The importance of reducing your attack surface

Over the past week or two, cyber attacks and the issue of security have dominated the news. Now while the average accountancy firm shouldn’t worry too much about being caught up in an Iran-funded cyber war, and isn’t as high profile a target as Travelex, both are a topical reminder of the dangers to financial services firms of being hacked and, in the worst case scenario, experiencing a data breach. Understandably, your vulnerability to cyber attack increases when you migrate to the cloud — and many more accountancy practices, like firms in every other sector, are doing precisely that. After all, while the key benefit of the cloud is instant access to everything you need wherever you happen to be in the world, the downside is that that same data is available to everyone else in the world, should they somehow happen to get in. So how are cloud-based environments vulnerable? Without wanting to get too technical, there are two ways that your company can be hacked in the cloud: An attack on the physical architecture of the specific cloud technology you are using, whether that’s a ‘brute force’ or ‘dictionary’ attack on your passwords (where the hacker uses sophisticated algorithms to try and identify your passwords), a Distributed Denial of Service, or DDoS attack (where the hacker floods your system with superfluous requests in an attempt to overload and crash it), or by simply exposing a specific cloud environment to a virus or piece of malware An attack on the people who have access to your cloud environment through phishing and other ‘social engineering’ tactics centred around exploiting their trust or curiosity, e.g. where one of your employees is called by a hacker pretending to be a senior person in your organisation and asked for their password; where an employee logs into what they believe is your genuine cloud environment but is in fact a criminal duplicate of it; or when one of your employees is sent a file on email with a name that they will find too hard to resist opening (think ‘2020 Company Salary Review’) Now when they switch to a cloud environment, most firms assume that they will be protected by the know-how and security measures of the provider in question. Sadly that’s not always true. Yes, all cloud providers will have a number of security measures that protect their customers’ data, e.g. they will regularly patch and update all employees’ ‘virtual machines’ (the interfaces they log in through) and will often not allow someone to access sensitive data when they are on a free hotspot in Paddington Station; but not all cloud providers will offer the most robust security measures, those that significantly reduce what we cloud engineering geeks call a company’s ‘attack surface’ (the sum total of all its points of vulnerability). One of the most advanced ways that a cloud provider can protect your business, and materially reduce its attack surface, is through the employment of machine learning technology that immediately spots anomalies, or behaviours that don’t fit recognised patterns, the moment they arise. For example, if Jill from audit tries to log in at 2am when she has never done so before, the technology will immediately block her activity as suspicious and require her to pass through a two-factor authentication process to get access. The same would happen if Stephen, from the corporate tax division, tries to log into client files he has never sought access to before, or if Rachel from payroll tries to log in from an IP address that is not recognised. Unfortunately this kind of AI-powered technology is not something that all cloud providers offer, but for me it is one that all accountants should demand. Given that most hackers will target people rather than systems (people, all hackers know, are far more vulnerable and easier to exploit), it provides the best defence possible to reduce your attack surface and keep your and your clients’ data safe. So always ask a cloud provider not just how bullet proof their technology is, but about how they will bullet-proof the activities – and vulnerabilities – of your staff. Because your staff, while being your company’s biggest asset, are also its Achilles’ Heel. Jamie Costello is the co-founder of Paycircle ,the cloud-based payroll platform. Prior to Paycircle, he worked as a senior engineer at Microsoft and was instrumental in the creation of the company’s cloud technology.