When midsize and medium businesses start moving their on-premise applications to the cloud, they often start with enterprise resource planning (ERP). This makes sense because ERP essentially manages the core of business activity—financial assets. But what doesn’t make sense is using the same security model for the cloud that was used for on-premise applications. Doing so leaves your essential systems exposed to risk of fraud or data loss.
With cloud, finance workflows are no longer contained within company-owned, centrally controlled systems. They are being pushed out into a complex ecosystem of applications, services, and infrastructure that belong to cloud service providers. At the same time, the ecosystem is sending critical data back into core business applications. Both incoming and outgoing data are essential for running competitive, data-driven operations.
Protecting these critical flows requires different models and tools that are designed for a cloud-based business environment and not just protection within four walls. Let’s take a closer look at this need based on findings from the Oracle and KPMG Cloud Threat Report 2019.
In 2019, 71 percent of responding businesses reported that a majority of their data hosted in the public cloud is sensitive — a 42 percent increase from the prior year. Just the fact that businesses are putting more sensitive data in the cloud increases risk, but at the same time, criminals are becoming more sophisticated at targeting cloud-based systems.
For example, email phishing is the most frequent type of attack occurring in the past 24 months, according to the Oracle and KPMG Cloud Threat Report. Hackers are targeting business workflows with seemingly legitimate emails from known cloud application providers, such as SAP, Workday, Microsoft, and others. The emails usually resemble legitimate vendor emails and prompt recipients to click on a link to make a minor but critical change to their profile. The link can take them to a well-crafted website that requires a username and password; sometimes, after those have been captured, the scheme redirects the person to an actual legitimate page to further mask the subterfuge. The criminal now has access to the application.
Criminals also use this method to gain access to cloud infrastructure-management consoles, provision new services such as compute instances, and begin to move laterally across the organization’s cloud infrastructure, taking control. A third type of offense targets the supply chain with payment fraud. Spoofed emails fool the victim into making a payment based on directions from an executive or vendor.
You can lower the risk of financial loss from phishing with these best practices:
Another example of growing criminal sophistication is ransomware, where the hacker takes control of an organization’s systems and demands a ransom paid via digital currency to unlock them. These criminals are starting to use new methods, such as botnets, to infect and propagate the ransom malware throughout the business; they are also starting to sell seized data on the dark web.
One of the most interesting results is that increased media attention on ransomware attacks is driving increased corporate spending, up to hundreds of thousands or more, on cyber-insurance programs. This has allowed the insurance industry to capture another line of business from its customers.
These are just two of many types of cybercrimes that businesses need to protect themselves from, so strengthening systems as new threats emerge can be an overwhelming responsibility—especially for midsize and medium companies that often have more limited resources than large enterprises.
Penetration testing and more-frequent patching are cited most often as having a positive impact on security, according to the Oracle and KPMG Cloud Threat Report survey. However, legitimate operational concerns can cause delays in patching, including a reluctance to reboot systems.
Increasingly, businesses are turning to automation for help. Research for the Oracle and KPMG Cloud Threat Report found that 43 percent of companies have implemented automated patch management and 46 percent plan to do so in the next 12 to 24 months. The degree to which a company adopts patching automation will depend on its circumstances, but for critical systems this could include application servers, database servers, web application servers, and load balancers.
In my next blog, I’ll dive deeper into automation and other ways that Oracle technology provides security tools at every level of the technology stack.