Craig McDonald 05 September 2019 14:30:33 AEST 8 MIN READ

Do you know who is accessing your company data right now?

It might be your CFO, reviewing transactions for the monthly executive payroll.  

It might be your part-time HR intern, helping to organise a training session and accessing employees’ calendars in a public library. Or it might be the external marketing agency your CMO just hired, accessing your company’s social media platforms to post a new campaign. 

Or it could be a cybercriminal who has illegally gained access to your network using login credentials stolen from the heating company that you employ.  

That’s actually what happened to Target in 2013, when it was discovered that confidential data of up to 110 million customers had been compromised via an air conditioning company Target had hired to ventilate its offices. 

My point is – today, your data can be accessed from anywhere.  

The ready availability of cheap data storage & cloud sharing platforms has led to the widespread distribution of data. A company could have terabytes of random files squirrelled away in server farms or cloud storage facilities.  

But that means securing that data becomes harder too. It’s become tough to know exactly where it is all stored. Think about who has access to your confidential data. Is it secure? Will you know if it gets compromised in any way? 

Multiple studies point to the growing relevance of these questions. The 2018 Data Security Confidence Index from Gemalto,for example, found that 65% of companies around the world say they “gather too much data”.  

54% of companies also didn't know where all of their sensitive data is stored, and 68% don’t do what’s necessary to maintain GDPR compliance. That’s terrifying, more than half don’t know where their data is stored, or if they’re GDPR compliant.  

While it’s pretty clear that our usage and reliance on data is set to grow, it’s unclear whether we’re doing all that we can to secure it. 

Operation Cloud Hopper: How a scam email brought down the world’s top companies 

Knowing how to meet the rising level of risk that accompanies the explosive growth of data becomes especially relevant in light of revelations from Operation Cloud Hopper.  

Operation Cloud Hopper is the name given to attacks on Managed Service Providers (MSPs) that were uncovered in 2016 in a joint effort by PwC and BAE SystemsThe research discovered that multiple service providers (like HPE and IBM) were the target of attacks by a group of Chinese state-linked hackers known as APT10. Customers hacked from these compromised MSPs included lifeblood companies around the world, such as Sabre, Ericsson, Syngenta and Huntington Ingalls. 

For all its sophistication, APT10 started the ‘Cloud Hopper’ attacks with a spear-phishing email, just like almost every common ransomware attack (see why I keep harping on about fortifying your email security?). APT10 spent significant time researching MSPs so they could send legitimate-looking emails that had a malware payload delivered either via attachments or web links. Once identified as a threat, they changed out the payload to a new one and continued the attacks. 

When they gained access into MSP systems through this malware, they could explore, find the jump servers - the way into MSP customers’ servers - and then take a look around, funnelling customer data out. 

What I think is the scariest part, though? The MSPs that were hacked were high-tech, sophisticated companies with cyber-savvy employees and the highest levels of security.  

If their networks can be compromised, so can anyone’s. How can you then safeguard your data and prevent your company from being hacked?  

Be proactive. Don’t wait until you are hit. 

Operation Cloud Hopper is firstly, a great example of the massive proliferation of data today. You simply can’t know how your data is being stored and accessed all the time. It may be accessed by an employee working overtime in your file storage room, or an external third-party vendor on another continent. Each time your data is accessed, it opens up a host of vulnerabilities in your data security defences that have the potential to compromise your company.   

Secondly, it’s a reminder of the importance of re-visiting your data security strategy regularly. 

I know companies typically put in place multiple measures to protect their data, but it’s becoming critical to continuously enhance and fortify those defences. There’s no way of knowing when and how you might be hit, but we DO know that cybercriminals will attempt to break into your systems at one point or another and take advantage of ANY possible vulnerability in your cybersecurity strategy.  

That’s why I always recommend a multi-layered tech stack as a must-have for businesses. This means looking at security from all sides, in the event that if one defence fails, the others will stop the incoming threat. 

An ideal multi-layered approach should consider: 

  • Protecting physical, email and web vectors against attack, 
  • Knowing where your critical information system assets reside, and who should have access to them, 
  • Continually evaluating user privileges by monitoring any escalations to ensure the integrity of user access, 
  • Adding additional controls to ensure transaction credibility, such as multi-factor authentication, 
  • Enforcing a stringent password policy that utilises a password manager to generate strong passwords, 
  • Keeping your networks updated and patched, 
  • Risk monitoring and reporting to enable a real-time assessment of the vendor risk profile, 
  • Vulnerability assessment testing which involves both automated tools and manual techniques, and 
  • Security monitoring to facilitate and prompt detection of unauthorised or malicious activities by internal or external actors. 

Don’t underestimate the importance of training and education  

The unpalatable truth behind Operation Cloud Hopper is that it could have been prevented if along with stringent email security measures, organisations had proper cybersecurity training in place and employees were better at identifying hoax emails from real ones. 

Not everyone in your organisation has to be an IT expert, but everyone should have a basic understanding of the cyber-threats like malicious email that they are likely to encounter on a daily basis. There are several inexpensive means of providing this information to them, such as finding free guidebooks online and/or workshops on how to be cyber secure. That’s why I wrote ‘Surviving the Rise of Cybercrime,’ a free e-book designed to give non-technical executives a basic understanding of cybercrime. You can download your free copy here, and share the link with others in your team. 

The explosive growth of data today requires an equally enthusiastic and effective campaign protecting that data. Adopting a multi-layered approach to securing your company’s cyber vulnerabilities may perhaps be your best bet in breach-proofing your company. Don’t wait to find out whether your company has been hit, act now.  

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets.  If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.