Right now we’re in the midst of a period where the hype around cloud technology outweighs the negative.
It takes an incident like this one that’s been reported this week by our sister site SC Magazine to show what could go wrong. Attackers managed to access the servers running billing software used by companies in more than 130 countries; a system those companies use to bill their customers. SC Magazine reports that “thousands” of passwords and credit card details were exposed. It’s a type of service that many small businesses may well be attracted to.
The incident raises an obvious but critical question about the risk involved in having your data sitting on someone else’s servers and software, rather than on your own. It’s especially pertinent when the number of tasks you can move to the cloud seems to grow by the month – things like CRM, helpdesk, accounting, office, email and storage.
Is there an inherent risk in moving your data to the cloud? Is it really any more insecure than storing it on your own company’s network?
The stuff of Hollywood
Unsurprisingly, the companies selling cloud services that we spoke to about the incident above were resolute about the security of their service. Some argued that there are processes that should prevent this type of attack.
“It seems remarkable that this wouldn’t have activated some sort of alert, as the attackers would have been requesting administrator credentials,” said Nik Devidas, founder of Rock IT, which offers hosted Exchange, storage and virtual desktops from servers located in Australia through the Datasafe site.
“Ultimately, this kind of attack rests with the individual handling the call and the systems under which they work. We train our staff to be alert to any requests that appear out of the ordinary. The security system in this case simply didn’t have the right triggers in place.”
Devidas said Rock IT agrees in advance with each client whether password resets and access to certain folders must be authorised, to avoid a situation where they must rely on someone’s word that it’s ok to change something. Requests are logged and written authorisation to proceed is needed.
“But it all comes down to which provider you go with. This is why it’s vitally important to not choose your cloud provider based on price, rather base it on their capabilities,” he said.
On the physical side, moving to the cloud can ratchet up your security to the stuff of Hollywood film. Take online accounting provider Xero, which boasts 24/7 guards and biometric systems at the Rackspace facility housing its servers, as well as a range of password, access and network security measures.
If your laptop was stolen, points out the Xero web site, nothing is lost - data isn’t stored locally on your computer. They also argue that having your accountant access your data through Xero is more secure than emailing or sending your accountant discs.
Look at your own backroom
How good is your own company’s data security? Jamie Warner of eNerds, which supplies IT services to small to medium businesses in Australia, says there is an assumption by individual businesses that “no one wants to hack” them. But he points out most small businesses don't have the level of technology security of their IT providers.
It’s not out of the realm of possibility for a company to give out a remote login that could be accessed by a determined rival or disgruntled employee that they’ve sacked.
Or this: someone remotely logs in to the PoS credit card/Eftpos system sitting in your backroom, because you’ve used the default password. They exploit a known vulnerability and log PIN data, or if you’re particularly unlucky, take off with all the credit card data from your off-the-shelf web site shopping cart.
This month it was revealed that hackers were targeting rural shops, most with fewer than 50 staff. And late last year Visa estimated they had identified 40,000 Australian businesses such as independent supermarket chains, clubs and restaurants as high-risk victims of this type of backroom fraud.
“When you see these credit cards that are out on hack forums, a lot of them come from SMBs,” said Darren Pauli, editor of SC Magazine. “A small business will get their mate to set up the payment network. And at the end of each day they send [the transaction data] off for processing.”
“The problem is, if no one maintains that network, it might have WiFi with no security or outdated security. And the infrastructure protecting those payment systems could be 10 years old. That’s a big thing that Mastercard and Visa are trying to address.”
For businesses counting every dollar, there must be a temptation to make that gamble. “Security is a black hole,” Pauli said. “Throw a thousand dollars in it and you might not get hacked. Throw a dollar in it and you might not get hacked.”
To sum up, if you’re going to get hit, there’s evidence to suggest it could happen any number of ways; your cloud service provider being compromised is just one.