
4 Cloud Security Myths Busted By Credit Union Data Leak


An alarming story recently crossed my desk. Cybersecurity researcher Jeremiah Fowler discovered an unsecured cloud database containing 3 million records from thousands of credit unions across the United States.

Fowler believed the database was managed by a company called CU Solutions Group, a provider of technology and marketing services for credit unions. Fowler notified the company, and while they secured the database, it remains unclear who was responsible for the situation.

Stories like this give me pause. It hurts to think of all the credit union customers whose data may have been exposed. Time will tell if cybercriminals accessed the database before it was secured. In the meantime, every organization must think carefully about their cloud security, whether they handle it in-house or work with a cloud managed data center services provider.

While we don’t yet know how this happened, I have a few guesses. Here are 4 myths about cloud security that I’ve encountered far too often.

1. Cloud systems are “secure enough” out of the box

Cloud delivery comes with a certain mystique. Since the 2000s, we’ve heard nothing but praise for the cloud. There’s a perception that cloud is the future, it’s sexy, and it solves many problems.

Now, it does solve a lot of problems—although not every system is right for the cloud. (See our blog on Cloud Repatriation for more.)

But the cloud mystique often does more harm than good.

Again and again, I’ve encountered the assumption that cloud systems are more secure by default—that they don’t require thoughtful implementation and management of cybersecurity controls.

Nothing could be further from the truth. Any system can be hacked. Every system needs a team of cybersecurity experts monitoring it, preventing issues, and proactively responding the moment a threat appears.

In the case of cloud systems, the default cybersecurity settings are rarely good enough. How the system is used, how it integrates with other systems, and how it’s accessed all dictate what controls are required.


2. Cloud systems reduce the need for cybersecurity staff

Cloud systems rarely require fewer professional resources than on-premises. Yet many organizations don’t realize this. When they migrate critical systems to the cloud, they often downsize their IT staff or reduce their engagement with their MSP (managed IT services provider). They probably never had cybersecurity resources to begin with, so that’s not even on their radar.

The thinking goes something like this: “Since a third party is responsible for our infrastructure, we’re good, right? We don’t need expert resources in cybersecurity and IT?”

Sadly, this isn’t the case.

Cloud systems have just as many cybersecurity requirements. They absolutely need cybersecurity experts managing them (and monitoring them).

The difference lies only in the specialization. Cloud security requires a unique skillset.

Unfortunately, many organizations don’t know this. Even if they did, it’s unlikely they could hire those cloud security experts themselves.

3. It’s okay to use different teams (or providers) for IT and cybersecurity

Ten or twenty years ago, the cybersecurity landscape looked totally different.

While cloud delivery was an up-and-coming phenomenon, legacy systems prevailed, and they were hosted on premises. IT and cybersecurity teams were typically siloed. They tossed things at each other over the cubicle walls, but they didn’t work together around a single strategic plan. Their KPIs weren’t aligned either, which made it even harder to work synergistically.

I’m always amazed when I see this legacy model still in use today. It’s problematic for on-premises systems and cloud systems alike.

Typically, it looks like this. An organization may have a single IT person on staff, augmented by an MSP. The organization contracts with a different company for cybersecurity services and tries to act as a referee between the two vendors. The cybersecurity partner notifies the MSP and/or the client of any issues. But when it comes to incident remediation, the cybersecurity partner doesn’t actually provide that service. The client has to handle it on their own—or get their MSP to take care of it.

This model just doesn’t work.

In today’s fast-changing threat landscape, both cloud and on-premises systems demand synergy between IT and cybersecurity. You need one team handling both—so nothing falls through the cracks.

You also get better value when you outsource cybersecurity because you get access to experts without the cost of keeping them on staff. Your CFO will thank you—and you can rest well at night knowing you’re secure.


4. Our MSP says they “cover cybersecurity,” so we’re good

Many MSPs claim to handle cybersecurity. But the devil is in the details.

In fact, most MSPs outsource cybersecurity services to a third party. They simply don’t have the talent on staff, the dedicated SOC (security operations center), or the strategic perspective to manage both IT and cybersecurity for their clients.

You don’t want siloed teams for IT and cybersecurity. But an MSP outsourcing cybersecurity is an especially troubling kind of siloing.

Why?

Because the cybersecurity providers who work under this arrangement usually don’t remediate incidents. They only notify you (or your MSP) that the house is on fire.

That might work if you or your MSP had cybersecurity experts on staff. But you’re in this situation because you don’t have those resources—and neither does your MSP.

It’s worth looking for a combined MSP/MSSP who offers a cybersecurity service guarantee. This is a promise to cover the cost of services to remediate a cybersecurity incident. Learn more here: Corsica Technologies Service Guarantee.

The takeaway: Cloud security requires cohesive strategy + expert resources

At the end of the day, I wish we’d been there for the credit unions and their customers whose data was exposed. Visibility, monitoring, and proactive engagement are the processes that detect, respond to, and ultimately prevent events like this. Corsica’s model would have ensured that the threat landscape and exposure were known.

That level of security takes effort. Cloud systems don’t come with perfect default security—and they still need talented professionals managing them. Yet it’s challenging to hire and retain these resources, and many MSPs don’t actually offer comprehensive coverage (or true synergy between cybersecurity and IT).

Corsica Technologies exists to solve this issue. Our integrated team handles both IT and cybersecurity from top to bottom. You get a cohesive strategy with a 3-year roadmap, 24/7/365 monitoring, incident remediation, and more. This comprehensive approach is essential to securing all your systems and data. When security incidents like data leaks happen, they only reinforce the need for more education around cloud security and for knowing the right questions to ask before it’s too late.

Want to learn more about cloud security?

Reach out to schedule a consultation with our security specialists.

Brian Harmison
Brian Harmison is the CEO of Corsica Technologies, a leading IT solutions provider, with over two decades of experience in technology. He has held key leadership positions in renowned technology companies, specializing in IT strategy, cybersecurity, and managed services. His vision has driven Corsica Technologies’ growth and transformation, making it a trusted partner for IT solutions and cybersecurity services. Through collaboration, mentorship, and team development, Brian positions Corsica Technologies for continued success and innovation in IT and cybersecurity.
