Expert Advice for Medium and Midsize Businesses

Don’t Rely on Old Processes to Secure Cloud Systems

Greg Jensen
Sr Principal Director - Security - Cloud Business Group

When midsize and medium businesses start moving their on-premise applications to the cloud, they often start with enterprise resource planning (ERP). This makes sense because ERP essentially manages the core of business activity—financial assets. But what doesn’t make sense is using the same security model for the cloud that was used for on-premise applications. Doing so leaves your essential systems exposed to risk of fraud or data loss.

With cloud, finance workflows are no longer contained within company-owned, centrally controlled systems. They are being pushed out into a complex ecosystem of applications, services, and infrastructure that belong to cloud service providers. At the same time, the ecosystem is sending critical data back into core business applications. Both incoming and outgoing data are essential for running competitive, data-driven operations.

Protecting these critical flows requires different models and tools that are designed for a cloud-based business environment and not just protection within four walls. Let’s take a closer look at this need based on findings from the Oracle and KPMG Cloud Threat Report 2019.

Cyber Criminals Are Using More Sophisticated Tactics

In 2019, 71 percent of responding businesses reported that a majority of their data hosted in the public cloud is sensitive — a 42 percent increase from the prior year. Just the fact that businesses are putting more sensitive data in the cloud increases risk, but at the same time, criminals are becoming more sophisticated at targeting cloud-based systems.

For example, email phishing is the most frequent type of attack occurring in the past 24 months, according to the Oracle and KPMG Cloud Threat Report. Hackers are targeting business workflows with seemingly legitimate emails from known cloud application providers, such as SAP, Workday, Microsoft, and others. The emails usually resemble legitimate vendor emails and prompt recipients to click on a link to make a minor but critical change to their profile. The action can take them to a well-crafted website that requires a username and password, and sometimes, after those have been captured, the scheme redirects the person to an actual legitimate page to further mask the subterfuge. The criminal now has access to the application.

Criminals also use this method to gain access to cloud infrastructure-management consoles, provision new services such as compute instances, and begin to move laterally across the organization’s cloud infrastructure, taking control. A third type of offense targets the supply chain with payment fraud. Spoofed emails fool the victim into making a payment based on directions from an executive or vendor. 

You can lower the risk of financial loss from phishing with these best practices:

  • Conduct ongoing training that teaches people how to recognize all forms of business email compromises.
  • Use email security solutions that inspect email content, inclusive of text, links, and attachments.
  • Conduct simulated phishing attacks to test the effectiveness of training. Identify weaknesses, adjust the training plan, and benchmark progress over time.
  • Update endpoint security software to the latest release to detect and prevent attempts to gain a foothold into your systems via a phishing attack.
  • The most important step is using advanced identity and access management controls, including multi-factor authentication and behavior analytics to identify abnormal actions by employees.
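
As an added illustration of the link-inspection practice in the list above (this is not code from the report or from any Oracle product), the sketch below flags a message whose From name or Subject claims a known cloud vendor while the sender address or embedded links point somewhere else, which is the pattern described earlier. The allowlist, the `inspect_email` and `host_matches` names, and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed, illustrative allowlist: brand keyword -> domains that brand links to.
VENDOR_DOMAINS = {
    "workday": {"workday.com", "myworkday.com"},
    "sap": {"sap.com"},
    "microsoft": {"microsoft.com", "office.com"},
}
HREF_RE = re.compile(r'href=["\'](https?://[^"\']+)["\']', re.I)

# Constructed sample: vendor brand in From/Subject, look-alike hosts underneath.
PHISH = """\
From: "Workday Notifications" <no-reply@workday-profile.example>
Subject: Action required: confirm your Workday profile
Content-Type: text/html

<a href="https://www.workday.com.login-check.example/profile">Update profile</a>
"""

def host_matches(host, domains):
    """True only if host is an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def inspect_email(raw):
    """List mismatches between the brand a message claims and where it points."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    # decode=True undoes base64/quoted-printable so encoded bodies are inspected too
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if not p.is_multipart())
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    findings = []
    for brand, domains in VENDOR_DOMAINS.items():
        if not re.search(rf"\b{brand}\b", claimed):
            continue
        if not host_matches(sender_host, domains):
            findings.append(f"sender {sender_host} is not a {brand} domain")
        for url in HREF_RE.findall(body):
            host = urlparse(url).hostname or ""
            if not host_matches(host, domains):
                findings.append(f"link host {host} is not a {brand} domain")
    return findings

if __name__ == "__main__":
    for finding in inspect_email(PHISH):
        print("FLAG:", finding)
```

The suffix comparison in `host_matches` is what catches a host that merely contains the vendor's domain as a prefix; a substring check would pass it.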

Another example of growing criminal sophistication is ransomware, where the hacker takes control of an organization’s systems and demands a ransom paid via digital currency to unlock them. These criminals are starting to use new methods, such as botnets, to infect and propagate the ransom malware throughout the business; they are also starting to sell seized data on the dark web.

One of the most interesting results is that increased media attention on ransomware attacks is driving corporate spending on cyber-insurance programs up to hundreds of thousands or more. This has allowed the insurance industry to capture another line of business from its customers.

Automation Helps Companies Keep Pace with Criminals

These are just two of many types of cybercrimes that businesses need to protect themselves from, so strengthening systems as new threats emerge can be an overwhelming responsibility—especially for midsize and medium companies that often have more limited resources than large enterprises.

Penetration testing and more-frequent patching are cited most often as having a positive impact on security, according to the Oracle and KPMG Cloud Threat Report survey. However, legitimate operational concerns can cause delays in patching, including a reluctance to reboot systems.

Increasingly, businesses are turning to automation for help. Research for the Oracle and KPMG Cloud Threat Report found that 43 percent of companies have implemented automated patch management and 46 percent plan to do so in the next 12 to 24 months. The degree to which a company adopts patching automation will depend on its circumstances, but for critical systems it could include application servers, database servers, web application servers, and load balancers.

In my next blog, I’ll dive deeper into automation and other ways that Oracle technology provides security tools at every level of the technology stack.

Learn more about Oracle Cloud Security.
