targeted attacks and negligence.
Businesses rely largely on their cloud infrastructure provider for cyber security, but the real threat to their customers’ data is their own employees and their own internal security practices.
Which internal security measures can prevent cloud breaches?
‘Our research shows that companies should be more attentive to the cyber security hygiene of their employees and take measures that will protect their cloud environment from the inside,’ warns Maxim Frolov, Vice President of Global Sales at Kaspersky.
My company, Skynamo, recently became one of relatively few tech providers worldwide to achieve ISO 27001:2013 certification, the international standard for information security management, in order to protect its customers’ business data. The standard covers the organisational, physical and technical points of weakness, not just the software.
In particular, it ensures the following:
- Customer data is only used for the purpose of the service we commit to provide
- We adhere to customers’ unique requirements for data-handling
- We do not share customer data with unauthorised third parties.
- Customer data is accessible only to a very restricted team of individuals at Skynamo, who have been trained to handle it appropriately.
- We store customer data separately, keeping it distinct from other customers’ information.
- We properly protect backups of customer data.
- We delete data that is no longer relevant.
The measures Skynamo takes to ensure our data remains secure in the cloud:
As we all know, our greatest strengths and weaknesses are usually related. Our employees are our best line of defence against a cyber threat. They are our eyes and ears on the ground.
Awareness, education, a security culture and, where necessary, specific training are the key elements in preventing a social engineering breach at Skynamo.
Skynamo actively fosters a security-conscious culture through continuous awareness and training initiatives, and encourages staff to report anything that doesn’t feel right. This can be anything from a strange-looking link in an email to a suspicious person loitering at reception.
How Skynamo Secured ISO Certification and Protected Customer Data
Achieving and maintaining data security was no small task for Skynamo. We had three main objectives: securing customer information, product information, and company information. Maintaining these standards requires consistency and keeping security top of mind every day.
Step 1: Engaging the Right Experts
Our first step was bringing in the right people to align our practices with the ISO 27001 standard. This involved working with independent specialists: a consultancy to guide the implementation and make recommendations, and an accredited certification body to audit the result and grant the certification.
Step 2: Comprehensive Risk Assessment
ThinkSmart, the consultancy we engaged, guided us through the process, identifying the various data security risks Skynamo faced. They ensured that we implemented the right controls and measures to reduce these risks to acceptable levels.
The audit looked beyond basic data storage. It evaluated how employees handle data and assessed the physical security of the premises where we conduct our daily operations. This comprehensive approach covers all aspects of our cloud and on-site data security.
Step 3: Why ISO Certification Matters
With data breaches on the rise worldwide, ISO 27001 certification is more important than ever. As of 31 December 2017, only 7,478 IT companies globally, and just 69 companies across all sectors in South Africa, held ISO 27001 certification.
We strongly recommend that businesses work with independent certification specialists to assess their data security risks and implement ISO 27001-aligned controls to protect against breaches.
Sources:
- Kaspersky report on cloud security referenced above: “Humans cause most cloud breaches”