Cloud Security Basics for Small Businesses
At last count, nearly half of all small businesses used cloud-based hosting and infrastructure services. SMBs are doing so because it allows them to use enterprise-grade technology at affordable prices. However, many small business owners and decision-makers don't fully appreciate the level of risk that comes with their cloud footprint. And that's a blind spot that can have significant bottom-line consequences.
Small businesses that use cloud services have around a one in three chance of suffering a data breach within each calendar year. That should be enough to set off alarm bells for any small business, as these incidents can result in financial loss, data theft, and severe reputational harm.
Fortunately, there are plenty of ways for small businesses to avoid becoming a statistic. Here are some best practices and security strategies to help lower the risk of suffering a cloud data breach. Together, they should allow the average small business to use their cloud tools and infrastructure without becoming a victim.
How Can I Protect Cloud Storage?
One of the most important things a small business can do to stay safe in the cloud is to harden every cloud storage account it owns. Start by enabling encryption at rest through each service's management interface. Many providers now encrypt stored data by default, but not all of them do, so review each provider's encryption policy and settings rather than assuming. When in doubt, turn on every encryption option the provider offers (including customer-managed keys where available), even for data that does not seem sensitive. Keep in mind that provider-managed encryption at rest mainly protects against someone getting hold of the underlying disks; it does nothing against an attacker who logs in with a stolen password, which is why the access controls discussed below matter just as much.
It's also a good idea to use cloud storage providers that only allow encrypted (TLS) connections for all data transfers, and to enforce that setting wherever the provider lets you. This keeps business data safe in transit and prevents man-in-the-middle attacks on it. Most commercial cloud storage providers support this, and it should be used by everyone storing data in the cloud, even data that isn't particularly sensitive.
The following are the encryption options the major cloud storage providers offer.
Dropbox encrypts all stored files at rest using 256-bit Advanced Encryption Standard (AES). It also requires TLS connections for all data transfers, negotiating AES cipher suites of 128 bits or stronger.
Google Drive protects files in transit with TLS and encrypts stored data with 256-bit AES. Google Workspace also offers optional client-side encryption for Drive on some editions, so that files are encrypted before they leave the user's device and Google never holds the keys.
Microsoft OneDrive encrypts all data at rest with 256-bit AES and all data in transit with TLS. Microsoft also recommends enabling device (client-side) encryption on any iOS or Android device that accesses the platform.
Amazon S3 Storage
As of January 2023, Amazon S3 automatically encrypts every new object with Amazon S3 managed keys (SSE-S3); customers who want control over the keys can choose SSE-KMS instead in the console or through the API. Objects uploaded before that change were not encrypted retroactively, so any preexisting data must be checked and re-encrypted manually, for example by copying each object onto itself with server-side encryption requested. Data in transit is protected with TLS, and a bucket policy can deny any request that arrives over plain HTTP.
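As an added example (not part of the original article, and not AWS's own tooling), here is a short Python script that does what the paragraph above calls for: it finds objects a bucket still holds in plaintext, prints the commands to re-encrypt them in place, and builds a bucket policy that refuses any request not sent over TLS. The object records and the bucket name are constructed for the example; with real output from aws s3api head-object (or boto3) it audits a live bucket.

```python
"""Find S3 objects still stored in plaintext and produce the fixes.

Added example, not from the original article or from AWS. The object
records below are constructed to mirror the fields `aws s3api head-object`
returns; feed it real HeadObject results (or a boto3 listing plus
head_object calls) to audit a live bucket. Bucket and key names are made up.
"""
import json
import shlex

# Constructed sample: one dict per object, as HeadObject would report it.
# Objects stored before the January 2023 default-encryption change have no
# ServerSideEncryption field; newer uploads carry "AES256" (SSE-S3) or "aws:kms".
SAMPLE_OBJECTS = [
    {"Key": "invoices/2022-11.pdf", "LastModified": "2022-11-03T10:00:00Z"},
    {"Key": "invoices/2022-12.pdf", "LastModified": "2022-12-01T09:30:00Z"},
    {"Key": "invoices/2023-02.pdf", "LastModified": "2023-02-07T08:15:00Z",
     "ServerSideEncryption": "AES256"},
    {"Key": "hr/payroll.xlsx", "LastModified": "2023-05-20T14:00:00Z",
     "ServerSideEncryption": "aws:kms",
     "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
]


def find_unencrypted(objects):
    """Keys whose HeadObject result has no ServerSideEncryption field,
    i.e. objects that were never encrypted at rest."""
    return [o["Key"] for o in objects if not o.get("ServerSideEncryption")]


def reencrypt_commands(bucket, keys, sse="AES256"):
    """CLI commands that copy each object onto itself with server-side
    encryption requested; S3 writes a new, encrypted copy in place."""
    cmds = []
    for key in keys:
        uri = shlex.quote(f"s3://{bucket}/{key}")
        cmds.append(f"aws s3 cp {uri} {uri} --sse {sse}")
    return cmds


def hardened_bucket_policy(bucket, require_kms=False):
    """Bucket policy that refuses plaintext (non-TLS) requests and, optionally,
    uploads that do not request SSE-KMS.

    The TLS statement is the standard aws:SecureTransport pattern. The two
    SSE-KMS statements are only needed when you want to force customer-managed
    keys: since January 2023, S3 already applies SSE-S3 to uploads that set
    no encryption header, and a deny on the missing header would block them.
    """
    arn = f"arn:aws:s3:::{bucket}"
    statements = [{
        "Sid": "DenyPlaintextTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [arn, f"{arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]
    if require_kms:
        statements += [
            {
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {
                "Sid": "DenyUploadsWithoutEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    bucket = "acme-invoices"  # made-up bucket name for the example
    plaintext = find_unencrypted(SAMPLE_OBJECTS)
    print("Objects stored without encryption:", plaintext)
    print("\n".join(reencrypt_commands(bucket, plaintext)))
    print(json.dumps(hardened_bucket_policy(bucket), indent=2))
```

The TLS deny uses the standard aws:SecureTransport condition and is safe to apply to any bucket. Only pass require_kms=True if you want to force SSE-KMS with your own key: since the January 2023 change, uploads that send no encryption header are already encrypted with SSE-S3, and the header-required statements would reject them.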
How Can I Manage Credentials and Access Rights?
Next, small businesses should design their data access policies around the principle of least privilege (POLP): each user gets only the minimum access needed to do their specific job, and nothing more. Small businesses should also set up a privilege review process that reassesses every user's access rights at least once per year, and immediately whenever someone changes role or leaves.
It's also advisable for small businesses to choose a single sign-on (SSO) provider to centralize user credentials. SSO platforms broker access to multiple cloud services with one set of credentials, which cuts down on the passwords users must remember and gives administrators one place to disable a departing employee, so zombie accounts are far less likely to go unnoticed. Two caveats: the SSO account becomes the key to everything, so it must require multi-factor authentication, and any service that isn't connected to the SSO still keeps its own local accounts that need reviewing separately.
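An added example (not from the article) of what that review can look like in practice: a Python script that compares an exported list of grants against a per-role baseline and flags anything outside the baseline, never used, or unused for 90 days, plus accounts with no recent activity at all. The role baselines, usernames and permission strings are constructed for the example; a real run would export the grants from the SSO provider or from each cloud console.

```python
"""Periodic least-privilege review: grants to revoke and accounts that look dormant.

Added example, not from the original article. The role baselines and the
grant records are constructed; in practice you would export them from your
SSO provider or each cloud console. Role names, usernames and permission
strings are made up.
"""
from datetime import date

# Assumption: the business has written down the minimum permissions each job needs.
ROLE_BASELINE = {
    "bookkeeper": {"drive:read", "drive:write", "accounting:write"},
    "sales": {"drive:read", "crm:write"},
}

# Constructed export: one record per (user, permission) with the last time it was exercised.
GRANTS = [
    {"user": "alice", "role": "bookkeeper", "perm": "drive:write", "last_used": "2024-05-01"},
    {"user": "alice", "role": "bookkeeper", "perm": "admin:*", "last_used": "2023-09-10"},
    {"user": "bob", "role": "sales", "perm": "crm:write", "last_used": "2024-05-20"},
    {"user": "bob", "role": "sales", "perm": "drive:read", "last_used": None},
    {"user": "carol", "role": "sales", "perm": "crm:write", "last_used": "2023-11-02"},
]


def review_grants(grants, today, stale_days=90):
    """Return (user, perm, reasons) for every grant that fails least privilege:
    not in the role's baseline, never used, or unused for longer than stale_days.
    `today` is an ISO date string so the review is reproducible."""
    today = date.fromisoformat(today)
    findings = []
    for g in grants:
        reasons = []
        if g["perm"] not in ROLE_BASELINE.get(g["role"], set()):
            reasons.append("outside role baseline")
        if g["last_used"] is None:
            reasons.append("never used")
        elif (today - date.fromisoformat(g["last_used"])).days > stale_days:
            reasons.append(f"unused for more than {stale_days} days")
        if reasons:
            findings.append((g["user"], g["perm"], reasons))
    return findings


def dormant_accounts(grants, today, stale_days=90):
    """Users none of whose grants has been used within stale_days: the zombie
    accounts the article warns about, and candidates for disabling at the SSO."""
    today = date.fromisoformat(today)
    latest = {}
    for g in grants:
        latest.setdefault(g["user"], None)
        if g["last_used"]:
            used = date.fromisoformat(g["last_used"])
            if latest[g["user"]] is None or used > latest[g["user"]]:
                latest[g["user"]] = used
    return sorted(u for u, d in latest.items() if d is None or (today - d).days > stale_days)


if __name__ == "__main__":
    review_date = "2024-06-01"  # constructed review date
    for user, perm, reasons in review_grants(GRANTS, review_date):
        print(f"revoke {perm} from {user}: {', '.join(reasons)}")
    print("dormant accounts:", dormant_accounts(GRANTS, review_date))
```

Run it on the export from each review cycle and keep the output as the record that the review happened; the grants it flags are the ones to remove or justify in writing.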
How Can I Secure On-Site and Cloud VoIP Services?
VoIP systems rarely get much attention in cybersecurity planning, but small businesses should also take steps to secure any on-site or cloud-based VoIP services they use. An attacker who gains access to a VoIP system could use it to harvest user credentials, support phishing and social engineering attacks (for example by placing calls that appear to come from the company), or run up toll-fraud charges by routing calls through it.
For small businesses using the popular Asterisk open-source PBX software, there are a few simple security steps to take. First and foremost, Asterisk servers should sit behind a business-class firewall with only the required ports open to the internet: SIP signaling (UDP 5060 by default, or 5061 for SIP over TLS) and the RTP media range (10000 to 20000 by default in rtp.conf), and even those only if remote phones genuinely need them. It's also a good idea to restrict each extension to known internal subnets with deny and permit rules, disable channel drivers and modules that aren't in use, reject anonymous calls without revealing which extensions exist (allowguest=no and alwaysauthreject=yes in sip.conf), and enforce complex secrets for all extensions and accounts.
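To make those steps concrete, here is an added example (not from the article or from the Asterisk project) that audits a sip.conf for the items listed above: guest calls allowed, extension enumeration, weak secrets, and extensions without a deny/permit restriction. The configuration text is constructed; it assumes the chan_sip sip.conf format, and a chan_pjsip setup expresses the same controls in pjsip.conf under different directive names.

```python
"""Audit an Asterisk sip.conf for the hardening steps above.

Added example, not from the original article or from the Asterisk project.
The configuration text is constructed and assumes the chan_sip sip.conf
format (deny/permit per peer, allowguest and alwaysauthreject in [general]);
a chan_pjsip deployment keeps the same ideas in pjsip.conf under different
directive names. Extension numbers and secrets are made up.
"""

# Constructed sip.conf: extension 1001 is the way many small PBXes ship,
# extension 1002 follows the recommendations in the article.
SAMPLE_SIP_CONF = """
[general]
context=public
allowguest=yes          ; accept calls from unauthenticated peers
alwaysauthreject=no

[1001]
type=friend
secret=1001             ; secret equals the extension number
host=dynamic
context=internal
allow=ulaw

[1002]
type=friend
secret=Xk7!p2Qv9#mLw4Rz
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0           ; refuse everyone ...
permit=10.20.0.0/255.255.0.0   ; ... except the office LAN
disallow=all
allow=ulaw
"""


def parse_sip_conf(text):
    """Minimal parser for Asterisk's INI-like format. Keys may repeat within a
    section (allow=, permit=), so values are kept as ordered (key, value) pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]      # ignores template markers such as (!)
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.replace("=>", "=", 1).split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def secret_is_weak(name, secret):
    """Too short, too few character classes, all digits, or just the extension number."""
    classes = sum(
        any(test(c) for c in secret)
        for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    return len(secret) < 12 or classes < 3 or secret.isdigit() or secret == name


def audit_sip_conf(sections):
    """Return human-readable findings for the checks the article lists."""
    findings = []
    general = dict(sections.get("general", []))
    if general.get("allowguest", "yes") != "no":   # chan_sip defaults allowguest to yes
        findings.append("[general] set allowguest=no: unauthenticated callers are accepted")
    if general.get("alwaysauthreject") != "yes":
        findings.append("[general] set alwaysauthreject=yes: replies reveal which extensions exist")
    for name, pairs in sections.items():
        if name == "general":
            continue
        values = {}
        for key, value in pairs:
            values.setdefault(key, []).append(value)
        if values.get("type", [""])[0] not in ("friend", "peer", "user"):
            continue
        if secret_is_weak(name, values.get("secret", [""])[0]):
            findings.append(f"[{name}] weak or missing secret")
        if "0.0.0.0/0.0.0.0" not in values.get("deny", []) or not values.get("permit"):
            findings.append(f"[{name}] no deny/permit pair: registration accepted from any address")
    return findings


if __name__ == "__main__":
    for finding in audit_sip_conf(parse_sip_conf(SAMPLE_SIP_CONF)):
        print(finding)
```

Point it at the real file (read it into the string instead of SAMPLE_SIP_CONF) and fix each finding; the deny/permit check is the one that actually keeps internet scanners from registering as your extensions, since a complex secret only slows them down.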
For cloud-based business VoIP providers, the same logic applies. Most providers already enforce password complexity rules and may offer two-factor authentication; some integrate with an SSO platform. Most credible providers also encrypt all connections to and from their systems, using TLS for call signaling and SRTP for the audio itself, whether the endpoint is an app or a desk phone. Turn those options on wherever they aren't already the default.
How Can I Secure Remote and Hybrid Workers?
Small businesses must also safeguard the data and communications of their remote and hybrid workers. The most basic step is a VPN that encrypts remote workers' connections back to the business from wherever they are. A variety of commercial business VPN products work well for small businesses (note that consumer VPN subscriptions, which only hide browsing from the local network, are not a substitute). Small businesses can also roll their own with open-source software such as WireGuard or OpenVPN to minimize costs, as long as someone owns patching it and managing the keys.
Additionally, small businesses should consider using a desktop as a service (DaaS) solution to give remote workers access to business desktop apps and services. Doing so removes the need for business data to leave a business-controlled environment. It also makes enforcing access rules and minimum security policies easier, which can become challenging when remote users connect with their own hardware.
How Can I Manage Bring Your Own Device (BYOD) Policies?
Small businesses must also develop smart bring-your-own-device (BYOD) policies regarding remote workers using their own hardware. These should include minimum hardware and OS version standards to ensure employees aren't risking company data on devices with serious security flaws. They should also consider embracing a mobile device management (MDM) solution if they have more than a few devices to support.
MDM solutions allow small businesses to set security policies on any enrolled end-user device. This could, for example, force-disable a smartphone's camera and microphone while the user accesses sensitive data. They can also enforce device password and encryption standards, restrict Wi-Fi network access, and even use geofencing to enable or disable business data access based on location.
For businesses with too few user devices to warrant an MDM solution, endpoint security software on every device is a must. It can't guarantee that a user-owned device is clean, but it substantially lowers the chance that malware on a personal laptop or phone becomes the small business's problem.
What Penetration Testing Options Are Available to My Business?
Lastly, small businesses should familiarize themselves with a few penetration testing options to test their security measures. Open-source vulnerability scanners such as OpenVAS (Greenbone) work well for finding known weaknesses, and the free and open-source Metasploit Framework can then be used to confirm whether a finding is actually exploitable. Before scanning cloud assets, check the provider's penetration testing policy: most allow testing your own resources, but some services require advance notice and some kinds of test (denial of service, for example) are prohibited outright.
It's a good idea for small businesses to scan all their cloud assets for vulnerabilities at least once per quarter, and after any significant change, using these tools. They should also commission or perform a complete penetration test every year to look for inadvertent security holes that scanners miss, such as misconfigured permissions and logic flaws.
They should also use cloud discovery tools to build a complete inventory of the cloud services in use. This is critical because cloud sprawl, including "shadow IT" accounts that employees sign up for on their own, could leave small businesses exposed on platforms they don't even know they use.
Final Thoughts on Improving SMB Cloud Security
The bottom line is that small businesses have plenty to gain from using cloud services and platforms. However, they often have far more to lose than they realize. Following the security procedures and advice above should reduce their odds of suffering a cloud-related cyberattack, or at least one that succeeds. Every week that passes before a small business gets on top of its cloud security is another week an attacker can exploit the gaps, so these efforts shouldn't be delayed any longer than necessary.