Back to blog Cloud Security Risks: Securing Buy-in from Internal Stakeholders

If you’ve ever needed to get sign off from your board for cloud services, you may have already experienced varying degrees of scepticism or faced a barrage of questions based on outdated and unfounded fears about security.

In this blog, we aim to arm you with the tools to address these concerns upfront and get the board onside straight away.

Speak the language of the board

IT experts have a habit of leading with technical language and dropping in too many acronyms, assuming everyone has the same understanding of technology. As a result, the audience is confused, alienated and will switch off. If your board or senior stakeholders don’t understand you, they are naturally going to be more hesitant about what you are asking from them.

Quite simply, the c-suite and senior executives care about business. Their primary concerns involve mission-critical operations and bottom-line profits. Cloud security risks can threaten their business, so present your case in the right way and you will have the ear of the board. Cloud security is just like any other business function and needs to be presented as such.

When presenting to the key stakeholders focus on business metrics. Quantify how much monetary loss your systems have prevented and how much money can be saved by making the investment you are asking for. To think about cloud security as a business function you need to think about how much resilient your infrastructure will be after the required investment.

If the new solution increases resiliency by 25%, the board will understand what you are proposing. If you go in talking about building a multi-node, multi-tiered redundant stack, you will almost definitely be met with a room of blank faces. Nothing makes it simpler for the board than visuals, numbers and charts that convey the core benefits at a glance.

New call-to-action

Outline the current challenges

Once you have the attention of the board, you need to present your requirements in a way that they will understand. Frame your cloud security requirements in terms of the challenges the business is facing. You may wish to focus on the risk to business operations.

The board may not accept that the risk you present is real. If that happens, it could be wise to look at the issues that will get their attention. Try to identify the challenges keeping directors up at night that can be addressed by your requested investment? Is it, for example, the catastrophic potential of a data breach, or ways to address the increasingly complex regulatory landscape?

If you can show progress toward their objectives by delivering one of your own, it’s going to be an easier sell. Despite talking challenges, avoid being negative, aim to stay positive and focused on business outcomes, not technology.

Common cloud security risks and how you can alleviate them

1.Distributed-Denial-of-Service Attacks (DDoS)

DDoS stands for Distributed Denial of Service, which refers to the deployment of hundreds to hundreds of thousands of internet bots. They are designed to attack a single server, network or application with an overwhelming number of requests, thereby denying service to legitimate users.

High-profile DDoS attack targets have included Github, which was hit with a sudden onslaught of traffic that clocked in at a record-breaking 1.35 terabits per second. Cloud providers offer DDoS mitigation as part of their offering, usually for an additional fee.

With a managed services provider, this may be part of a service wrap and with the public cloud, look for services such as AWS Shield and Azure DDoS Protection.

2.Threat from Within

One of the biggest security threats comes from within your own company. This includes staff not doing what they should or doing things that they shouldn’t. Bring Your Own Device (BYOD) adds many endpoints that access cloud solutions on your network, increasing the risk of a breach.

The board themselves present a risk, which is why we recommend conducting staff training and education starting with the board and senior management. This training should include proper practices to protect data and ensuring this is an ongoing process. Audit who has access to systems, the level of access they have and restrict it where possible, especially with critical systems.

This training should also cover anyone who has access to the company’s systems outside of your employees (contractors, non-execs, trusted partners). It’s unlikely that they will create a malicious attempt to disrupt your business, but they could unintentionally put data and systems at risk through negligence.

3.Data Breaches, Data Loss and Inadequate Data Backups

Data breaches and data loss can damage a company's reputation and finances. They could potentially result in loss of intellectual property and significant legal liabilities. This will be a big concern for your board, and it is usually behind their resistance to adopt cloud services. There are a number of things you can do to reduce your risk, and these should be communicated with the stakeholders.

Inadequate data backup has many businesses vulnerable to ransomware that encrypts a company's data, only allowing them to access the data once a ransom has been paid.

With appropriate data backup, your company should not fall prey to this type of attack. Some attackers specifically want the data so you should define the value of your data and the impact of its loss. Understanding who has access to data is a key question in protecting it. Data that is internet accessible is most vulnerable to misconfiguration or exploitation. You should create a robust, tested incident response plan that takes your public and private cloud instances into account.

4. System Vulnerabilities

Cloud providers take security seriously, but it is still up to you to secure your data in their cloud. Creating a hybrid or multi-cloud infrastructure can create system vulnerabilities.

Patching and upgrade protocols, in addition to network monitoring solutions, are essential for fighting this threat. While this may be too technical to delve into with senior executives, the takeaway for them is the fact you have a proactive programme in place and fully understand the risks.

5. Misconfiguration and inadequate change control

Accidentally exposing data via the cloud is often the result of poor change control practices which result in misconfiguration errors. Your company may well have a cloud environment that is growing in complexity, which will make it more difficult to configure. You will need to adapt your controls and change management approaches to take into account your cloud infrastructure. Demonstrating operational maturity will go down well with people authorising your budget.

Need a cloud provider who can help you build the business case for change? Whether it’s security-specific or just one aspect of a larger infrastructure update, we’re here to help. Get in touch today to kick off the conversation.

CTA to subscribe to the Cloudhelix blog

Posted in Cloud Consulting, Managed Cloud on Dec 09, 2019