Preventing Unauthorized Data Access in the Cloud
When clients trust their CPAs with financial data, it’s the CPAs’ responsibility to ensure they do everything possible to protect against breaches that could compromise personal, sensitive and confidential information. However, with the COVID-19 pandemic causing a substantial increase in remote work, people may unintentionally be letting their guards down when it comes to cloud computing.
According to ZDNet and cybersecurity firm Kaspersky, cyberattacks using remote desktop protocols (RDP) grew 400 percent in March and April 2020 alone. Furthermore, phishing attacks are now more prevalent and sophisticated than they were a year ago.
RDP attackers use credentials to penetrate a system. This, together with employee negligence and misuse of employee credentials, is among the biggest threats to cloud security. With remote employees free to log in to cloud solutions from home computers and mobile devices, it’s more important than ever to consider what additional processes are needed to secure sensitive data against unauthorized access and theft.
Companies must consider not just what sort of data is stored on the cloud, but also who is authorized to access, alter and share it. They must also consider which devices can be used to download and edit this data. These are also critical issues to consider when choosing an outsourced provider. For example, if a company outsources its payroll services, what assurances are put in place to prevent hackers from accessing and compromising social security numbers and private financial information stored on the cloud?
It is important to remember that while cloud computing is a great way to manage costs by reducing the need to manage on-premise, in-house network solutions, there are security concerns to consider prior to signing a contract with a cloud solutions provider. Here are some ways a company can perform its own due diligence:
- Review the provider’s System and Organization Controls (SOC) reports, which reveal all the security compliance processes a cloud solution provider has in place.
- Inquire about the provider’s malware detection and encryption capabilities, including data monitoring, file scanning and network traffic analysis.
- Examine the sufficiency of the different types of backups a provider may offer to prevent data loss, including assessing where they are stored and how often they occur.
While no system is 100-percent secure, a company can take action to keep its data as secure as possible. For example, a company can, and should, set virtual limits as to what employees can do inside a cloud environment. This process entails classifying and controlling data for privileged access, ensuring only certain authorized users or even certain devices can view or alter specific files and applications on the cloud.
Next, everyone needs to understand their role in data security. For example, requiring multifactor authentication is the easiest and possibly most crucial step in protecting a company’s data. This is often accomplished by approving employee access via secret questions, personal identification numbers, codes emailed or texted to separate mobile devices or platforms, or continuously changing codes on company-provided fobs. Therefore, if someone were to steal an employee’s credentials or even their mobile device in an attempt to access client information, the employee could prevent them from doing so after receiving an alert for the attempted login.
Lastly, follow these commonly overlooked security suggestions for preventing unauthorized data access:
- Mandate that employees change their passwords on a regular basis and choose more complex ones, taking care not to use personal identifiers such as names of family members or pets, addresses, birthdays and more. Passwords should also never be saved to personal computers or mobile devices.
- Instruct employees to avoid public WiFi and internet hot spots when accessing cloud data. Companies may also want to invest in more robust remote capabilities and networks for their remote employees.
- Provide anti-virus and anti-malware software for employees or, better yet, provide designated mobile devices for remote employees.
Cloud computing is undoubtedly beneficial to an increasingly remote workforce, but it is important to stay informed about how to secure data. When in doubt, reference the security guidelines recommended by Cloud Security Alliance (cloudsecurityalliance.org), a global nonprofit dedicated to defining and raising awareness of best practices that ensure more secure cloud computing environments.
Sherryll Penney is a manager at MSPC Certified Public Accountants & Advisors, PC.
This article appeared in the Spring 2021 issue of New Jersey CPA magazine.