The Cloud provides 100% Cybersecurity - 15 Dangerous Cybersecurity Myths - Day 11

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths

You may be struggling now, to clearly see the big picture but once you separate the myth from the truth, you can begin to significantly reduce your risk over the next 15 days through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link survivingcyber.com/workshop to register now.

Myth Number 11 - The Cloud provides 100% Cybersecurity.

Now, today, as we continue the series, we're going to explore myth number eleven: "The Cloud provides 100% Cybersecurity”. I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe".

Let's explore the thinking behind the myth that the Cloud provides 100% Cybersecurity. Now, when I talk about operating in the cloud, we should think about the public cloud platforms provided by major companies, and the fact that a large number of ‘software as a service’ applications run in the cloud. Small businesses rely on SaaS applications every day and most of those also run in the cloud.   

  • The first point often heard from small businesses is as follows: “Our systems and data are in a cloud environment provided by one of the major public cloud providers, e.g., Amazon Web Services (AWS), Microsoft Azure, Google Cloud; so, we don't have to worry about cyber security. They take care of everything for us”. I often encounter this view even with relatively sophisticated digital companies that have built their systems in the cloud, with one of these major providers. I will explain why the truth is a bit more nuanced than this and that it is a mistake to assume that any third party will take care of your cybersecurity for you. We'll get to that later. 

  • The second view I often hear expressed is: “Even if we had a cyber incident, we'd be back up and running in no time because our systems and data are backed up as a standard service from our cloud provider”. It is true that a lot of the cloud providers do provide backup services and because of the size of these companies and the sophisticated infrastructure that we're talking about, a very professional service can be provided. Having a recent backup available certainly helps recovery in the event of a cyberattack, but as I'll show in a little while, it doesn't provide 100% cybersecurity. 
  • A third point I often hear is: “Cloud platforms provide inbuilt security ‘out-of-the-box’ so I'm getting cybersecurity built-in when I use one of these major cloud platforms and because they have a strong cybersecurity focus, I don't need to worry about cybersecurity.” This view is commonly held by companies who are using these platforms for their IT infrastructure and it’s understandable why this would be the case. 

It’s true that there is inbuilt cybersecurity in major cloud platforms. IT Professionals consider that there are significant advantages available from using a major cloud provider’s platform over having your own 'on-premises' server. However, like most things in life, it is not a 100% solution, and the devil is in the detail.

A Dangerous Myth

So why is believing the myth that the Cloud provides 100% Cybersecurity dangerous, if we've accepted that the cloud can provide good cybersecurity? It's a dangerous myth because it can lead the business to rely entirely on cloud platforms for its cybersecurity and this is ignoring the shared responsibility model, which all cloud providers use.  

Truth Number 11 - cloud platforms operate under a shared responsibility model whereby you share responsibility with the cloud provider  

So, let's look at the truth behind this myth which is that cloud platforms operate under a shared responsibility model whereby you share responsibility with the cloud provider.

  • The first point to acknowledge is that cloud platforms do provide inbuilt security, ‘out-of-the-box’, because of the strong security focus of the companies. However, no company is immune to cyber-attack and no company is immune to operational issues such as downtime. Most major cloud platforms have experienced some form of cybersecurity incident in their history, and a problem in the cloud platform can very easily become a problem for each user of the platform. 
  • The second point is the shared responsibility model operated by all cloud service providers which says, firstly, that the cloud provider is responsible for the security of the cloud. So, they are responsible for the infrastructure that they've created, and making that infrastructure secure is their responsibility. But the model also says, secondly, that the user company is responsible for security in the cloud. This means that you're responsible for any software that you deploy in the cloud, the data that you process, and for the activities of your employees as they interact with the platform.

Of course, all of these risks exist in a non-cloud environment, so it's really no different. You need to have the same controls in place in your company for cloud systems as you do for non-cloud systems. This includes strong passwords, multi-factor authentication, backups, software patching updates, data encryption, and, critically, employee training. Now, as I've said, some of these will be provided ‘out-of-the-box’, but not all of them. So, as a platform user, you have obligations to make sure that all of these are taken care of. 

  • And finally, the other problem that can arise from use of cloud platforms, and often the bigger problem, arises from the poor configuration of the platform by the user. Now, this risk might not be an obvious one, but because of the complexity of these platforms, configuring the platform itself is a complicated task and if it's done incorrectly, and poor configuration results, that can lead to serious cybersecurity problems, for which the user will be responsible. So, if you leave the door open, so to speak, for the cybercriminal to get into the Cloud Platform, that will be your problem, and not the problem of the cloud provider.

So, while it's true to say the cloud platforms offer a lot to small companies, and are generally a very good idea, they are not a 100% solution to cybersecurity. The same controls that apply in the off-cloud world need to be in place for the cloud world.

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link survivingcyber.com/workshop. I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.