Commercial Production Editor AccountingWEB.co.uk
Share this content

Human error is the biggest threat for cloud computing

21st Aug 2019
server room
istock_casarsaguru_sr

A recent report has concluded that the biggest threats to businesses using cloud technology are their employees, and that it is down to them to prevent most security issues.

Not-for-profit organisation the Cloud Security Alliance (CSA) published its Top Threats to Cloud Computing report with the aim of raising awareness of cloud security issues. The paper identified 11 security risks, and explained the potential business impact of each of the threats, and examine whether it can be prevented by the customer or the cloud solution provider (CSP).

Although in the early days of the cloud, users were often concerned about possible technology vulnerabilities or the risk of data loss, the CSA concluded that it is the customers who are responsible for most security issues, not the cloud provider.

In other words, the cloud won’t pose more or fewer security threats than an on-premise system. Instead, the customers and the security practices they implement can make the biggest difference to the safety of cloud tools. 

Cloud migration doesn’t improve weak security

According to the CSA, the shift towards user responsibility is due to the evolution of the cloud and the “maturation of the consumer’s understanding” and “indicate a technology landscape where consumers are actively considering cloud migration.”

However, the CSA warns that migrating from on-premises systems to the cloud doesn’t improve weak security practices and that it is actually the source of security issues when the migration isn’t carried out properly.

Besides highlighting the importance of carrying out a correct system configuration, the CSA also warns about threats involving targeted attacks.

In the accountancy sphere, convincing fake emails that contain malicious links or that ask for passwords or payments are an ongoing concern for practitioners, who are finding it is increasingly difficult to tell whether the emails they receive are genuine or not.

In a recent Any Answers post, an AccountingWEB reader sought advice after a client made a payment to a fraudsters’ account after the accountants’ email account was hacked.

Top security threats

Although the full list includes a total of 11 risks, the following are the top five security threats in the cloud, according to the CSA:

  1. Data breaches: Happening as a result of targeted attacks, human error and system vulnerabilities, the responsibility to prevent this type of issue is both down to the customer and the cloud service provider.
  2. Misconfiguration: Users are solely responsible for this second most common issue. As an example, the CSA points at leaving stored files unsecured, using the default credentials or not adapting the configuration settings to the business, which puts it at risk of data breaches and unauthorised deletion or modification of resources.
  3. Lack of security architecture: Many businesses are migrating their IT infrastructure to unsecured cloud servers, leaving their data exposed and putting them at risk of cyber-attacks.
  4. Insufficient access management: This occurs when users fail to use strong passwords, multifactor authentication and don’t follow the necessary steps to protect credentials and keys.
  5. Account hijacking: Cloud service accounts or subscriptions are the ones with the highest risk of this type of threat in which attackers take full control of an account, as well as its services and data.

Other risks identified by the CSA include insider threats, insecure interfaces, limited user visibility and the misuse of cloud resources.

Vulnerabilities and malware, the CSA concludes, are no longer the prime concern in cyber security. The focus should now be in the areas of configuration and authentication as well as “developing and enhancing cloud security awareness, configuration, and identity management”.

Replies (8)

Please login or register to join the discussion.

avatar
By tedbuck
22nd Aug 2019 11:09

Setting all that aside my concern is that the providers are selling hard to the man in the street. Experience so far indicates to us that the man in the street thinks it is wonderful and does everything for him. Unfortunately it doesn't and it also makes VAT errors very easy to achieve. VAT claimed on non-vatable invoices are common and VAT is often claimed where no invoices exist. One new client achieved a VAT overclaim of £1,581 in the year before he came to us. Easy to do because of the way the systems operate but painful to correct.
So I wholly agree that human error is the weakness but the software providers tell the public how simple it is to use their systems but it isn't if the public has no experience of bookkeeping software.
Stormy waters ahead I think and HMRC's claim that VAT errors will disappear is likely to prove rather false - but no surprise there.

Thanks (0)
avatar
By why always me
22nd Aug 2019 12:13

I have already moved several clients back to spreadsheets and bridging software as they simply could not cope with cloud software.
All for pushing forward, but forcing people to do it will not work. I hope the bridging option is still there for a few years.
Hard to argue with someone with a straightforward in and out spreadsheet where errors jump out at you as opposed to the various cloud providers.

Thanks (0)
avatar
By Dandan
22nd Aug 2019 13:28

Common sense says : Cloud is a computer that belongs to someone else and could be located anywhere in the world.

Although we are "reassured" that data is encrypted, this is misleading. If I can access my data, then it is not encrypted. All it takes is for my password to be compromised.

The whole cloud bandwagon seems to derive from the notion that we love to be connected to our confidential information anywhere , anytime. Is that so?

Yet, despite all the data breaches and hacked private photos and document, the populace out there seem to still be seduced by "cloud".

It is just a timebomb as some people are already starting to discover.

Strangely, I have yet to come across a medium -sized or large firm accountancy firm that actually put their own accounting data on third party cloud. It seems it is good enough for their small clients but a no no for themselves.

Thanks (0)
avatar
By LostinSuspense
22nd Aug 2019 14:48

I agree that the biggest threat is from Humans, but my concern is/are the data centres themselves.

How susceptible are they to physical breaches?

Why not hack a data centre and infect it with ransomwear?

These may well be easily answered, but as the man in the park, it is a concern I can see.

Thanks (0)
By coolmanwithbeard
23rd Aug 2019 06:45

Surely this has always been the case whatever the medium - right back to the days of Bob Cratchet and lots of handwritten ledgers. It is about appropriate policies and checks and balances in whatever system you use and ultimately someone who has enough nous to look at the results and have a feel for their accuracy. I am not convinced that errors just leap out of spreadsheets myself - but each to their own! I much prefer reviewing balanced up accounts on QuickBooks whether in the cloud or on the desktop.

Thanks (0)
avatar
By Brend201
23rd Aug 2019 12:54

No such thing as "on-premise system".
It's "premises", so the description would be "on-premises".
One of my bug bears.

Thanks (0)
avatar
By bobsto12
25th Aug 2019 12:17

Inclined to agree that fretting about particular issues with cloud software is not the point.
I once worked for a major plc at their head office and the servers with all the group financial data and legal records were physically stolen because the co secretary decided to let his sons scout group have access to the building out of hours. The back ups hadn't been done for months because of a bug that the it department knew about but had done nothing to fix.

Thanks (0)
Replying to bobsto12:
avatar
By Brend201
27th Aug 2019 10:27

Sorry, I'm going off-topic but this reminds me of a quoted PLC in Ireland, many years ago when I was an audit trainee (DP then, pre-IT). Disk drive with debtor records loaded, didn't work. The conscientious worker then loaded each of the previous backups in turn. Unfortunately, the read-write heads were faulty and were destroying the disks each time. Company had cash flow problems for a few months while trying to reconstruct.

Thanks (0)