The use of Cloud services in businesses is growing every day - file storage, e-mail, account management or customer engagement. With organisations employing external companies to set up and run these applications it is vital to ensure these run with security in mind.
This article has been written by EMSOU and seeks to promote good cyber security among businesses and the public. If you require any further assistance or guidance please contact the EMSOU Protect Team or your local Force Protect Team.
The tips below will help make sure these services are as secure as they can be.
Securing users’ accounts
With Cloud Services designed to allow access from anywhere, this causes potential security implications. The below tips will drastically reduce the risk of having unwanted access to the service. Information about protecting your data with passwords from the NCSC here.
Tip 1: Use Multi-Factor Authentication
Multifactor authentication (MFA) adds a layer of protection to the sign-in process. When accessing accounts or apps, users are asked to provide additional verification. This may include biometric scan or additional code received by other device. More than one can be applied on more sensitive applications. NCSC guidance on the use of MFA, gives more information on the different options.
Older application may rely on older less secure methods and these applications can be made more secure by using an ‘App Password’. This will allow the addition of MFA when connecting remotely.
Tip 2: Avoid using guessable passwords
NCSC recommend using three random words, making a naturally lengthy password. This can be hardened further using UPPER and lower case, symbols/special characters and numbers.
Tip 3: Use unique passwords for each accounts
To reduce the impact of a compromised password, use a different password for each account to avoid attackers from having access to all linked accounts or applications using that same password.
Further detailed advice on passwords for organisations can be found on the NCSC website here.
Protecting you most sensitive accounts
Accounts for different services have different levels of security. Administrator accounts have wide access and should be the most securely protected by employing the highest standard of security.
Tip 4: Limit the use of administrative accounts
The impact of a compromised admin account could be the same as breaching all accounts allowing access to all users. Admin accounts should only be used for administrative tasks, once complete, they should be logged off. Remove assigned accounts when employees leave.
Tip 5: Keeping recovery information to administrative accounts up to date
Recovering a lost password for an administrator account is usually done through the Cloud Service provider. By ensuring all recovery information is completed and updated regularly this will reduce potential security vulnerabilities.
Tip 6: Protect the account used to manage your custom domain name
When using custom domain names for email and website follow Tips 1-4 above to protect the admin account and limit access.
Defending your online accounts from malware
Certain malware can be used to steal passwords to online services. This risk can be reduced by only using trusted devices to access your businesses Cloud Services.
Tip 7: Keep your devices healthy
Ensure that all devices used to connect to the Cloud Service are updated.
For all IT devices any new updates/patches should be installed as soon as possible. This will improve security and limit the possibility of zero day attacks. Most updates can be automatically done by simply enabling this setting.
Anti-virus should be used on all devices and consider the level of protection required and meets your security requirements. More information on protecting from malware can be found here.
Tip 8: Using a VPN (Virtual Private Network) for remote connections
If your business requires remote access to any data within your business infrastructure, then using a VPN is essential. A VPN can be used to encrypt traffic and secure end to end communication.
Use the security features built into the service
Cloud Service providers have security features implemented to help avoid cyber-attacks. These features are not automatically enabled and it is crucial to check these settings with your provider.
Tip 9: Prefer the apps provided by the cloud provider
Using third-party applications may require adjustments to any security configurations. Check legacy modes are disabled for protocols such as POP3 and IMAP. Using applications developed by the Cloud Service provider, designed with security in mind is recommended.
Tip 10: Back up data that is critical to your business
Cloud Service providers backups allow for a level of recovery after attacks. Some will even store deleted files for a period. Using these backups can reduce the impact of a ransomware attack. These recovery systems should not be relied upon as they may not always be available. To help mitigate this, use an internal backup system for crucial data which can be stored off line.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to email@example.com. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).