Cloud Security, Part I: Employee Risk

Cloud Security, Part I: Employee Risk

While the COVID-19 pandemic closed down much of society and work environments, one area that was blown wide open was security—in particular, cloud security. In this two-part series, we will examine risks to (and solutions for) businesses. This first part covers employee risk; because it can be the largest and most sensitive topic related to cloud security.

Malware delivery continues to shift into the cloud, with 61% of all malware delivered via a cloud app.

  1. 36% of phishing campaigns target cloud app passwords and 13% of campaigns use phishing methods hosted in the cloud.
  2. Malicious Office documents increased by 58% in 2020 and now comprise 27% of all malware downloads, using cloud app delivery to avoid email and web security.
  3. 83% of users in the enterprise use personal apps, increasing the risk of unintentional or unapproved data movement. —Skopje
  4. Malware delivered over cloud apps increased from 48% to 61% in 2020.
  5. Bots like Emotet are back, with more malware attacks on Word Docs and other Office documents than ever before. This is why it is critical to work with an IT firm with years of security, malware prevention, and protection expertise.

There is a multitude of issues in cloud computing that companies experience. Here are some of the top ones we’ve seen:

Unauthorized Access

What makes cloud computing so convenient is also its biggest weakness: outside access from the public internet to your secured network. When there are weak (or no) password and security protocols in place for employees, you can be vulnerable to an attack. Weak passwords are a common entry point.

Companies tend to assume that their IT and tech people can do everything because they “are really good with computers.” No one tech person knows everything — despite what TV shows about the FBI would have you think. It takes a team to secure a network. A misconfigured server can be a serious issue. Inexperienced IT personnel on your team may not be aware of all the settings and tricks full-time security professionals know.

Security Protocols

We briefly touched on this in the last section. It is astonishing how many people use the same password for every app and website. One person’s laziness exposes your network to attackers, especially because the people who reuse one password, are also the ones with the weakest passwords.

Have a talk with an experienced security professional who can help craft solid security and password protocols for your company. They can even install software that makes passwords a non-issue. Remember: Your data is worth more than one person’s convenience.

Your Company Policies

Yes, your company policies can be part of the problem. For example, say your company has set an arbitrary limit of 5MB on email attachments in the belief that large attachments are dangerous. Most malware attachments are actually tiny, sometimes only a few kilobytes, so that rule won’t help there. Your marketing department, for example, will routinely need to send and receive attachments well in excess of 5MB.

What a rule like that will do is equally bad. You will end up creating a “black market” of employees trying to skirt around the rules by using cloud services outside the company’s secure network. Can’t send email attachments over 5MB? Fine, we’ll share files in DropBox. Won’t buy us Adobe Creative Cloud? Fine, we’ll use some free online services like Pixlr. Nothing is necessarily wrong with these workarounds, but they are not approved or vetted by IT.

HR giant SHRM compiled a list of facts about employee internet use during work hours.

Here are a few of the more surprising statistics:

  • 30–40% of employee Internet usage is non-work-related (IDC Research)
  • Workplace Internet misuse costs U.S. businesses $63 billion in lost productivity annually (Websense Inc.)
  • Charles Schwab says 92% of its customers buy or sell mutual funds online during work hours.

See the problems? This doesn’t mean all internet misuse at work results from company IT policy, but a lot of it can be pointed to two issues that we will cover in Part Two of this series: BYOD and remote working. These two related issues have caused headaches for IT departments for years.

Need to partner with a reliable IT firm that knows cloud security like the backs of their hands? Look no further.

About the Author:

Red Level
Red Level is a managed IT services firm in Metro Detroit that helps clients accelerate growth, increase productivity, strengthen security, reduce costs and enable scalability.