An alarming story recently crossed my desk. Cybersecurity researcher Jeremiah Fowler discovered an unsecured cloud database containing 3 million records from thousands of credit unions across the United States.
Fowler believed the database was managed by a company called CU Solutions Group, a provider of technology and marketing services for credit unions. Fowler notified the company, and while they secured the database, it remains unclear who was responsible for the situation.
Stories like this give me pause. It hurts to think of all the credit union customers whose data may have been exposed. Time will tell if cybercriminals accessed the database before it was secured. In the meantime, every organization must think carefully about their cloud security, whether they handle it in-house or work with a cloud managed data center services provider.
While we don’t yet know how this happened, I have a few guesses. Here are 4 myths about cloud security that I’ve encountered far too often.
1. Cloud systems are “secure enough” out of the box
Cloud delivery comes with a certain mystique. Since the 2000s, we’ve heard nothing but praise for the cloud. There’s a perception that cloud is the future, it’s sexy, and it solves many problems.
Now, it does solve a lot of problems—although not every system is right for the cloud. (See our blog on Cloud Repatriation for more.)
But the cloud mystique often does more harm than good.
Again and again, I’ve encountered the assumption that cloud systems are more secure by default—that they don’t require thoughtful implementation and management of cybersecurity controls.
Nothing could be further from the truth. Any system can be hacked. Every system needs a team of cybersecurity experts monitoring it, preventing issues, and proactively responding the moment a threat appears.
In the case of cloud systems, the default cybersecurity settings are rarely good enough. How the system is used, how it integrates with other systems, and how it’s accessed all dictate what controls are required.
2. Cloud systems reduce the need for cybersecurity staff
Cloud systems rarely require fewer professional resources than on-premises systems. Yet many organizations don’t realize this. When they migrate critical systems to the cloud, they often downsize their IT staff or reduce their engagement with their MSP (managed IT services provider). They probably never had cybersecurity resources to begin with, so that’s not even on their radar.
The thinking goes something like this: “Since a third party is responsible for our infrastructure, we’re good, right? We don’t need expert resources in cybersecurity and IT?”
Sadly, this isn’t the case.
Cloud systems have just as many cybersecurity requirements. They absolutely need cybersecurity experts managing them (and monitoring them).
The difference lies only in the specialization. Cloud security requires a unique skillset.
Unfortunately, many organizations don’t know this. Even if they did, it’s unlikely they could hire those cloud security experts themselves.
3. It’s okay to use different teams (or providers) for IT and cybersecurity
Ten or twenty years ago, the cybersecurity landscape looked totally different.
While cloud delivery was an up-and-coming phenomenon, legacy systems prevailed, and they were hosted on premises. IT and cybersecurity teams were typically siloed. They tossed things at each other over the cubicle walls, but they didn’t work together around a single strategic plan. Their KPIs weren’t aligned either, which made it even harder to work synergistically.
I’m always amazed when I see this legacy model still in use today. It’s problematic for on-premises systems and cloud systems alike.
Typically, it looks like this. An organization may have a single IT person on staff, augmented by an MSP. The organization contracts with a different company for cybersecurity services and tries to act as a referee between the two vendors. The cybersecurity partner notifies the MSP and/or the client of any issues. But when it comes to incident remediation, the cybersecurity partner doesn’t actually provide that service. The client has to handle it on their own—or get their MSP to take care of it.
This model just doesn’t work.
In today’s fast-changing threat landscape, both cloud and on-premises systems demand synergy between IT and cybersecurity. You need one team handling both—so nothing falls through the cracks.
You also get better value when you outsource cybersecurity because you get access to experts without the cost of keeping them on staff. Your CFO will thank you—and you can rest well at night knowing you’re secure.
4. Our MSP says they “cover cybersecurity,” so we’re good
Many MSPs claim to handle cybersecurity. But the devil is in the details.
In fact, most MSPs outsource cybersecurity services to a third party. They simply don’t have the talent on staff, the dedicated SOC (security operations center), or the strategic perspective to manage both IT and cybersecurity for their clients.
You don’t want siloed teams for IT and cybersecurity. But an MSP that outsources cybersecurity is particularly troubling. It’s an especially bad kind of siloing.
Why?
Because the cybersecurity providers who work under this arrangement usually don’t remediate incidents. They only notify you (or your MSP) that the house is on fire.
That might work if you or your MSP had cybersecurity experts on staff. But you’re in this situation because you don’t have those resources—and neither does your MSP.
It’s worth looking for a combined MSP/MSSP who offers a cybersecurity service guarantee. This is a promise to cover the cost of services to remediate a cybersecurity incident. Learn more here: Corsica Technologies Service Guarantee.
The takeaway: Cloud security requires cohesive strategy + expert resources
At the end of the day, I wish we’d been there for the credit unions and their customers whose data was exposed. Visibility, monitoring, and proactive engagement are the processes that detect, respond to, and ultimately prevent events like this. Corsica’s model would have ensured that the threat landscape and exposure were known.
That level of security takes effort. Cloud systems don’t come with perfect default security—and they still need talented professionals managing them. Yet it’s challenging to hire and retain these resources, and many MSPs don’t actually offer comprehensive coverage (or true synergy between cybersecurity and IT).
Corsica Technologies exists to solve this issue. Our integrated team handles both IT and cybersecurity from top to bottom. You get a cohesive strategy with a 3-year roadmap, 24/7/365 monitoring, incident remediation, and more. This comprehensive approach is essential to securing all your systems and data. When security incidents like data leaks happen, they only reinforce the need for more education around cloud security and for knowing the right questions to ask before it’s too late.