I don’t know how Deb Carpenter Beck does it. The longtime Sage Construction and Real Estate marketer, who can still be found on the Plumb Bob Square Rants blog, always writes about the most topical posts in the industry.
Ironically her latest blog post hit too close to home as we’re reeling with the news from one of our customers earlier this week.
One of our Sage CRE customers’ servers were hacked through their cloud-based server. The attack was so clever, so thorough, the hackers were able to pose as company employees via e-mail, producing some pretty damaging results.
And sure enough, on the same day we hear this news, Deb pens the blog post: “Six security questions you should ask your cloud service provider.”
What is the cloud and is it safe to use?
Even in our line of work, we see a lot of misconceptions about what the cloud is — even from people in the industry who should know better.
There are two main types of data storage: on-premise and “the cloud.” On-premise data hosting means an entity (company, government, school, self-employed business owner, etc.) keeps their servers in their own building and is responsible for their upkeep and protection. Cloud hosting means the entity entrusts their data storage to a third party company at a secure location.
So there’s the big, mystical cloud in a nutshell: data stored on server in a different location. It’s not mobile or web-based platforms. It’s not a SaaS model. It’s not packets of data floating around in the atmosphere. (Our own Greg Lafferty is fond of saying he’s a licensed pilot, and he’s never seen any data servers while flying.)
So that begs the question: “Is it safe to keep my data on the cloud?” The simple answer is it’s as safe as an on-premise server. There are some caveats, most of which Deb listed in her blog post, but as long as you’re entrusting your data to a reputable cloud hosting company, you’re pretty much dealing with the same security — and the same risks — as with on-premise data storage.
In both cases, you have to use some sort of connection — intranet or internet — to log into the server to access your company’s data. However, if that connection has a vulnerability, it’s open to attacks. Unfortunately, end users are often their own worst enemy by creating their own vulnerabilities.
Server safety starts at home, even for the cloud
For those who want to look down upon our customers for being fooled by a made-up e-mail, all I have to point to the big news making the rounds today about Gmail users being scammed by a sophisticated phishing scheme.
It seems that even tech-savvy people are being hit by this because the hackers use social engineering to gain the targets’ trust by using attachments that came from the hacked account. The person on the other end of the account recognizes the image in the preview, clicks on it, is prompted to enter their login info for Gmail, and boom — their account is hacked, too.
Over the past few years, I’ve said several times that you (or your cloud hosting company) can have the most modern, sophisticated and secure setup, but that still wouldn’t amount to a hill of beans if users invite hackers through the front door.
Even if your company hosts you own servers on-site, and employees are allowed to log in remotely, user-based vulnerabilities can be taken advantage of the same way they can be in a cloud server.
Let’s say I take my laptop over to Starbucks and I get set up to write a blog post. I log into our on-premise server through a VPN so I can access my stock photos. Then I get up to order my mint hot chocolate.
The cafe is busy enough so that other patrons would notice someone taking off with my laptop. However, the bustle provides the perfect cover for a hacker to move past my computer and surreptitiously stick a USB drive containing an executable virus. In the seconds it would take him to load the malware on my computer and pull out the disk, he could conveniently stop to tie his shoes, have a coughing fit or check a text message on his phone.
In less than two minutes, the hacker has successfully hacked my computer because I left it on unattended in a public place. And there’s not an antivirus/anti-malware/encryption program on the planet that could stop that kind of an attack.
Is there anything that can prevent these cyber attacks?
There are two main ways to prevent social engineering attacks on cloud-based and on-premise servers: education and use two-party authentication.
By teaching employees to recognize every e-mail and every login to a server as a potential threat, even the most technologically inexperienced people can successfully avoid most attacks. It doesn’t take a computer science degree for someone to recognize when they’re being fooled.
Think of the “Nigerian prince” scam from years ago. The news of that type of cyber crime became so synonymous with e-mail scams that I doubt anyone would be fooled by it these days. It was mass education that eventually stopped that scam.
It wouldn’t hurt for companies to have a meeting once a year to educate their employees about the latest social engineering scams that are targeting businesses. Or, at the very least, help your employees by sending out e-mails warning of reported scams.
Many online companies (e-mail services and video games especially) have enacted two-party authentication. By supplying an alternate means of verification, such as a cell phone number, the host can contact the account holder if there’s an unusual attempt to log in. This can be an attempted login from an unknown IP address or too many wrong password attempts.
But two-party verification doesn’t have to be complicated, especially for a small business. It can be as simple as walking down the hall or picking up the phone to see if a co-worker actually sent an e-mail before acting upon it.
A company can also enact a safety net in case a hacker gets through security, like coming up with a code phrase. If a C-level employee requests over X amount of money, or sends an odd request in the middle of the night, the e-mail recipient can ask that manager for the code phrase. As long as this code phrase is never sent via e-mail, it can’t be hacked and used against the company.
The other part to that sort of verification is that the C-level employee must be willing to accept their employees to question their instructions, especially if they seem out of place. I’m sure any CEO worth their salt would rather have a data clerk ask if they really want to transfer a huge chunk of money to separate bank account rather than losing that money forever.
Please let our customer’s story be a lesson for everyone out there. You can have top-of-the-line security in-house or in the cloud, and it can still backfire through social engineering.