PETALING JAYA, 19 January 2021 — With continued lockdowns and restricted movements around the world, businesses took to the cloud to foster remote working environments, continue reaching their customers online and protect their data. The remarkable acceleration of cloud services adoption during the pandemic isn’t a temporary trend, and it is vital to ensure that these services are governed and monitored by corporate IT, risk and cyber security professionals who understand today’s emerging threats and regulatory requirements.
KPMG’s latest report, Securing the cloud, details the need for security teams to move beyond traditional approaches to effectively manage security and protect vital business assets in today’s new reality and threat landscape.
“Cloud investment was considered the third most important technology investment during the onset of COVID-19. But in the rush to shift online, businesses may have taken an ‘act now, ask questions later’ approach to their digital transformation and cloud implementation. This could mean some sizeable gaps in their cloud security, leaving them vulnerable to new forms of cyberattacks,” cautions Alvin Gan, Head of IT-enabled Transformation at KPMG in Malaysia.
“In fact, our 2020 KPMG/Harvey Nash CIO Survey revealed that 4 in 10 IT leaders reported their company having experienced an increase in cyber-attacks last year. Unless they begin enacting crucial steps to better govern their cloud security solutions, an attack on their system becomes a matter of ‘when’, not ‘if’,” he added.
Holding the threat landscape at bay requires security teams to move well beyond manual asset management and configuration, access reviews and incident playbooks. Here are some key lessons and insights that can provide companies with practical steps to effectively govern cloud security solutions:
'Shadow cloud' refers to the use of cloud infrastructure, services and applications outside the boundaries of an organization's corporate IT policies. These solutions will usually result in an increased risk of exposure for corporate data, personally identifiable information and intellectual property.
Organizations should enact efficient oversight and governance of cloud technology to discourage staff and stakeholders from deploying shadow cloud solutions. This includes addressing shadow cloud issues in policies and employee standards, or blocking access to unauthorized cloud-based applications.
While cloud-based email offers much-needed flexibility to businesses enduring today’s disruptive pandemic, the convenience can also unknowingly grant access to crafty hackers anywhere, anytime. This has given rise to large-scale business email compromise (BEC) attacks.
Common cloud-based email services often come with a suite of authentication and monitoring capabilities as add-ons, which should be carefully maintained to effectively detect malicious activity.
Security teams are often reassured by the range of security monitoring tools offered as standard by cloud service providers. This could result in a false sense of security as incident response procedures look and feel different in the cloud. Thus, security teams must not be complacent and should ensure they adapt their incident response procedure to be effective in the cloud.
“Maintaining customer trust in such a volatile situation is more challenging than ever before. Companies should move boldly and strategically to better safeguard their enterprise assets and customer data, ensuring they have the right systems and controls in place to protect their business, their customers, and avoid a cyber security breach which can result in reputational and financial damage,” concluded Alvin.
To download the report and for more insights, visit www.kpmg.com.my/insights
© 2021 KPMG PLT, a limited liability partnership established under Malaysian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.