Critical to have strategic cloud security system

KPMG highlighted the need for security teams to move beyond traditional approaches to effectively manage security and protect vital business assets in today’s new reality and threat landscape.

Alvin Gan

KUCHING: Rapid adoption of the cloud during Covid-19 spotlights the critical need for strategic vision, KPMG in Malaysia advises.

With continued lockdowns and restricted movements around the world, businesses took to the cloud to foster remote working environments, continue reaching their customers online and protect their data.

The remarkable acceleration of cloud services adoption during the pandemic isn’t a temporary trend, and it is vital to ensure that these services are governed and monitored by corporate IT, risk and cyber security professionals who understand today’s emerging threats and regulatory requirements.

KPMG’s latest report, ‘Securing the cloud’, details the need for security teams to move beyond traditional approaches to effectively manage security and protect vital business assets in today’s new reality and threat landscape.

“Cloud investment was considered the third most important technology investment during the onset of Covid-19,” KPMG in Malaysia’s IT-enabled Transformation head Alvin Gan cautioned.

“But in the rush to shift online, businesses may have taken an ‘act now, ask questions later’ approach to their digital transformation and cloud implementation.

“This could mean some sizeable gaps in their cloud security, leaving them vulnerable to new forms of cyberattacks.

“In fact, our 2020 KPMG/Harvey Nash CIO Survey revealed that four in 10 IT leaders reported their company having experienced an increase in cyber-attacks last year.

“Unless they begin enacting crucial steps to better govern their cloud security solutions, an attack on their system becomes a matter of ‘when’, not ‘if’.”

Holding the threat landscape at bay requires security teams to move well beyond manual asset management and configuration, access reviews and incident playbooks.

The following are some key lessons and insights that can provide companies with practical steps to effectively govern cloud security solutions.

A ‘shadow cloud’ concerns the use of cloud infrastructure, services and applications outside the boundaries of an organisation’s corporate IT policies. These solutions will usually result in an increased risk of exposure for corporate data, personally identifiable information and intellectual property.

Organisations should enact efficient oversight and governance of cloud technology to discourage staff and stakeholders from deploying shadow cloud solutions. This includes addressing shadow cloud issues in policies and employee standards, or blocking access to unauthorised cloud-based applications.

While cloud-based email offers much-needed flexibility to businesses enduring today’s disruptive pandemic, the convenience can also unknowingly grant access to crafty hackers anywhere, anytime. This has given rise to large-scale business email compromise (BEC) attacks.

Common cloud-based email services often come with a suite of authentication and monitoring capabilities as add-ons, which should be carefully maintained to effectively detect malicious activity.

Security teams are often reassured by the range of security monitoring tools offered as standard by cloud service providers. This could result in a false sense of security as incident response procedures look and feel different in the cloud.

Thus, security teams must not be complacent and should ensure they adapt their incident response procedure to be effective in the cloud.

“Maintaining customer trust in such a volatile situation is more challenging than ever before,” Gan concluded.

“Companies should move boldly and strategically to better safeguard their enterprise assets and customer data, ensuring they have the right systems and controls in place to protect their business, their customers, and avoid a cyber security breach which can result in reputational and financial damage.”