Remote working in the cloud: what’s the risk?

Businesses are relying on cloud to maintain operations during the pandemic, but what are the risks and how can they protect themselves from vulnerabilities?

The cloud has proved a lifeline to many organisations during the coronavirus pandemic. It has enabled a swift transition from office to home working, allowed firms to scale quickly in the switch to digital services and continues to underpin their day-to-day operations. However, one aspect of the cloud continues to cause concern: security.

Forty-one per cent of organisations still believe the office is a safer environment from a cybersecurity perspective, according to research from the Cloud Industry Forum. But what is it about working over the cloud that prompts such concern for organisations? Many of the doubts focus on data loss or a perceived lack of control over their data.

“Many businesses that have held back from adopting the cloud have done so through fear their data could be leaked. This stems from the fact that the cloud is a multi-user environment where multiple resources are shared,” says Lisa Ventura, chief executive of the UK Cyber Security Association.

Many businesses that have held back from adopting the cloud have done so through fear their data could be leaked.

“The basic value proposition of the cloud is it offers near-unlimited storage to everyone. Data is often stored along with other customer’s data, leading to potential data breaches via third parties. 

‘With the use of cloud services such as Google Drive, Microsoft Azure and Dropbox becoming more mainstream, organisations must deal with newer security issues such as the loss of control over sensitive data held.”

Disappearing perimeters

Some industry experts, however, argue it’s not necessarily working over the cloud that heightens the security risk, but because many usually office-based staff are now working from home and therefore outside the security protection their office networks would usually provide.

“The cloud is another evolution in the dissolution of the perimeter. One of the key benefits of cloud is it enables access to critical data from anywhere at any time, but this creates problems for IT as it takes vital data outside their purview,” says Ian Pratt, global head of security for personal systems at HP.

Compounding this, the pandemic-driven transition to remote work was hastily enacted by most organisations. Quickly establishing could-based remote working runs the risk of misconfigured software as a service or cloud services.

“Much of the resulting security incidents we have seen are due to poorly thought-out remote work configurations than cloud usage,” says Jim Reavis, chief executive of the Cloud Security Alliance.

Practical measures

There are, however, practical steps companies can take to limit their vulnerability within the new work environment. These include controlling who has access to company data and taking passwords and encryption more seriously.

Cloud encryption is critical for protection, as it allows for data and text to be transformed using encryption algorithms and placed on a storage cloud. Similarly, organisations should implement two-factor or multi-factor authentication, use distinct original passwords and consider passwords with SMS, biometric fingerprint requirements and smartphone access control systems.

But it is just as crucial companies engage their employees in taking cloud and cybersecurity seriously. Technology cannot provide all the answers and employees are the first line of defence against cyberattacks. This is particularly important with phishing attacks currently at an all-time high; across Europe there was a 667 per cent increase in phishing scams in just one month during the pandemic.

“Being aware of what to look for would prevent falling victim to a phishing email,” says Ken Roulston, managing director at IT services provider CMI. “While it’s not nice from a cultural perspective, you have to operate a zero-trust policy. It’s like someone knocking at the front door of your house; you don’t always open the door to everyone and you certainly don’t let them in unless they are a known and trusted person.”

When employees are actively involved in protecting company assets, they are more likely to take ownership when it comes to security measures

This zero-trust model advocates that no user or system, either inside or outside the cloud, is trusted until they have been verified. Key is deploying a robust cybersecurity awareness training programme that involves the entire organisation. 

Cybersecurity training

“When employees are actively involved in protecting company assets, they are more likely to take ownership when it comes to security measures,” says Ventura.

However, this is an area still neglected by many organisations, according to a recent study by cybersecurity firm iomart. It found that while almost 20 per cent of firms said they had seen an increase in cyberattacks due to remote working, 70 per cent conceded the business did not currently offer cybersecurity training to all employees.

So how can organisations approach cybereducation for employees, particularly when in-person training is off the table?

“Although it is more difficult to implement training while employees are working from home, it is not impossible,” says Ventura. “Elearning, for example, is particularly useful with a remote workforce. It is scalable and easily deployed to the entire organisation and studies have shown it produces better learning outcomes.”

At the same time, the security team will have to play a much more active role, says Amanda Finch, chief executive of the Chartered Institute of Information Security. “Security teams need completely new skills, not only technical abilities, but the ‘soft’ skills necessary to engage and manage their co-workers, teach them the risks and how to reduce them, and act as a coach or mentor for those who will need a guiding hand to begin with,” she says.

With nearly half of companies saying they intend in future to allow employees to work remotely full time, it is crucial they not only deploy technologies to protect them in the cloud, but also develop a culture of awareness and reporting within the workforce to help defend staff from cloud-based threats.