What does a leprechaun have in common with cybersecurity? Why, the Pot o’ Gold, of course! Just like a leprechaun uses any trick possible to protect his Pot o’ Gold, or POG (gotta have an acronym, right?), we cybersecurity folks must use every reasonable tool and technique available to protect our client’s POG.
Your POG is the system(s) or data without which your business is sunk. In the beforetimes, everyone’s POG was on their local office network on a server in the closet. So, IT professionals rightly focused on restricting access to the office network using firewalls, VPNs, and usually Microsoft Active Directory. It was a simpler time – just keep the big, bad internet out of the network, and sleep well with sweet dreams.
Who moved my POG?
Now it’s 2023, and most businesses have moved the POG outside of their cozily secure office networks to … THE CLOUD (dun, dun, dunnnn). Everybody now has something — Microsoft 365, SharePoint, OneDrive, Dropbox, Salesforce, QuickBooks Online, property management systems like Yardi, case management such as Clio, ERP, and payroll systems. The cloud is great, because it allows you to access your POG from anywhere. But wait a minute, doesn’t that mean it can be accessed from anywhere? Like Russia, Ukraine, Nigeria, and North Korea anywhere? Yep.
“But, but … isn’t the cloud secure?!”
Well … maybe.
By default, many cloud applications still just require the basic username/password for access. And we all already know your username. It’s your email address. (Shhh, don’t worry, we won’t tell.) Often, the internal person in charge of implementing the cloud app has no knowledge or awareness of cybersecurity at all. It could have been someone in marketing, or even the receptionist. Then your entire Pot o’ Gold could be open to The Big Bad World, protected only by the receptionist’s password, which happens to be the same one she uses for Facebook, Instagram, and TikTok.
Many folks assume that just because their POG is “in the cloud” it’s secure, or that it’s the cloud’s problem at least. Nope. Read your end user agreements. Cloud providers have employed armies of lawyers to push any liability onto YOU. It is YOUR responsibility to protect your identity (login). Your cloud provider has zero liability if Russia logs in using your correct credentials, stolen from a previous breach where you used the same password.
“Well, at least the cloud is backed up, then.”
Sadly, also no. People assume that their POG in the cloud is backed up by default, because … cloud. That can be an extremely dangerous assumption. Unless you are specifically paying for backups (ideally to a third party), your data is very vulnerable. The free Dropbox account, for instance, which many small businesses use as their primary storage and file sharing method, includes no backups or security features whatsoever. A dissatisfied employee or a hacker could delete everything in that Dropbox account, and it would be gone forever – at best, years of work lost, a closed business at worst.
“My cloud app is HIPAA compliant, so I’m good.”
Sorry to be Dr. Nope, but this one’s dangerous, too. Just because your medi-POG is in a HIPAA-compliant data center environment does not mean that YOU are HIPAA-compliant. Again, it comes down to being YOUR responsibility to protect your identity, which is what allows access to the HIPAA data. 91% of cyberattacks begin with a phishing email link. 19% of users will click on a phishing link. It is only a matter of time. The security measures that HIPAA requires to be in place and routinely documented are designed to mitigate a full-on breach event WHEN someone clicks on an evil link. And this compliance is YOUR responsibility, not your cloud provider’s.
So what to do? Fortunately, the answer is pretty easy. Engage with IT and cybersecurity professionals to identify, categorize, and prioritize your POGs. Ask yourself for each, “How bad would it be if this data got out or was destroyed?” Some data is public, some is sensitive or confidential, and some is catastrophic or business-ending. Once you have prioritized your POGs, work with your security partner or team to secure each location or cloud provider as appropriate – proverbial hand-to-hand combat. Yes, buy your security partner an admin account if that’s what it takes. They’ll know what to do from there.
The hopeful good news is that securing your POG in the cloud is getting much easier on users, who are typically the weakest link. The “right way” and the path of least resistance are starting to merge. Most cloud providers support today’s federated authentication standards like SAML. So, if you focus on locking down the user’s identity using best practices, then you can reach the holy land of single sign-on (SSO). Once achieved, a user logs into one account one time and is then instantly authenticated into everything!
Invest time and budget with your cybersecurity partner to protect your Pot o’ Gold and your users’ identities. With One Login to Rule Them All, it is critical to protect them with modern security tools like SASE, SIEM, and MDR, and a smart team running the plan. Ask your cybersecurity partner about the above alphabet soup. They should know what it means and help ensure that you have the right things in place.
You can’t rely upon the Luck of the Irish to protect your POG!
Ron is Chief Cybertechnologist at SIP Oasis, an Alabama managed cybersecurity company. Ron’s passion is getting normal people to learn how to protect themselves from cybercrime, using humor and relatable stories, with zero techno-jargon — “EnterTraining.”