For organisations whose hardware, software and data where the centre is located on site and directly under their control, organisations are free to determine their own security posture and policies. However, much of this oversight is lost when migrating to the Cloud. Most Cloud providers share a pool of resources between hundreds, if not thousands of other users.
Organisations may use the hardware and software provided – Software as a Service (SaaS). Other organisations want hardware and IT infrastructure – Infrastructure as a Service (IaaS). Some want something in between – Platform as a Service (PaaS). Each model places different levels of responsibility on the customer. Organisations must be clear what security measures they are expected to take and where the responsibilities lie.
The following points to take note when checking your security responsibilities:
1. Does the cloud encrypt stored data? Who has control of the encryption keys, if it’s the cloud provider how do you know that they will be kept secure?
2. When your data travels over the internet, will it be encrypted? A VPN gives a high degree of privacy when communicating with cloud applications.
3. When changing providers, or leaving the cloud environment, organisations need to know that data will be removed from all hard drives. In the cloud these resources will be reallocated to other users. Check how the provider intends to make data inaccessible to others and what guarantee they offer.
4. Many cloud providers offer self-service portals where you can access reports, logs. Check with the provider what these show and whether they give you adequate visibility of security incidents.
5. Check that any software used has been developed with security in mind.
6. Using the cloud is often seen as a way to provide business continuity and recovery. What if your cloud provider has problems? Check what redundancy and resilience the Cloud Provider has.
What is sensitive, private and confidential? Employees need to understand how valuable or sensitive data is, then it is more likely to be handled with the care and attention it deserves.
Most security incidents occur because of poor security policies. If employees are using poor passwords to connect to systems, or have access beyond that actually needed to do their job, then invest time and effort educating users.
Check that employee are trained to use applications correctly.
We are seeing a growing trend of so called ‘sextortion’ phishing emails. This is where the sender claims to have compromising images of the recipient and often the email will include a password that the victim has previously used, to add authenticity. Advice from Action Fraud.
These are fundamentally different to actual sextortion attempts where the sender does possess compromising images of the victim. The advice for this remains the same; anyone who is sent an email which includes compromising images and/or a request for payment should contact their local police force.
The free vouchers scam has moved to a new variant with phishing emails being sent to recipients claiming to be from Tesco, offering free vouchers. The email features a link for recipients to register and claim their free voucher which provides an opportunity for criminals to steal email logins, passwords and personal details.
A recent fraud involved the sale of a car where the suspect used the Covid19 lock down as a reason the victim could not see the vehicle and persuaded the victim to pay by bank transfer.
Reporting to Action Fraud can be done online or by calling 0300 123 2040. To report offers of financial assistance from HMRC, contact phishing@hmrc.gov.uk.
This advice has been collated by the East Midlands Regional Organised Crime Unit (ROCU) and is intended for wider distribution to raise awareness among businesses and the public.Advice and information is changing daily as we navigate our way through the COVID-19 pandemic, so please ensure you only take information from reputable sources.
If you require any further information, assistance or guidance please contact the ERSOU Protect Team CyberProtect@ERSOU.pnn.police.uk or your local Force protect team.
Message from: Mr Nigel Sutton 8517, Cyber Protect Officer.
Working together to deliver an inclusive and professional policing service with: Fairness, Integrity, Diligence and Impartiality
