Skip to main content

All my files are stored in the Cloud, so I’m not at risk, right?

This is something I hear all the time. It is often thought that ransomware is an on-premises threat only affecting old, unpatched Windows PC’s. And on the whole, this is true. We’ve all heard the stories and read the news, “WannaCry infects 230,000 computers in over 150 countries”. In the UK ransomware brought the NHS to its knees affecting over 34% of trusts in England and caused the cancellation of an estimated 19,000 appointments and operations.
But what people storing files in the Cloud don’t often realize is that they are far from immune. Apps used to share files and images, such as Google Drive, OneDrive, iCloud, and Dropbox etc are now being specifically targeted by sophisticated attacks. Emails appearing as document requests from these apps are amongst the most effective in generating some of the highest click-through rates. Don’t take my word for it, researchers at Proofpoint found that when it comes to attacks looking to steal your login credentials, a quarter is targeting Apple IDs followed by Microsoft Online credentials, with Google Drive a close third.

Source: Proofpoint 2017 Human Factor Report

Sophisticated attackers know their audience and are now disguising malicious attachments in order to increase their success rates. For example, someone who works in finance using Google G Suite will potentially be attacked with fake invoices which when opened will direct the user to a convincing but fake Google G Suite login page. In fact, according to Symantec's 2017 ISTR, fake invoices remains the most popular tactic for convincing users into opening phishing emails and more importantly taking the bait.


Source: Symantec 2017 Internet Security Threat Report (ISTR)

These links can perform a number of different attacks from requesting credentials via fake login page or asking the user to grant an app access to their account. Unfortunately, logging in or granting apps access to data is all too common a task for many Cloud users. Once an attacker has your credential or even worst access to your data via an app, they can do all kinds of nasty stuff, damaging you and your business.

Here are just a few things I have witnessed after an attack.
  • Start encrypting or deleting your data. File emails, contacts, photos, all gone or inaccessible.
  • Send emails to all your contacts and customers, requesting a change to banking details.
  • Resetting the passwords for your other accounts (banking, shopping, social media etc.)

Cybercriminals are now able to use techniques that previously only advanced nation-states have access to. It is becoming incredibly difficult to identify these sophisticated attacks. It is therefore important that such techniques are understood and become a discussion within businesses. So to help here are some key areas which will hopefully drive the conversation.

Plan — Create an information security policy. At this point, you may want to look at investing in an ISO:27001 information security accreditation.

Assets - Identify and document information assets that are at risk. Customer data, internal intellectual property, and corporate brand.

Communicate — Make sure all staff is aware of the techniques and dangers. Create a thorough induction process for all new starters and perform regularly updated training for all staff. Provide a central point of contact for issues and implement an incident response team and communications plan.

Be Proactive — Implement solutions such as multifactor authentication, identity and access management, data loss prevention, data backups, and intrusion detection.

Processes — Perform regular risk assessments, privileged account management audits, third-party risk assessments, patch and update management.

Reporting — Regular reporting to senior management and board. This is probably the most difficult, but it is essential that all aspects of the business from the top down are involved.

Unfortunately, cybercriminals are being more and more sophisticated. So my parting advice to you is to plan for the worst, imagine a scenario where all your files and production systems are compromised, how quickly will you be able to get your business back online, and where will this data come from if all your?

Comments

Popular posts from this blog

GDPR Compliance - The Sky Is Falling

Over the past few months, I've been speaking to more and more business owners about their concerns regarding GDPR (General Data Protection Regulation), which becomes law on 25th May 2018.

The concerns appear to come from misinformation and fake news over GDPR. There are the scaremongers, reporting on the increase fines that an organisation could face. While it's true GDPR has increased the levels of fines to 2% of an organisation’s global turnover, and for more severe incidents €20 million or 4% of turnover, whichever is the larger, it's unlikely that fines will rocket. Elizabeth Denham, the information commissioner for the UK, stated in a recent blog,

it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. Denham continued to say that; "The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We h…

Amazon Echo v Google Home - Family Review

With Christmas just around the corner, my inbox and messenger have started to fill up with messages from friends and family - not to wish me well, but instead to ask me which personal/home assistant device they should purchase.
With both Google and Amazon reducing the price of these devices for Black Friday it seems that everyone is getting on the bandwagon.
Having had both Google Home and Amazon Echo for a while I thought it was about time I came off the fence and give my recommendation, but then I realized that there are hundreds of technical reviews out there already, so instead, I've decided to ask my family which device they prefer and why. 
So here it is, the Lees' family review of both the Google Home (and mini) and Amazon Echo. But before we begin let me quickly introduce the family. My wife, Lianne and I have two kids, Molly who is 15 and Harry 10. We have several Smart TV's, Chromecast devices and even a Chromebit. The house is also full of IoT devices from Phil…

Google release new touch-screen Google Home

Well, that's a headline I long to read. Unfortunately, Google has lagged behind in the personal assistant device game for some time now. In September of this year, Amazon announced a plethora of new Alexa powered devices, which are now hitting stores.

The Echo Show, which enables video calling.The Echo Look, which is intended for fashionistas.The Echo Spot, which is like a really fancy alarm clock.The Amazon Tap,  aka portable Echo.

We all hoped that the Google announcement a few weeks later would bring something exciting and disruptive to steal the thunder from Amazon, but unfortunately, we got a pebble (Google Home Mini), and large square speaker (Google Home Max), and some new colours for the existing air purifier (aka Google Home).
All extremely underwhelming. Sorry Google, but I was expecting video calling, I was expecting Youtube videos, I was hoping to search through my photos, I was at least expecting two-way communication between devices! I'm not saying I don't li…
Related Posts Plugin for WordPress, Blogger...