In 2023, charities should take stock of their cyber security vulnerabilities to ensure they are protected for the year ahead, including looking out for issues with their cloud services.
One in eight charities experienced cyber crime over the last 12 months, according to research from the Charity Commission. Yet many charities remain unprepared for a cyber attack and lack a plan to prevent one.
In 2023, charities should make cyber security their new resolution. As cyber threats continue to grow in sophistication and frequency, it is important that charities protect themselves, looking after the data of their audiences and ensuring that vital services can continue, particularly as demand rises due to the cost-of-living crisis.
One really great place to start is through the Cyber Essentials Readiness Tool. Developed by IASME on behalf of the National Cyber Security Centre, the Readiness Tool is a free, online tool that comprises a set of interactive questions on the IASME website. The process of working through the questions will inform you about your charity’s level of cyber security and what aspects you need to focus on.
Based on your answers, you will be directed towards guidance written in plain English and, at the end of the process, you will be presented with a tailored action plan and detailed guidance for your next steps towards becoming certified for cyber security.
Many charities have already made use of the Cyber Essentials Readiness tool and found that they are well on their way to implementing all five controls needed for cyber certification. But there are a few specific pain points that are creating barriers to getting certified.
One of those is the ‘shared responsibility’ security arrangement for cloud services. Data from IASME showed that only 48.9% of charities going through the Readiness Tool understood what this means.
In this article, we will discuss the basics of cloud services, the security of those services, and who is responsible for the security.
The five core controls of Cyber Essentials will help protect your charity’s data and services from the majority of common cyber attacks. The five controls also need to be applied to all cloud services.
Why is this? Surely, we can rely on Google, Microsoft, Amazon, or whoever the cloud service provider is to take care of security? Many cloud providers do ensure the security controls are in place, but the user often has to set up some of the controls themselves.
Think of it this way: when you sign up for a social media account, it is possible to log in and immediately start posting ‘whatever is on your mind’. Most social media sites are designed to optimise openness to encourage social networking and will automatically have maximum sharing as a default setting.
This means that before you post any information or images, it would be wise to look up the way the settings work to decide the appropriate level of privacy for you.
In a similar way, when you sign up to a cloud service, you have responsibility for the technical setup, including the security settings of the service. It is not all down to the provider. If you do not do this, you may have little to no security, which comes as news to many people.
Did you know the first account that is set up on Microsoft 365 by default is a global admin? These accounts will have full power to configure and change the settings and controls of everything in your organisation’s account.
If this account is set up without the necessary security controls and then hacked, an attacker could access your whole system and possibly take all the data out of the organisation. This could completely wipe out a charity.
The huge control panels within the admin centre for a cloud service in Microsoft or Google can be a daunting prospect, and anyone setting up accounts will need to set role assignments, groups and permissions to each account as well as passwords and multi-factor authentication.
This is the same whether you are a large enterprise or a micro charity and therefore expert guidance in configuring these settings may be a necessity.
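The points above (a default global admin, accounts that need roles and multi-factor authentication, and the need to review them) can be turned into a simple check a charity's IT support can run against an export of its tenant's accounts. The script below is an added example, not code from IASME, the NCSC or any cloud provider; the account list is constructed, and the field names and the ceiling on global admins are assumptions rather than any provider's real API or a Cyber Essentials requirement.

```python
"""Audit a small, constructed export of cloud tenant accounts for the risks the
article describes: privileged accounts without MFA, too many global admins, a
global admin also used for everyday email, and privileged accounts nobody has
signed into for a long time."""
from dataclasses import dataclass


@dataclass
class Account:
    upn: str                 # user principal name, e.g. alice@example-charity.test
    roles: list              # directory role names assigned to the account
    mfa_enabled: bool        # whether a second factor is registered
    last_sign_in_days: int   # days since the last interactive sign-in
    mailbox_in_use: bool     # assumed flag: account also used for day-to-day email


# Constructed sample data; not exported from any real tenant.
SAMPLE_ACCOUNTS = [
    Account("admin@example-charity.test", ["Global Administrator"], False, 3, True),
    Account("it-breakglass@example-charity.test", ["Global Administrator"], True, 200, False),
    Account("finance@example-charity.test", ["Billing Administrator"], False, 1, True),
    Account("volunteer1@example-charity.test", [], True, 10, True),
]

MAX_GLOBAL_ADMINS = 2   # assumed ceiling; choose what fits your charity
STALE_DAYS = 90         # assumed threshold for "review this privileged account"
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Exchange Administrator", "Billing Administrator",
}


def audit(accounts):
    """Return a list of (severity, upn, message) tuples; empty means no findings."""
    findings = []
    global_admins = [a for a in accounts if "Global Administrator" in a.roles]

    if not global_admins:
        findings.append(("high", "*", "no global admin at all; tenant may be unrecoverable"))
    if len(global_admins) > MAX_GLOBAL_ADMINS:
        findings.append(("medium", "*",
                         f"{len(global_admins)} global admins exceeds ceiling of {MAX_GLOBAL_ADMINS}"))

    for a in accounts:
        privileged = sorted(PRIVILEGED_ROLES.intersection(a.roles))
        if not a.mfa_enabled:
            # Any account without MFA is a finding; a privileged one is serious.
            sev = "high" if privileged else "medium"
            what = ", ".join(privileged) if privileged else "standard user"
            findings.append((sev, a.upn, f"no MFA registered ({what})"))
        if "Global Administrator" in a.roles and a.mailbox_in_use:
            findings.append(("medium", a.upn,
                             "global admin used for everyday mail; use a separate admin account"))
        if privileged and a.last_sign_in_days > STALE_DAYS:
            findings.append(("low", a.upn,
                             f"privileged account unused for {a.last_sign_in_days} days; confirm it is still needed"))
    return findings


def summarise(findings):
    """Count findings per severity, so a non-technical trustee can see the shape of the result."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, upn, msg in audit(SAMPLE_ACCOUNTS):
        print(f"[{sev:6}] {upn}: {msg}")
    print(summarise(audit(SAMPLE_ACCOUNTS)))
```

Feeding it a real export means mapping your provider's fields onto the Account dataclass; the checks themselves (MFA on every account, few global admins, admin accounts kept separate from everyday mailboxes, dormant privileged accounts reviewed) do not depend on which provider you use.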
Small charities that have not fully or correctly configured their cloud service accounts can be easy prey for attackers and this makes them high risk for donors, funding contracts and supply chains.
When talking about security, cloud service providers often reference a ‘shared responsibility model’. This means that for some security controls, it is the cloud provider that is responsible for implementation, whereas for other features, it is the user organisation (your charity). Who implements which controls will vary depending on the design of the cloud service being subscribed to.
Working with a cloud provider can be unfamiliar and new for some charities and it is helpful to outline from the start where the line is between the cloud provider’s security responsibilities and those of your charity.
Each provider and each service will have different security models, different tools for ensuring security, different configuration parameters, different dashboards, and different contact points.
The charity director or IT manager should reference their service-level agreements (usually within the small print that you sign up to when you buy the service) and clear up any confusion with the provider when necessary to ensure a successful security strategy.
Understanding and documenting your responsibility for the security controls for each of your cloud providers is important. It is a good idea to have security in mind when researching a cloud service product in the first place, and to document a named point of contact to help and support your charity if there are difficulties.
With 24/7 onsite security, advanced encryption, secure backups, and firewall protected servers, most cloud service providers have invested in security features that you could never match if you used your own servers. It is worth bearing in mind, however, that not all cloud service providers understand or value security.
It is essential that you research the security controls used by the cloud service provider before entrusting organisational data to that service. Have you checked the security features of the platform you’re using?
You should start by looking for the following:
In the Cyber Essentials requirements, it specifies that where the cloud provider implements a control, it is your responsibility to satisfy yourself that this has been done to the required standard.
Details of implementation of these controls can usually be found in the terms and conditions of the service. Look within contractual clauses or in documents referenced by contract, such as security statements or privacy statements. Cloud providers will often explain how they implement security in documents published in their trust centres.
The security arrangements of a cloud provider are sometimes explicitly documented; for example, Microsoft Azure and AWS document shared responsibilities and whether the provider or the customer is responsible for aspects of security operations and management.
With smaller providers or Software as a Service products, however, these details may be less explicit, but they will still need to be accounted for.
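Documenting who implements each control for each service (the responsibility register described earlier) and checking that every provider-implemented control is backed by a referenced document (as the Cyber Essentials requirement above asks) can be done in a few lines. This is an added example, not an IASME or NCSC tool; the two services, their contacts and the document names are constructed placeholders, and the five control names are those of the Cyber Essentials scheme.

```python
"""Shared-responsibility register for cloud services: for each service, record
who implements each of the five Cyber Essentials controls and, where the
provider (or both parties) does, which document is the evidence."""

CE_CONTROLS = (
    "firewalls",
    "secure configuration",
    "user access control",
    "malware protection",
    "security update management",
)
OWNERS = {"provider", "charity", "shared"}

# Constructed sample register. Service names, contacts, owners and document
# titles are illustrative assumptions, not any provider's published position.
SAMPLE_REGISTER = {
    "Example Mail SaaS": {
        "contact": "support@example-mail.test",
        "controls": {
            "firewalls": {"owner": "provider", "evidence": "Example Mail security statement v3"},
            "secure configuration": {"owner": "shared", "evidence": "Example Mail admin hardening guide"},
            "user access control": {"owner": "charity"},
            "malware protection": {"owner": "provider", "evidence": "Example Mail security statement v3"},
            "security update management": {"owner": "provider"},   # no evidence recorded
        },
    },
    "Example Donor CRM": {
        # no named contact recorded
        "controls": {
            "firewalls": {"owner": "provider", "evidence": "Example CRM trust centre page"},
            "user access control": {"owner": "charity"},
            # the other three controls are not recorded at all
        },
    },
}


def validate_register(register):
    """Return {service: [issue, ...]}; services with no issues are omitted."""
    issues = {}
    for service, entry in register.items():
        problems = []
        if not entry.get("contact"):
            problems.append("no named point of contact recorded")
        controls = entry.get("controls", {})
        for control in CE_CONTROLS:
            record = controls.get(control)
            if record is None:
                problems.append(f"{control}: responsibility not recorded")
                continue
            owner = record.get("owner")
            if owner not in OWNERS:
                problems.append(f"{control}: owner must be one of {sorted(OWNERS)}")
                continue
            # Where the provider implements a control, the charity must be able
            # to point at the document that satisfies it the control is in place.
            if owner in ("provider", "shared") and not record.get("evidence"):
                problems.append(f"{control}: provider implements this but no evidence document is referenced")
        if problems:
            issues[service] = problems
    return issues


def charity_actions(register):
    """Per service, the controls the charity itself must configure or co-own."""
    return {
        service: [c for c, r in entry.get("controls", {}).items()
                  if r.get("owner") in ("charity", "shared")]
        for service, entry in register.items()
    }


if __name__ == "__main__":
    for service, problems in validate_register(SAMPLE_REGISTER).items():
        print(service)
        for p in problems:
            print("  -", p)
    print(charity_actions(SAMPLE_REGISTER))
```

The register is deliberately simple so it can live alongside the service contract and be reviewed when the contract is renewed; the validator's output is the list of questions to put to the provider's contact before relying on the service.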
In the last three years, the cyber security sector has grown exponentially and consequently, IT and cyber security staff are in short supply. In-house or outsourced expertise applied to your specific set up is a crucial security factor. Charities can use internal experts, external consultants, and third-party providers, but it is worth noting that a cyber security consultant is often needed in addition to IT support.
Charities can contact one of the Cyber Essentials Certification Bodies who are located around the UK and Crown Dependencies for cyber security advice. These experts are trained and licensed to certify against Cyber Essentials and can offer consulting services.