Companies that use cloud-based productivity apps are responsible for protecting their data against loss due to cyberattacks. Here are five ways to protect your data in the cloud.
Cloud-based productivity suites such as Google G Suite, Microsoft 365 (formerly called Office 365), and Zoho Office Suite are popular among small and midsized businesses (SMBs) — and for good reason. Since the productivity apps are delivered as a service, the service providers bear the burden of purchasing and maintaining the hardware and software used to run the productivity apps.
Contrary to popular belief, though, Software-as-a-Service (SaaS) providers are not solely responsible for securing their public clouds and the data that the SMBs put in them. The SMBs shoulder some of this responsibility. Toward that end, here are five ways you can protect your data if you use cloud-based productivity apps:
Companies that use cloud-based productivity apps and other SaaS offerings often do not realize that they are responsible for backing up their cloud data. The vast majority of SaaS providers explicitly state in their terms and conditions that it is the customer’s responsibility to protect against data loss due to cyberattacks and accidental deletions. SaaS providers only assume responsibility for data loss when it is due to natural disasters, infrastructure breakdowns, and other types of operational failures.
Therefore, if your company uses cloud-based productivity apps, you should put a process in place to back up your cloud data. If you don’t, you risk losing that data.
Companies that use a cloud-based productivity app (or any other type of SaaS offering) are responsible for controlling employees’ access to that program. One effective way to control access is to use multi-factor authentication (aka two-step verification).
With multi-factor authentication, employees must provide two credentials, such as a password and a one-time security code, when logging in. This extra layer of security helps prevent unauthorized access to the app and its associated data. It can also help prevent account hijacking. For example, if a hacker buys an employee’s email account credentials on the dark web and multifactor authentication is not being used, the hacker could use those credentials to take over the email account and use it for malicious purposes (e.g., send malware-laced emails to the employee’s contacts).
Cybercriminals commonly use phishing emails to spread ransomware — a type of malware that encrypts the victim’s data and holds it for ransom. The phishing emails often include an attached file that, if opened, initiates a chain of events that leads to a ransomware infection.
You can help protect against ransomware by blocking the types of files commonly used for ransomware attacks (.cmd, .bat, .job, .vbs, .wsh, .and .exe files, for example). How to do so depends on the cloud-based productivity suite your company is using. For example, in Microsoft 365, you can create mail transport rules to block risky file attachments.
Hackers who gain access to an employee’s mailbox can configure it to automatically forward the employee’s emails to an external account. They do this to steal sensitive data or get the information they need to launch other types of attacks, such as business email compromise (BEC) scams. The auto-forwarding process operates in the background, so the employee will likely be unaware that his or her emails are being sent to an external account.
Unlike most data breaches, this type of data leak is easy to prevent. You just need to configure your cloud-based email app to block any emails being automatically forwarded to external accounts.
Cloud-based productivity suites typically include a calendar app. These programs often have options that let employees share their calendars with people outside the organization. For example, in G-Suite’s Calendar app, user-level sharing options range from letting outsiders see only free/busy information (no event details) to letting outsiders see everything in an employee’s calendar and even make changes in it. Fortunately, G-Suite’s Calendar program allows administrators to control how much calendar information employees can share with outsiders at the organization level.
If your company is using a cloud-based calendar app, it is important to find out the external sharing options that are available to employees and the controls that you can use to limit how much calendar information employees can share with outsiders. Limiting external calendar sharing reduces the risk of data leaks. It also reduces the chance that a cybercriminal could use the information to plan a BEC scam.