By Brad Atkin, CPA, CISA, CITP – Shareholder, IT Advisory and Security Group – Doeren Mayhew

Business productivity and efficiency has quickly become revolutionized by the robust and flexible environment offered by the cloud.  As the “cloud” becomes a household name, it is important to understand not only the business strategies, technologies and architectures represented, but also the risks and defenses.

In general terms, the cloud is a movement from owned resources to shared resources in which users receive information technology services on demand from a third-party provider. End users are being migrated to cloud applications as default software in their hardware devices, while enterprise cloud applications are being used as storage solutions to host, manage and share data. Reality is, cloud-based services hold a significant foothold on the market now and don’t seem to be going anywhere soon. And, it’s no surprise credit unions want in on the action. With the ability to free up internal resources, credit unions are becoming increasingly dependent on the trend of adopting cloud-based applications and services.

The problem is, every technology is susceptible to misuse and mistreatment. Cloud-based applications are no exception. By nature, these applications involve a significant amount of shared resources. Like most security incidents, the nefarious actions on an application your credit union is using could potentially result in financial losses, compliance related problems and fines, and significant reputation risks to the credit union. If your credit union is using cloud-based applications, it needs to have enterprise-wide approaches in place to identify the flow of information, mitigate potential risk and have action plans in place to remediate weak spots.

The Current Threat Landscape

Major cloud-based applications across the nation are exposing businesses to security breaches and malware. For example, Amazon Web Service, a cloud-based storage application, has had configuration errors leading to data exposure and security breaches. Storage drives, like Dropbox, have also recently been used to distribute malware across organizations. And, phishing attacks have recently been used to steal credentials on Google Drive. Due to the design and continued vulnerabilities being exploited more and more, it is inevitable applications, regardless of their popularity, eventually will become victims of cybercrimes, if they haven’t already.

These threats are real. Internal audit and management teams must understand them to protect the credit union and its members. Understanding the risks related to the cloud starts with an understanding of the flow of data. Develop a full understanding of the channels data flows through between users and cloud applications, especially those outside of the network. Do you know how the large amounts of confidential data is flowing in and out of the cloud applications? You should! Knowing this will help minimize the overall risk exposure and determining how to defend against attacks in an industry where confidentiality and compliance is key.

The Three Main Culprits

The three main culprits threatening the security of your credit union’s data held in the cloud are employee mistakes, malicious insiders and hackers.

1. Employee Mistakes – Employees continue to be the weakest link in cybersecurity across the board. In the cloud arena, this can include sharing a URL to a confidential document or not specifying the proper access controls, which may lead to broad access or documents being shared beyond intended users. The functionalities of cloud-based applications may be harder to control, therefore the risks need to be identified in order to properly control access.

2. Malicious Insiders – More often than not, malicious insiders tend to be disgruntled employees. Insiders can use their access privileges and position to circumvent your controls. This can include deleting or sharing of confidential files, abusing access through printing and taking screen shots, and changing access for other employees.

3. Hackers – Targeting both cloud-based applications and individual users, hackers use malware and phishing scams as common ways to indirectly gain access to cloud-based applications through unsuspecting employees. Once the account is accessed, the data can be stolen. Some cloud-based applications already have known vulnerabilities, making them susceptible to hackers. Fully understanding the application and its risk by performing due diligence before just choosing a more economically friendly provider is important.

The Defenses: What Can Be Done

Here are some things your credit union can do to prevent falling victim to cybercrimes when dealing with cloud-based applications:

Consider Overall Risk Fundamentals – Financial Institutions using outsourced cloud computing have to consider the fundamentals of risk and its management defined by the FFIEC Information Technology Examination Handbook (IT Handbook), especially the Outsourcing Technology Services Booklet. Reviews these to ensure your following these guidelines.

Proper Due Diligence – Your board of directors and management are responsible for ensuring cloud activity is conducted in a safe and sound manner, while remaining in compliance with applicable laws and regulations. Make sure they have addressed data classification, segregation and recoverability. Also, determine the adequacy of the provider’s internal controls.

Business Continuity Concerns – Address business continuity and the recovery, resumption and maintenance of the entire credit union. Determine if the servicer and network carriers have adequate plans and resources to ensure continuity and recoverability.

Understand the Network – Discover the types of cloud-based applications used, how users interact with them and the risk posed to the credit union. This is especially critical in an environment when employees can connect to their own devices.

Enforce Your Policies – Actively block the threats before they are distributed. Administrators need to enforce policies to detect malware and keep data confidential.

Scan All Files for Confidential Data – There are services available that can scan files for confidential data (PII, PCI, HIPPA, etc.) during the upload to reduce the risk of attempts to steal data. Security applications also ensure these files are not shared too broadly and protects the confidential data from users without rights.

Scan All Files for Malicious Content – All files coming in and out of the cloud need to be scanned for viruses and malware. Active threat detection will reduce the risk of malicious files going in or out of the cloud, and reduces malicious files being spread to a significant amount of users. Look for a security service that integrates with the cloud.

Have a Strong Security Position – The cloud application must be subject to vulnerability assessments, configuration reviews and penetration tests. If housed outside of your organization, ensure this is being done through the vendor due diligence process. The constant change in the threat landscape should be continually evaluated.

For more information on how you can protect your credit union from cloud-based application vulnerabilities, contact Doeren Mayhew’s cybersecurity advisors today.