Cloud computing is not as secure as people say

More and more SMEs are migrating to the cloud. This is no reason to let our guard down.

Contrary to what many entrepreneurs believe, the cloud is not a more secure computing environment than others. It is, at most, the equivalent of a server located outside the company walls, in a data center somewhere in the world.

For many small and medium-sized businesses, cloud computing is advantageous, in particular because it allows capacity to be doubled as needed and quickly, without spending a fortune on hardware.

“Entrepreneurs think Microsoft, Amazon or Apple are safe. However, you have to apply the same security mechanisms as if your data were saved on servers located in the company’s offices,” says Guillaume Caron, President and CEO of VARS, cybersecurity division of Raymond Chabot Grant Thornton.

No less vulnerable

IT giants and web hosts are not immune to disasters and outages, as the outage that crippled Facebook all day in early October showed. And they are constantly the target of cyberattacks, as they now occupy a central place in the supply chain.

“For example, SMEs will use cybersecurity services to protect data, systems and applications located in the cloud,” continues Mr. Caron. “They must ensure, among other things, that these systems are updated and that good security practices are applied by implementing the appropriate controls.”

Having good practices in a cloud computing environment remains a priority, because even in the cloud, SMEs have a responsibility to protect the confidentiality of sensitive data. That responsibility does not fall to the Amazons of this world.

We must therefore use the usual techniques to protect ourselves against phishing attacks or intrusions that lead to ransom demands, that is to say, technologies and monitoring services adapted to the needs of the company.

Choose the right web host

There are different types of clouds in the sky … as well as in computers!

Choosing a web host depends on several factors, but the most important are:

  • the size of your business and the IT resources you have;
  • the nature of your data;
  • laws and regulations specific to your industry.

If your SME is very small and consumer services such as Dropbox, iCloud, Google Drive or OneDrive are sufficient to meet your needs, questions still arise, because no one reads their contracts or what they say about your data if it is hosted outside the country (which is usually the case).

However, if this data is sensitive, that can be a game-changer, especially if you keep confidential information: customer, supplier, employee contact details; medical records; payment information …

“Are your clients from Quebec, Canada or Europe? Depending on the case, is your responsibility defined by the new Quebec law on the protection of personal information, the federal equivalent or by the European General Data Protection Regulation [GDPR]?” asks François Daigle, vice-president, professional services at OKIOK.

You can also choose a conventional host, such as Web Hosting Canada, Rapidenet, Astral Internet or even Amazon, Oracle or Microsoft Azure.

“You then have to confirm if it is certified according to certain security standards (such as SOC 2 Type 2),” continues Daigle. “And a certificate is not enough: you have to ask for a compliance report and have it checked by an IT security specialist, in order to ensure that this compliance specifically matches your company’s needs.” We are talking about a few hundred dollars well invested.

In Quebec?

Most hosting providers are able to guarantee that your data is housed in a server center located in Quebec or Canada.

This matters, because compliance in certain industries requires that the data be closely supervised. Some rules even require that it be kept on Canadian or Quebec soil, all the more so since many countries are lax when it comes to data protection or the security of installations.

PROCESS OF A RANSOM ATTACK

  • There is a ransom attack every 14 seconds in the world.
  • Usually, this is the last step in the attack chain, as hackers may have broken into company systems three to six months earlier.
  • They work their way in by stages, unseen and unnoticed, to:
    • escalate privileges (obtaining access rights normally reserved for legitimate administrators) to gradually gain control
    • disable security systems, such as antivirus
    • encrypt data and backup copies
    • neutralize backup systems
    • control email systems
    • steal data or intellectual property
    • indirectly infect customer or supplier systems, etc.
