How to Mitigate Your Risk When Doing Business on the Cloud

By Matt Gilbert, Principal at Baker Tilly US

The cloud service provider market has grown rapidly in recent years and is expected to surpass $150 billion in revenue this year.

Cloud service providers (CSPs), like Deltek, provide cloud-based software, platforms, infrastructure, applications or services. It’s clear that there is massive interest in the cloud from a business perspective. And where businesses are sending their information and spending their money, that’s where hackers tend to direct their attention.

To take advantage of these business benefits, many Deltek customers have moved or are considering moving their infrastructure to the cloud. Similarly, Baker Tilly is hearing from its clients who are intrigued by or concerned about moving to the cloud: How secure is the cloud? Is it compliant? While these are common questions that any business may have, should customers also be wondering about cybersecurity risks – like ransomware attacks – when deciding to move off premise?

For those of you not familiar, ransomware is malicious software that infects a computer system, propagates to network-connected devices and encrypts critical data, rendering it unusable until a ransom is paid to decrypt the files.

These attacks have been in the headlines quite a bit this year – and if you’ve watched the news lately, it’s easy to understand why. The Colonial Pipeline incident has been the highest-profile ransomware attack so far in 2021, but there have been several others that made national news, including JBS Foods and Quanta.

Let’s Begin With the Benefits

As evidenced by their increased popularity, could service providers typically come with a variety of potential benefits, including:

• Cost savings
• Increased functionality
• Better security
• Service coverage
• Improved mobile access
• Enhanced support models
• Compliance frameworks built into the service

Additionally, there are significant benefits that cloud customers receive through simple economies of scale. Your company may not be big enough to have an IT professional dedicated to upgrading software, or securing servers, or even having someone available 24/7, but your cloud service provider likely has specialists in those areas.

However, it is important to understand that CSP's are not risk-free. They too can be susceptible to ransomware attacks, just like company-managed systems. After all, if companies with large security budgets like Apple, Sony and AT&T can be hacked, and if companies like Colonial Pipeline and CWT Global can be attacked by ransomware, then it can happen to anyone. So how can you confirm that your CSP is a safer option than doing it yourself?

Ransomware Attacks On the Cloud

Generally speaking, ransomware attacks prefer to go after the “low-hanging fruit.” In other words, they typically target networks that are less secure. Going after a CSP may be attractive to hackers because of the volume of data involved. But the lines of defense between hackers and completing a successful ransomware attack are often so significant that they prefer to look elsewhere.

Picture a cloud service provider as a mansion that contains expensive jewelry, rare artwork and a large safe. But the mansion also has a steel gate around it, a 24/7 security guard, an array of cameras and an advanced alarm system. Next door is a more typical middle-class home, but the owners of that home leave the door unlocked.

A burglar might dream of breaking into the mansion, but it’s much more likely he’ll go after the unlocked home. CSPs are the mansion with significant precautions in place to keep its valuables safe and secure.

You can also look at it this way. People are much better off keeping their money in a bank than in a shoebox. Banks offer benefits and safety measures that a shoebox simply cannot. But that said, a bank can still get robbed. It isn’t risk-free. And doing business on the cloud is not risk-free either. But it’s generally a smarter, safer strategy for a lot of companies.

How to Mitigate Your Risk

From a customer standpoint, perhaps the most important steps to take before doing business on the cloud are to:

• Understand the significant steps that CSP's, like Deltek, are taking to prevent a ransomware attack and the various ways that they are limiting their risk (and, in essence, your risk)
• Perform due diligence thoroughly on CSP's and on their service providers

When performing your due diligence, don’t assume that you know all the answers. Ask the questions anyway – for your own protection. Then, when you are ready pick a CSP that can commit to delivering innovative technology solutions and protecting your data, by ensuring their capabilities meet the constantly changing security landscape.

For instance, you could consider the following inquiries as part of your due diligence:

• What is your incident response/ransomware plan? Who contacts the authorities, and what is the communication process? How are we notified?
• Related to configuration issues, how do you make sure any of the configurations you are responsible for are properly hardened? Will the CSP support or provide guidance in this area?
• How do your backups work? Are they encrypted and separated? Can you make your own backups? If you can simply recover your data, then you don’t need to pay the ransom. But if the data is also held for ransom, then you have one less option.
• How does the CSP manage vulnerabilities and how are they proactively patched?
• Does your cloud or Software as a Service (SaaS) app leverage another cloud platform (e.g., their application running on top of AWS or Azure)? And if so, how are responsibilities shared? What risks does this create and how are those being addressed?
• What type of insurance coverage do you have? And in the event of a cloud incident, whose insurance – yours or your CSP’s – would be responsible for handling the incident? Could moving to a CSP that is more secure than your on-premise environment decrease your insurance premiums?

By asking targeted questions and getting comprehensive answers, you can make an informed decision that puts you, your information and ultimately your future in the best possible hands.