KPMG’s latest report, Securing the cloud, has detailed the need for security teams to move beyond traditional approaches to effectively manage security and protect vital business assets in today’s new reality and threat landscape.
“Cloud investment was considered the third most important technology investment during the onset of Covid-19. But in the rush to shift online, businesses may have taken an ‘act now, ask questions later’ approach to their digital transformation and cloud implementation. This could mean some sizeable gaps in their cloud security, leaving them vulnerable to new forms of cyberattacks,” cautioned Alvin Gan, Head of IT-enabled Transformation at KPMG in Malaysia.
“In fact, our 2020 KPMG/Harvey Nash CIO Survey revealed that 4 in 10 IT leaders reported their company having experienced an increase in cyber-attacks last year. Unless they begin enacting crucial steps to better govern their cloud security solutions, an attack on their system becomes a matter of ‘when’, not ‘if’,” he added.
Holding the threat landscape at bay requires security teams to move well beyond manual asset management and configuration, access reviews and incident playbooks. Here are some key lessons and insights that can provide companies with practical steps to effectively govern cloud security solutions:
- Beware of threats lurking in the shadows
A ‘shadow cloud’ concerns the use of cloud infrastructure, services and applications outside the boundaries of an organization’s corporate IT policies. These solutions will usually result in an increased risk of exposure for corporate data, personally identifiable information and intellectual property.
Organizations should enact efficient oversight and governance of cloud technology to discourage staff and stakeholders from deploying shadow cloud solutions. This includes addressing shadow cloud issues in policies and employee standards, or blocking access to unauthorized cloud-based applications.
- Cloud-based email — opening the front door to attacks
While cloud-based email offers much-needed flexibility to businesses enduring today’s disruptive pandemic, the convenience can also unknowingly grant access to crafty hackers anywhere, anytime. This has given rise to large-scale business email compromise (BEC) attacks.
Common cloud-based email services often come with a suite of authentication and monitoring capabilities as add-ons, which should be carefully maintained to effectively detect malicious activity.
- Test your incident playbooks
Security teams are often reassured by the range of security monitoring tools offered as standard by cloud service providers. This could result in a false sense of security as incident response procedures look and feel different in the cloud. Thus, security teams must not be complacent and should ensure they adapt their incident response procedure to be effective in the cloud.
“Maintaining customer trust in such a volatile situation is more challenging than ever before. Companies should move boldly and strategically to better safeguard their enterprise assets and customer data, ensuring they have the right systems and controls in place to protect their business, their customers, and avoid a cyber security breach which can result in reputational and financial damage,” concluded Alvin.
To download the report and for more insights, visit www.kpmg.com.my/insights
 2020 KPMG/Harvey Nash CIO Survey