The cloud offers an innovative solution as evolving cybersecurity threats require businesses to protect themselves with sophisticated tools.

Cybercrime has spiked significantly in recent years, particularly with ransomware attacks, which have skyrocketed 250 percent in the past year. More and more, small- and medium-sized enterprises (SMEs) are being targeted. The Canadian Cyber Incident Response Centre (CCIRC) recently found that while 90 percent of SMEs believe a cyberattack would have a serious impact on them, 50 percent also believe they wouldn’t be targeted.

SMEs make up an incredible 98 percent of Canada’s business landscape, and cybercriminals could target any one of them at any time. SMEs are vulnerable to the same cybersecurity threats as larger companies, and in fact are often more vulnerable due to a lack of awareness and resources. Cloud-based services can help to fill those gaps.

Third-party cloud security providers have evolved to try to meet cyberattackers’ increasing sophistication by offering services tailored to businesses in any sector or industry.

“Most small, medium enterprises (SMEs) probably have some kind of unified threat management system in place which may include firewall and intrusion prevention systems, but in the cloud, you’re able to consume a broader array of cloud services,” says Matthew Hoerig, President of the Cloud Security Alliance in Canada. Costly enterprise services such as data loss prevention (DLP), federated identity, and more contemporary offerings such as blockchain security suddenly become feasible for SMEs because of the pay-as-you-go costing model. During contract negotiations with the cloud provider or cloud access security brokers (CASBs), both parties should determine the kind of services an SME may require over the life of the contract. In an IaaS service model, the SME should be able to orchestrate whatever services the client deems necessary, which then simply become part of the ongoing subscription fees paid by the client.

Hoerig adds that these capabilities can be delivered in a highly scalable manner depending on the service delivery model (IaaS, PaaS, and SaaS) employed. Data protection is probably the most important area for an SME to consider when deciding which cloud provider to engage with. With SaaS applications, the cloud provider may bear more of the responsibility for the protection of client data. However, regardless of the exposure the provider may be subject to, an SME client cannot abdicate or abrogate its responsibility or liability — it is still the data owner. Due diligence is required on both sides to ensure that privacy, security controls, and audit requirements (where applicable) are considered.

Cloud 1.0 to 2.0

Hoerig adds, “currently a widely held view is that we are undergoing a transition from Cloud 1.0 to Cloud 2.0.” Currently, Cloud 1.0 includes (but is not necessarily limited to) elastic and scalable compute and storage infrastructure, canned security services, and typically monthly service subscription fees. Cloud 2.0 will incorporate many additional client benefits such as more granular pay-as-you-go models (per-second billing), machine learning, and tools developed to mine the reams of data produced by IoT applications and sensors.

“These tools can help drive value by analyzing large amounts of data that can be monetized, providing greater value to the organization,” says Hoerig. “With Cloud 2.0 the ability to be more predictable and precise with billing, while enhancing services and security, may make cloud services a much more attractive option for SME clients.”

Safety in numbers

CCIRC has monitored growth on all sides of the equation, working with all levels of government and the private sector. The Government of Canada created the national public awareness campaign Get Cyber Safe to educate Canadians, including Canadian business owners, about internet security. Get Cyber Safe has put out a Guide for Small and Medium Business that provides practical advice on how businesses can protect themselves and their employees from cybercrime.

“Some organizations are extremely advanced and well prepared, with proactive policies from top to bottom so they know how to respond. Other organizations aren’t that sophisticated, and it cuts across all industries and sectors at various sizes,” says Adam Hatfield, Senior Director of the CCIRC. “If you’re following all of CCIRC’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions, you’re probably mitigating as much as 85 percent of the threat you face on any given day.”

Covering the balance is where the danger still lies, he adds, and that means being vigilant. For example, the WannaCry ransomware that made headlines exploited unpatched (that is, lacking the latest security updates) Microsoft Windows computers.

“If you’re a client who’s looking for a service, ask the security questions. Ask what the provider does for security, and what happens when there’s a breach. Ask how quickly you would be informed. Find out what liability is accepted by them versus what you’re responsible for,” says Hatfield. “If you’re not satisfied with the answers or they’re slow in coming, you may want to look elsewhere.”

SMEs using cloud-based services and providers are showing initiative and foresight when it comes to cybersecurity. That’s just good business.