The Future of Finance: How to defend against the top threats to cloud security
By Milad Aslaner, Head of Technology Advisory Group, SentinelOne
Despite their ethereal appearance, when it comes to computing, clouds are the bedrock of most organisations’ daily business activities. In fact, 89 percent of organisations report having a multi-cloud strategy, per the 2022 State of the Cloud Report.
And although there are hundreds of cloud platform services, in the finance sector, there is a marked concentration on a small number of cloud vendors. In fact, over 65 percent of UK banking and insurance firms used the same four cloud providers in 2020, according to HM Treasury’s policy paper. This comes with inherent risks, which left unmitigated, could pose a serious threat to the UK’s financial services sector.
What are the actual risks posed to the financial sector by cloud-based services, and what can businesses do to protect against them?
Vulnerabilities in the cloud
At first glance, there isn’t much downside to UK firms increasingly turning to the cloud, as it simplifies digital transformation, and consolidation of tech portfolios arguably makes the job of monitoring threats easier. However, the lack of diversity when making that choice of vendor exposes financial organisations to the vulnerabilities intrinsic to their chosen cloud service.
When it comes to threat actors’ targets, Microsoft is in the firing line. For instance, security researchers discovered Microsoft Office 365 has inherent flaws which would enable hackers to encrypt files created and stored on SharePoint and OneDrive, aiding in the proliferation of so-called double-extortion ransomware attacks. Vulnerabilities like this could ravage a financial organisation, compromising the integrity of the UK financial sector as a whole.
Likewise, SentinelLabs disclosed a privilege escalation vulnerability in Windows Defender in 2021 that was undiscovered for 12 years. This was a severe vulnerability as it allowed attackers to maliciously escalate privileges from a non-administrator user. Windows Defender is deeply integrated into the Windows operating system and is installed by default on every Windows machine (more than one billion devices), so any vulnerabilities will have far-reaching consequences.
As well, all Microsoft services are dependent on Azure Active Directory for Identity and Access Management (IAM). When a threat actor can compromise a user identity with elevated privileges, like the security administrator role, they can evade all of Microsoft’s defence measures and security tools. Consequently, being overly dependent on a single vendor can expose organisations to significant risks.
Another significant threat to cloud security comes from cloud misconfiguration. In fact, 27 percent of organisations experienced a security incident in their public cloud infrastructure, per the 2022 Cloud Security Report, and nearly one in four of those were caused by cloud misconfigurations.
Many organisations mistakenly assume that Cloud Service Providers will secure the cloud, but it’s still the cloud user’s responsibility to apply updates to their applications and software. Missing updates and patches can lead to enterprise breaches.
Also, configuration oversights can often lead to customer data being mistakenly left publicly accessible, or easily accessible, to attackers. Although this isn’t a risk solely limited to the cloud, it’s far more common now due to the complexity of cloud services configurations and because cloud services are so widely used.
Insider threat: the risk from within
When it comes to attacks that target Microsoft environments, on top of cloud vulnerabilities and misconfigurations, the insider threat is a key factor. The insider threat can be unintentional – people with access to the corporate system who make an innocent or careless mistake resulting in a cyber attack – or intentional, by malicious insiders with access who intentionally cause a breach.
Mimecast research shows that 90 percent of breaches occur because of human error. One of the most effective solutions to reduce the risk of your own staff falling foul of a breach is to conduct an effective security awareness programme. Nobody is perfect and mistakes do happen, so fostering a culture of cyber-awareness is crucial.
People, Process and Technology
Given the threats posed by cloud misconfigurations, cloud vulnerabilities, and insider threats, how can organisations reduce the risk of a breach? This requires a multi-faceted approach, and understanding the requirements across people, processes, and technology.
When it comes to the incautious insider threat, it’s important to remember that no one is immune from making mistakes and from falling for a targeted social engineering attack. Make sure that staff know precisely what their privilege levels are, how they can contribute to securing the organisation, and how to spot and report suspicious activity before it’s too late.
Consistent processes are vital and need to be reinforced. Having a device usage policy is one thing, but to be effective it needs to be clear about what employees can or cannot do, explicit about the relevant security controls that need to be in place, and enforced. The same goes for reporting possible security incidents. In addition to defining reporting processes with clarity, it’s essential that they are tested to ensure the security team can identify trouble areas.
The right technology is vital to combatting cloud attacks. For many enterprises, the IT and security team support various operating systems, cloud services, and endpoint types. This often means a combination of legacy and modern systems, resulting in anywhere from 25 to 49 different tools from 10 or more vendors to detect, triage, investigate or hunt for threats.
Finance firms should be looking for platforms that can help them holistically, rather than focusing on individual silos. Security platforms that can detect, protect and respond to threats across the entire estate – and integrate capabilities like extended detection and response (XDR) and identity threat detection and response (ITDR) – are the ones that will ensure that organisations are best securing the cloud, and beyond.
Cloud computing offers finance firms a number of benefits, from unlimited storage and the ability to scale computing, to compliance and mobility. But it is essential to understand the cyber threats inherent to the cloud, and that securing cloud services isn’t the sole responsibility of the Cloud Service Provider. Finance firms need to look at the bigger picture and understand the risks across different surfaces – identity, email, endpoint, network – and identify ways to protect, detect, respond, and recover from cyber threats across the entire digital estate.