Working in the cloud has many advantages, including the ability to access data from anywhere, a low cost to adopt new software tools, and business continuity.
But most cloud accounts are protected by nothing more than a user password, and a cloud tenant is only as secure as its weakest one. A single compromised account can give an attacker your cloud storage and the data in it, company email accounts, and more.
The move to the cloud that we’ve experienced over the last 15 years, and which the pandemic accelerated, has led to a rise in cloud jacking.
What’s Cloud Jacking?
Cloud jacking is the hijacking of a legitimate cloud account. It looks like an insider attack because the attacker signs in with a real user's credentials rather than breaking anything: valid login details are the "keys to the kingdom", so the attacker simply logs in and takes the account over. If that account happens to have administrative privileges, the damage they can do rises significantly.
Over the last year, cloud account attacks have increased by 630%.
Without proper IT security protection, your cloud accounts can be at risk of being hijacked. Once inside, attackers can do multiple things, depending upon the account type, including:
- Accessing company email
- Sending phishing/spam from your company email address
- Accessing sensitive information
- Infecting cloud storage with ransomware
- Adding and removing users
- Changing your cloud security settings
- Accessing banking or credit card details
How to Secure Your Cloud Accounts from an Attack
Have an IT Pro Configure Cloud Security
Are your cloud accounts still on their default security settings? Defaults are tuned for easy adoption, not for your business's security needs, and the gap between the two is called misconfiguration: a cloud account that isn't configured properly for the risks you actually face.
Roughly 45% of cloud security incidents are due to misconfiguration. Companies aren't sure which settings to use, or they adjust settings themselves and miss a vital protection feature.
It’s best to have an IT pro, like Connect2Geek, go in and configure accounts like Microsoft 365 and others to ensure you have the right level of security needed to keep your data and accounts safe.
Enable Two-Factor Authentication on All Cloud Accounts
Too many companies don't use two-factor authentication (2FA) because they don't want to inconvenience their users. But that one simple step blocks the overwhelming majority of automated account-compromise attempts (the figure commonly cited is 99.9%).
Even if an attacker has a user's password, they very likely won't have the phone or other device that receives the 2FA code required for login. Attackers who do have the password increasingly try to get around 2FA by phishing the code in real time or bombarding the user with approval prompts, so an authenticator app or a hardware security key is a stronger choice than SMS codes wherever the service supports it.
To simplify the process for users, you can use a single sign-on (SSO) solution that reduces the number of times a user has to enter a 2FA code to reach their accounts. Keep in mind that SSO makes that one identity the key to everything behind it, so it is the account that most needs strong 2FA.
Keep Your Cloud Applications Updated (Including On-Device Apps)
Some, but not all, cloud applications update themselves so that security patches are applied automatically. Many services also ship desktop or mobile clients, like the Microsoft 365 and Adobe Creative Cloud apps installed on each PC, and those have to be updated on every device they are installed on.
Make sure all users keep any cloud software installed as a desktop or mobile app properly updated and patched, or better, have updates pushed centrally so that patching doesn't depend on each user.
While misconfiguration was the top reason for cloud security breaches, the #2 cause (in 38% of incidents) was failing to apply a patch for a known vulnerability.
Train Users Regularly on Phishing Awareness
Theft of login credentials has become one of the main goals of phishing attacks. Users receive emails that look like a OneDrive sharing request or tell them they need to update their login details for a cloud account.
If users don't know what to look for, they can be taken in by these fakes and end up typing their cloud credentials into a phishing site. Attackers typically use the stolen credentials within minutes, often with automated tooling, and immediately set up persistence: mail-forwarding rules, a 2FA method of their own, or a new privileged user. So even if the user changes their password afterwards, a password reset alone may not evict the attacker; active sessions need to be revoked and those changes found and undone.
It's important to conduct ongoing phishing awareness training so users stay on guard for unexpected emails in their inbox, even ones that look exactly like a legitimate one.
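The actions in the list of attacker capabilities earlier on this page (adding users, changing security settings) and the persistence described in the previous paragraph all leave audit-log entries. The following added example (not code from the original article) scans a batch of audit events for those traces so that "the user changed their password" is not mistaken for a clean-up. The events are constructed sample data, and the field names (`op`, `params`, `ForwardTo`, `Add-MfaMethod`, and so on) are a simplified stand-in for a real cloud audit log, not any vendor's exact schema; `COMPANY_DOMAIN` is an assumption for the example.

```python
"""Added example (not from the original article): scanning audit events for the
persistence an attacker typically adds within minutes of a credential phish.
Events are constructed sample data; field names are a simplified stand-in for a
real cloud audit log, not any vendor's exact schema."""
import json
from typing import Dict, List, Set, Tuple

COMPANY_DOMAIN = "example.com"  # assumption: the tenant's own mail domain

# Constructed sample events as JSON lines (not real log data). alice's account
# is phished at 09:12; bob's inbox rule is a legitimate one for comparison.
SAMPLE_EVENTS = """\
{"time":"2024-03-04T09:12:01Z","user":"alice@example.com","op":"UserLoggedIn","ip":"203.0.113.9","params":{}}
{"time":"2024-03-04T09:12:40Z","user":"alice@example.com","op":"New-InboxRule","ip":"203.0.113.9","params":{"Name":".","ForwardTo":"drop@attacker-mail.test","DeleteMessage":true}}
{"time":"2024-03-04T09:13:05Z","user":"alice@example.com","op":"Set-Mailbox","ip":"203.0.113.9","params":{"ForwardingSmtpAddress":"drop@attacker-mail.test"}}
{"time":"2024-03-04T09:14:30Z","user":"alice@example.com","op":"Add-MfaMethod","ip":"203.0.113.9","params":{"Method":"AuthenticatorApp"}}
{"time":"2024-03-04T09:20:00Z","user":"bob@example.com","op":"New-InboxRule","ip":"198.51.100.5","params":{"Name":"Invoices","MoveToFolder":"Finance"}}
{"time":"2024-03-04T09:25:00Z","user":"alice@example.com","op":"Add-RoleMember","ip":"203.0.113.9","params":{"Role":"Global Administrator","Target":"svc-backup@example.com"}}
{"time":"2024-03-04T10:00:00Z","user":"alice@example.com","op":"Reset-Password","ip":"192.0.2.77","params":{}}
"""

Finding = Tuple[str, str, str, str]  # (time, user, op, reason)


def is_external(address: str) -> bool:
    """True for an email address outside the company's own domain."""
    return "@" in address and address.rsplit("@", 1)[1].lower() != COMPANY_DOMAIN


def persistence_reasons(event: Dict) -> List[str]:
    """Return the reasons one event looks like attacker persistence (empty = benign)."""
    op = event.get("op", "")
    p = event.get("params", {}) or {}
    reasons: List[str] = []
    if op == "New-InboxRule":
        target = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo") or ""
        if is_external(target):
            reasons.append(f"inbox rule forwards mail to external address {target}")
        if p.get("DeleteMessage"):
            reasons.append("inbox rule deletes matching mail (hides attacker traffic from the victim)")
        if not p.get("Name", "").strip(" ."):
            reasons.append("inbox rule with an empty or dot-only name (common in BEC toolkits)")
    elif op == "Set-Mailbox" and is_external(p.get("ForwardingSmtpAddress", "")):
        reasons.append(f"mailbox-level forwarding to {p['ForwardingSmtpAddress']}")
    elif op == "Add-MfaMethod":
        reasons.append(f"new 2FA method ({p.get('Method', '?')}) registered; confirm the user did this")
    elif op == "Add-RoleMember" and "admin" in p.get("Role", "").lower():
        reasons.append(f"{p.get('Target')} added to privileged role {p.get('Role')}")
    return reasons


def scan(jsonl: str) -> List[Finding]:
    """Run every event through the checks and collect the hits."""
    findings: List[Finding] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for reason in persistence_reasons(ev):
            findings.append((ev["time"], ev["user"], ev["op"], reason))
    return findings


def users_to_evict(findings: List[Finding]) -> Set[str]:
    """Accounts that need session revocation, rule removal and a 2FA review, not just a reset."""
    return {user for _, user, _, _ in findings}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for when, user, op, reason in hits:
        print(f"{when} {user:<20} {op:<16} {reason}")
    print("accounts needing full eviction:", sorted(users_to_evict(hits)))
```

In the sample, alice's 10:00 password reset comes 45 minutes after the forwarding rule, the extra 2FA method and the new administrator were created; none of those are undone by the reset, which is the point the paragraph above makes. bob's rule only moves mail to a folder and is not flagged.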
Some of the things that users need to be trained on include:
- Hovering over links without clicking to reveal the real URL
- Not interacting with an unexpected email
- That phishing often uses emotional triggers
- Where to send a suspicious email to get it checked for validity
- How to look for slight misspellings in URLs that are close to the real thing
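Three of the checks in that list (reading the real URL behind a link, spotting look-alike domains, and catching slight misspellings) can also be done mechanically over an email's HTML, so a helpdesk or mail-gateway script can flag a message before a user has to judge it by eye. The following is an added example, not code from the original article; the sample message and the list of "known good" domains are constructed for this example, and the last-two-labels rule for the registrable domain is a deliberate simplification (a public-suffix list is needed for domains like `.co.uk`).

```python
"""Added example (not from the original article): mechanical versions of the
link checks taught in phishing-awareness training, run over an email's HTML.
The message and KNOWN_DOMAINS are constructed for this example."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumption for the example: domains the business expects staff to sign in to.
KNOWN_DOMAINS = {"onedrive.live.com", "login.microsoftonline.com", "example.com"}

# Constructed sample message (not a real phishing email). The second link uses a
# Cyrillic "о" (U+043E) in place of the Latin "o" in "microsoftonline".
SAMPLE_EMAIL_HTML = """
<p>A file was shared with you on OneDrive.</p>
<a href="https://onedrive.live.com.secure-docs.example.net/open">Open in OneDrive</a>
<a href="https://micr\u043esoftonline.com/auth">https://login.microsoftonline.com/auth</a>
<a href="https://mircosoftonline.com/reset">Update your login details</a>
<a href="https://example.com/intranet">Intranet</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Simplification: a public-suffix list is needed for co.uk etc."""
    return ".".join(host.split(".")[-2:])


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a link looks like a phish (empty list = nothing found)."""
    findings: List[str] = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return findings
    # 1. Link text that shows one URL while the href points somewhere else.
    if "://" in text:
        shown = (urlparse(text).hostname or "").lower()
        if shown and shown != host:
            findings.append(f"text-href-mismatch: text shows {shown}, link goes to {host}")
    # 2. Homoglyph / IDN domains: non-ASCII letters or punycode labels.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        findings.append(f"non-ascii-host: {host!r} contains non-ASCII or punycode labels")
    # 3. A trusted name used as a subdomain of someone else's domain.
    for known in KNOWN_DOMAINS:
        if host != known and host.startswith(known + "."):
            findings.append(f"brand-as-subdomain: {known} sits under {registrable(host)}")
    # 4. Near-miss misspellings of a trusted registrable domain.
    reg = registrable(host)
    known_regs = {registrable(k) for k in KNOWN_DOMAINS}
    if reg not in known_regs:
        for kr in sorted(known_regs):
            if 0 < levenshtein(reg, kr) <= 2:
                findings.append(f"lookalike-domain: {reg} is within 2 edits of {kr}")
    return findings


def audit_links(html: str) -> Dict[str, List[str]]:
    """Map each suspicious href in the message to its findings."""
    parser = LinkCollector()
    parser.feed(html)
    report: Dict[str, List[str]] = {}
    for href, text in parser.links:
        found = check_link(href, text)
        if found:
            report[href] = found
    return report


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL_HTML).items():
        print(href)
        for r in reasons:
            print("   ", r)
```

Of the four links, only the intranet link comes back clean: the "OneDrive" link uses a trusted name as a subdomain of an unrelated domain, the second shows one address in its text while its href uses a Cyrillic look-alike, and the third is two characters away from the real sign-in domain. Those are exactly the cues the training list asks users to look for, and none of them requires clicking.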
Schedule a Cloud Security Checkup Today!
Don’t leave your cloud accounts unprotected! Connect2Geek can help your Treasure Valley business with expert cloud security configuration as well as setting up convenient 2FA that protects your accounts.
Schedule your free consultation to learn more today! Call 208-468-4323 or reach out online.