Small and midsize businesses (SMBs) are adopting the cloud. It’s no wonder, since according to a recent PC World article, 70 percent of SMBs have already reinvested money saved as a result of moving to cloud services. Yet with reward comes risk and with so many off-premises solutions available, it’s easy to make security missteps. Here’s a quick rundown of the four worst security practices adopted by SMBs to help you sidestep small issues and avoid big problems.
Imperfect Passwords
Passwords remain a sticking point for many companies. As noted by Android Authority, easy-to-guess passwords still top the list in 2015, everything from “123456” to “qwerty” or “football.” Tech Target describes the case of one executive at a government facility using “87654321” as his password. When asked, he said, “it’s such a simple password, nobody would guess I would use it,” and refused to make a change.
While he might be right that an individual attacker wouldn’t think to try such a simple password, this isn’t the real threat faced by SMBs. Instead, companies now deal with brute-force attacks looking for the easiest way in — which often means running thousands of passwords per minute, starting with exactly these common and sequential strings, to find the right one. Plus, with even small businesses using multiple cloud services, chances are one bad password is “daisy chained” across the entire network, so a single compromised account gives an attacker access to every service that shares it.
The bottom line? Passwords for cloud access need to be strong, never duplicated and often changed.
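As an added illustration of that bottom line (not code from the article or from Elastica), the check below rejects the exact passwords the article names, flags sequential strings such as “87654321” that any brute-force list covers early, and reports a password reused across several cloud services. The common-password list and the service names are constructed for the example; a real deployment would use a breach corpus and run the check at the moment a password is set, storing only hashes afterwards.

```python
from collections import defaultdict

# Constructed sample list: the passwords the article cites plus a few of the
# same kind. In practice this would be a large breached-password corpus.
COMMON_PASSWORDS = {"123456", "qwerty", "football", "password", "87654321", "12345678"}


def is_sequential(pw: str) -> bool:
    """True when every adjacent character pair steps by exactly +1 or -1,
    e.g. "12345678", "87654321", "abcdefgh". Such strings are among the
    first candidates any brute-force or dictionary attack tries."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def weaknesses(pw: str) -> list[str]:
    """Reasons a single password fails the policy; an empty list means it passes."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if is_sequential(pw):
        reasons.append("sequential")
    if len(pw) < 12:
        reasons.append("short")
    return reasons


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """accounts maps a cloud service name to the password being set for it.
    Returns service -> list of findings, adding "reused" for any password that
    is daisy-chained across more than one service. Plaintext is only available
    here because the check runs at password-set time; never persist it."""
    services_by_pw = defaultdict(list)
    for service, pw in accounts.items():
        services_by_pw[pw].append(service)
    report = {}
    for service, pw in accounts.items():
        reasons = weaknesses(pw)
        if len(services_by_pw[pw]) > 1:
            reasons.append("reused")
        if reasons:
            report[service] = reasons
    return report
```

The executive's “87654321” fails three ways at once (common, sequential, short), and a password shared between two services is reported against both accounts even if it is otherwise strong.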
Going Unencrypted
According to Porticor, one of the worst security mistakes a company can make is leaving data unencrypted. Often there’s an attitude of “good enough,” especially if SMBs are running a private cloud or believe none of their data will ever leave company networks. However, as noted by a Computer Weekly article from (way back in) 1999, traditional network defenses such as perimeter firewalls have steadily been declining in effectiveness; socially engineered attacks and malicious email attachments are on the rise.
Even companies that choose to encrypt data at rest and on the move sometimes get it wrong by handing over their encryption keys to a third party, often their cloud service provider. The takeaway? If cloud network compromise is your goal, leave data unencrypted and don’t keep tabs on your keys.
Educating End Users
According to Info World, educating end users doesn’t deliver the benefits SMBs really need. Why? Because most IT security programs for the average employee don’t teach anything new and are looked at like necessary evils rather than positive, proactive opportunities. In other words, while it’s tempting to throw money at a haphazard cloud security education program, it won’t pay dividends. Either put the money into a thorough, detailed curriculum or spend elsewhere to beef up cloud security and limit the chance that employees will come in contact with malicious files or emails.
The Similarity Solution
The final security mistake made by many SMBs? Assuming all cloud services are the same. It’s easy to do, since the portability and scalability of these solutions is part of their hype and a huge part of their appeal. However, public, private and hybrid clouds — along with their providers — all come with unique strengths and weaknesses. Trying to shoehorn in the same security practices for each cloud environment creates gaps even mediocre hackers can exploit. To avoid this problem, design for specificity, not similarity.
Want to make cloud security mistakes? It’s easy: Choose bad passwords, don’t bother encrypting your data, haphazardly educate end users and treat all clouds the same. Take a pass on these errors, however, and your defensive posture gets a substantial boost.
Rehan Jalil is the Chief Executive Officer for cloud-security company Elastica. Elastica is a cloud security applications provider. Jalil has given valuable insights on topics such as the Heartbleed Bug, and is a graduate of the Harvard Business School.