Accounting in the cloud – the light and the shade (part 2)

Concluding a two-part article from IASME Consortium on basic cybersecurity principles

original

The security of customer data held in the cloud is essential. You and your clients must have a strong cybersecurity process in place. Catch up on part one of this article before reading on below.

User access control

User access control covers the precaution of controlling who can access your devices, accounts and data and what they can do once they have access. This is essential for all cloud service accounts.

An IBM survey in 2016 revealed that 60% of all cyberattacks are orchestrated internally. A rogue employee can use their knowledge and access to company information to steal data or commit fraud, or an employee can threaten security with an unintentional mistake.

This can be prevented when you use the rule of ‘least privilege’ and configure accounts with in-depth permission settings that allow staff to access only information that they need to perform their role but no more. Administrative accounts must be restricted, kept track of and not used to carry out everyday tasks. Admin accounts typically have the greatest level of access to information, applications and computers and, if accessed by attackers, they can cause the most amount of damage because they can usually perform actions such as install malicious software and make changes.

You should have a comprehensive policy that details the processes for creating and controlling accounts with special access privileges including how and when to revoke access to information in a timely way when a member of staff changes role or leaves the organisation.

Secure configuration

Setting up your accounts to minimise the ways a criminal can get in is essential for all cloud services. Many software packages come with additional accounts or features that you do not use; these are simply unnecessary access points that could be used to break into your account and steal your data. Disable or remove any services or accounts that are not required for day-to-day use.

Passwords are still currently the main method securing access to almost all our different accounts and the data they are holding. Have a clear password policy that applies to everyone in your organisation including contractors.

This should include:

  • how to create good passwords using three random words or a random generated password created by a password manager (your password policy will specify which one and how to use it)
  • there needs to be an established process to change passwords promptly if a user knows or suspects the password or account has been compromised
  • enable multi-factor authentication (MFA) to all accounts on all of your cloud services
  • provide clear advice on good password hygiene such as not using guessable passwords (eg children or pet names), not re-using or sharing passwords and storing them securely on a password manager or locked out of sight.

People and processes – educate the users

When using cloud services, it is necessary to set up separate policies on each individual service and ensure that all access is controlled. It may be necessary to update staff about the functions and responsibilities in the cloud with training and information courses on each chosen cloud service. Google, AWS and Microsoft all offer a range of certifications and cloud computing training programs for their platforms. The goal is to get companies that aren't as familiar with cloud to be comfortable with modern techniques and practices.

The shift in focus has to go from the technology to business processes where the cybersecurity controls that protect user accounts influence and inform the behaviour of the users. Password hygiene, the use of admin accounts and MFA, and being accountable for account security become part of a security culture in an organisation where cybersecurity is prioritised by senior management.

The wide adoption of cloud services is not the only growing security challenge facing modern organisations. Home working and the use of privately owned devices for work mean that more workers than ever are working outside the boundaries of the company’s secure network. Bring Your Own Device (BYOD) is a widespread term for when a company allows employees to use their own laptops, tablets or phones for work purposes. This can pose some serious risks to an organisation’s security and privacy. A Bring Your Own Device policy can help an organisation control and protect their company information.  

Cyber expertise

In the past three years, the cybersecurity sector has grown exponentially and, consequently, IT and cybersecurity staff are in short supply. Organisations can use internal experts, external consultants and third-party providers. It is worth noting that accredited, listed companies that offer IT solutions may not always be well versed in cybersecurity practices. A cybersecurity consultant is often needed in addition to IT support.

Prove that you are secure

The Cyber Essentials scheme offers businesses a simple and affordable way to tackle cybersecurity and covers the basic technical controls that will help protect organisations from a whole range of the most common cyberattacks.

If you need help preparing your organisation for Cyber Essentials, there is a free online tool that helps you gauge your current level of cybersecurity in relation to where you need to be to achieve Cyber Essentials; read The Cyber Essentials Readiness Tool.

Apply to the Cyber Essentials scheme.

Both you and your clients could also benefit from looking at our useful ACCA and partner guidance and resources on cybersecurity.