April 24, 2019 by Jason Contant
As businesses increasingly move to the cloud to provide services, their cyber risk is also being greatly heightened, a cyber security professional told Canadian Underwriter recently.
Many companies are outsourcing sensitive activities such as human resources or payroll to cloud providers. But with this shift to the cloud comes more risk, particularly through something like a phishing email scam, in which a cyber criminal tries to convince an employee to divulge personal information like a username and password.
“We are getting much more risk, much more impact to these [cyber] losses now,” said Manish Khera, cyber security incident response and investigations leader with Ernst and Young Canada. “Because once an adversary gets access to your mailbox with a phish email scam, they can now log in to your cloud services with that same email and password to put the company at great risk.”
That risk could come in the form of “stealing HR data, personally identifiable information or montaging some sort of process that you have in place in a cloud service.” For example, it could involve payroll, such as redirecting payouts; it could involve accounts payable or paying vendors.
If they phish the “right person,” such as an IT administrator, or an HR, payroll or accounts payable employee, “you can have a lot of risk there,” Khera said.
He spoke to Canadian Underwriter last week about mitigating cyber risk. He was also part of the panel discussion People Problems on Apr. 5 at NetDiligence’s Cyber Risk Summit in Toronto. Among the topics discussed were breach prevention and mitigation techniques.
What can employers do to make sure end users don’t fall victim to scams? Proper training is key, Khera says. For the general end user population, there could be anti-phishing training, where a “test” phishing email is sent to the employee. If the employee clicks on the link by accident or enters their credentials, they will be given a training session or warning.
Privileged users that have access to more sensitive information or data can be given more targeted training. For example, they could better protect their environment by using multi-factor authentication.
There are other mitigating controls for more technical users. This could come in the form of a plug-in for a browser that lets the user know their “username and password have been compromised in a breach at XYZ Company,” Khera said. “Therefore, you know better than to use that username/password combination again,” he said, noting that there are “a couple billion different username/password combinations out there in the environment that you could buy as an adversary.”
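The article does not name the plug-in Khera refers to or say how it works. The following is an added example, not code from the article or from any product, showing one common way such a compromised-credential check is built: the client hashes the password locally and sends only the first five hex characters of the hash to a breach lookup service, which returns every known hash suffix under that prefix, so the full password (or even its full hash) never leaves the browser. The breach corpus, the `range_query` service stub and the counts below are all constructed for the example; a real deployment would query a breached-password service over HTTPS instead of a local dictionary.

```python
"""Added example: a local compromised-credential check using the
k-anonymity range-query pattern. Nothing here is the article's or any
vendor's code; the breach data below is made up for illustration."""
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen in leaks.
# Real corpora hold billions of entries; these five are invented.
LEAKED_PASSWORDS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 150_000,
    "qwerty": 4_000_000,
    "Summer2019!": 12,
}


def _sha1_upper(value: str) -> str:
    """Uppercase hex SHA-1, the encoding breached-password services use.
    SHA-1 is fine here: it is an index key, not a password store."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_index(leaked: dict) -> dict:
    """Service-side index: 5-char hash prefix -> {35-char suffix: count}."""
    index: dict = {}
    for password, count in leaked.items():
        digest = _sha1_upper(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


BREACH_INDEX = build_index(LEAKED_PASSWORDS)


def range_query(prefix: str) -> dict:
    """Hypothetical service endpoint. It receives only a 5-character prefix,
    so it cannot tell which of the (typically hundreds of) matching hashes
    the caller actually holds. Returns {suffix: count} for that prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(BREACH_INDEX.get(prefix, {}))


def times_seen_in_breaches(password: str, query=range_query) -> int:
    """Client side (what a browser plug-in would do): hash locally, send
    the prefix only, and match the suffix locally. 0 means not found."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return query(prefix).get(suffix, 0)


def check_credentials(username: str, password: str) -> str:
    """User-facing verdict of the kind Khera describes. The username is only
    echoed back; the lookup is keyed on the password hash prefix alone."""
    count = times_seen_in_breaches(password)
    if count:
        return (f"{username}: this password appears {count} times in known "
                f"breaches; do not reuse it")
    return f"{username}: password not found in known breaches"


if __name__ == "__main__":
    # Sample usage with constructed credentials.
    print(check_credentials("alice@example.com", "letmein"))
    print(check_credentials("bob@example.com", "correct horse battery staple"))
```

The design choice worth noting is the split between `times_seen_in_breaches` (client) and `range_query` (service): the client hashes before sending and the service only ever sees the prefix, so the same code shape works whether the corpus lives in memory, as here, or behind a remote API. Because the service returns a whole prefix bucket, a plug-in can also cache buckets and re-check on every login without repeating network calls.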