
The choice between a small incident, or a major disaster

4 March, 2024


When an IT incident caused by a cyber attack becomes a fact, your crisis scenarios, which are hopefully already in place, are tested in their entirety. Unfortunately, the incident can be a rude awakening about how the different security processes have actually been handled, and instead of a minor incident, a major disaster is more or less a fact.

There have been several major incidents, or attacks, in Sweden recently.

The one that received the most media coverage is the ransomware attack that very recently hit many companies and public authorities through their shared service provider.

That attack was (likely) carried out by a Russian hacker network, and for several companies and organizations the consequences were devastating. For many of those affected, hard internal work is still going on to get back on their feet, but unfortunately it looks as if large values and a lot of data may have been lost for good. It will be some time before it becomes fully and publicly clear what caused things to go so wrong; for security reasons it may never be revealed. What is clear, however, is that somewhere there was a breach in security.

More than 200 million attacks take place worldwide in a year. From that perspective we are more or less under constant attack, and it is time to take that seriously and deal with it. With the right efforts you can steer away from the worst scenarios, such as not being able to pay your employees because the HR and payroll systems are down and the backups have been encrypted or destroyed along with them.

At Heartpace we are often asked about storage location and why we have chosen a cloud service provider without Swedish or Nordic owners. It is often pointed out that our provider, Amazon AWS, like Google and Microsoft, is American-owned and is therefore perceived as insecure. My answer is that the security perspective was decisive in our choice of supplier, and the providers mentioned are the ones who handle security best today. Why not choose them?

Big is beautiful – yes, because size counts when it comes to security.

Let me give you an example:

Amazon AWS has many data centers around the world. In Europe alone it has eight regions divided into 24 so-called Availability Zones, which makes it the largest provider of cloud infrastructure services, not only in Europe but in the world, and more regions are on the way. Together with Google and Microsoft, it handles more than 65% of the total cloud infrastructure market.

What is special about e.g. Amazon AWS is that a “region” is not a single physical site but a geographic area containing several physically separate Availability Zones, each made up of one or more data centers. In practice this means that data need not be stored in one place: the application, its data and all of its backups can be kept physically far apart, even in different countries. At Heartpace, for example, we always separate operational data from backups by placing them in different zones and in different European countries. That is difficult, if not impossible, with a local supplier, because very few can offer this kind of setup. That is the plain truth.

In addition to a network of physical storage locations, the provider also offers a complex infrastructure of security services whose purpose is to automate the protection of all your data. Amazon AWS, for example, automatically replicates stored data across several facilities within a region, and on top of that you can take backups several times a day, a series of which are so-called “immutable”, a technical term meaning that they can be read but not changed, overwritten or deleted before their retention period expires (in AWS terms, S3 Object Lock or an AWS Backup vault lock). Their distributed architecture also absorbs the kind of overload (DDoS) attacks that have been in the news this year; AWS Shield Standard is applied to every account at no extra cost.
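The two properties described above, a backup copy in a different region and country and a backup that cannot be altered, are things you can verify from the S3 API rather than take on trust. The following Python script is an added example written for this article, not Heartpace's own code. It works over constructed copies of the JSON that `aws s3api get-bucket-location`, `get-bucket-replication` and `get-object-lock-configuration` return, so it runs offline; the bucket names, the replication role ARN and the 30-day minimum retention are assumptions.

```python
"""Added example: verify that a backup copy lives in another AWS region and
country than the production data and is write-once (S3 Object Lock, COMPLIANCE
mode). The dicts mimic the JSON from `aws s3api get-bucket-location`,
`get-bucket-replication` and `get-object-lock-configuration`; nothing here
talks to AWS, and bucket names, role ARN and thresholds are assumptions."""
from dataclasses import dataclass

MIN_RETENTION_DAYS = 30  # assumption: backups must stay immutable at least this long

# Country hosting each AWS Europe region (cities are AWS's published locations).
REGION_COUNTRY = {
    "eu-north-1": "Sweden",         # Stockholm
    "eu-central-1": "Germany",      # Frankfurt
    "eu-central-2": "Switzerland",  # Zurich
    "eu-west-1": "Ireland",         # Dublin
    "eu-west-2": "United Kingdom",  # London
    "eu-west-3": "France",          # Paris
    "eu-south-1": "Italy",          # Milan
    "eu-south-2": "Spain",          # Aragon
}

# Constructed API responses for hypothetical buckets.
LOCATIONS = {  # get-bucket-location; AWS returns null (None) for us-east-1
    "hr-prod-data": {"LocationConstraint": "eu-north-1"},
    "hr-backup-de": {"LocationConstraint": "eu-central-1"},
    "hr-backup-se": {"LocationConstraint": "eu-north-1"},
}

def _replication(dest_bucket):
    """Constructed get-bucket-replication response with one enabled rule."""
    return {"ReplicationConfiguration": {
        "Role": "arn:aws:iam::123456789012:role/s3-replication",
        "Rules": [{"ID": "backup", "Status": "Enabled", "Priority": 1, "Filter": {},
                   "Destination": {"Bucket": f"arn:aws:s3:::{dest_bucket}"},
                   "DeleteMarkerReplication": {"Status": "Disabled"}}]}}

REPLICATION_GOOD = _replication("hr-backup-de")   # other region, other country
REPLICATION_BAD = _replication("hr-backup-se")    # same region as production
OBJECT_LOCK = {  # get-object-lock-configuration per bucket
    "hr-backup-de": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}},
    "hr-backup-se": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 35}}}},
}

@dataclass
class Finding:
    check: str
    ok: bool
    detail: str

def region_of(bucket, locations):
    return locations[bucket]["LocationConstraint"] or "us-east-1"

def audit_backup_setup(primary, locations, replication, object_lock):
    """Check every enabled replication rule of `primary` against the three properties."""
    findings = []
    src_region = region_of(primary, locations)
    rules = [r for r in replication.get("ReplicationConfiguration", {}).get("Rules", [])
             if r.get("Status") == "Enabled"]
    if not rules:
        return [Finding("replication", False, f"{primary}: no enabled replication rule")]
    for rule in rules:
        dest = rule["Destination"]["Bucket"].rsplit(":", 1)[-1]   # arn:aws:s3:::name
        dst_region = region_of(dest, locations)
        findings.append(Finding("cross-region", dst_region != src_region,
                                f"{primary} ({src_region}) -> {dest} ({dst_region})"))
        src_c, dst_c = REGION_COUNTRY.get(src_region), REGION_COUNTRY.get(dst_region)
        findings.append(Finding("cross-country", bool(src_c and dst_c and src_c != dst_c),
                                f"{src_c} -> {dst_c}"))
        # GOVERNANCE mode can be bypassed by anyone holding s3:BypassGovernanceRetention,
        # so only COMPLIANCE mode gives the "cannot be changed" guarantee the text describes.
        cfg = object_lock.get(dest, {}).get("ObjectLockConfiguration", {})
        retention = cfg.get("Rule", {}).get("DefaultRetention", {})
        days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
        immutable = (cfg.get("ObjectLockEnabled") == "Enabled"
                     and retention.get("Mode") == "COMPLIANCE"
                     and days >= MIN_RETENTION_DAYS)
        findings.append(Finding("immutable", immutable,
                                f"{dest}: lock={cfg.get('ObjectLockEnabled')} "
                                f"mode={retention.get('Mode')} days={days}"))
    return findings

def failed_checks(findings):
    """Names of the checks that failed, in the order they were evaluated."""
    return [f.check for f in findings if not f.ok]

if __name__ == "__main__":
    for name, repl in (("good", REPLICATION_GOOD), ("bad", REPLICATION_BAD)):
        for f in audit_backup_setup("hr-prod-data", LOCATIONS, repl, OBJECT_LOCK):
            print(f"[{name}] {'PASS' if f.ok else 'FAIL'} {f.check}: {f.detail}")
```

Two caveats when you run this against real buckets: S3 Object Lock requires versioning and can normally only be switched on when the bucket is created, and the check insists on COMPLIANCE mode because GOVERNANCE retention can be lifted by a sufficiently privileged principal, which is exactly the principal a ransomware operator will be holding. For the same reason the replica bucket should sit in a separate AWS account with its own credentials, and none of this replaces an actual restore drill.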

In the debate about the risks of possible data transfer to the USA, my view is that to some extent we are “straining out gnats and swallowing camels”. Moving all your data to a local provider and believing it is more secure is asking to lose all of it to Russian hackers in the next attack, because what exactly is so much more secure about it? The notion that what is close and local is better and safer? Alas, that time is long gone. No local supplier can match the capacity of the major players. And unless you have a large IT department of your own, with skills that measure up to those of the big companies, you are not on the safe side when it comes to security; it is only a matter of time before something fails.

Since last summer there has been an agreement between the EU and the US on secure data transfer, the EU-U.S. Data Privacy Framework (announced as the Trans-Atlantic Data Privacy Framework), which has cleared up many of the questions about the ownership of the major suppliers. Despite the agreement, the topic is still not off the debate agenda, since organizations such as NOYB are already questioning it. I guess there will be appeals, if there have not been already. If I gaze into the crystal ball, I am quite convinced that all disputes between the EU and the US will be resolved. Anything else would be unwise at the moment, given the costs and the security threat that the alternative would entail if no solution were put in place.

But it is not only about storage. Your cloud technology and storage provider is responsible for the security of the cloud itself, whereas the software provider and you are responsible for permissions. In other words, the supplier is responsible for the cloud, while the software provider and you are responsible for what happens in the cloud (this is what AWS calls the shared responsibility model).


Your responsibility is, in the first step, about choosing a supplier

And then it is about how you manage your authorizations. By comparison, it does not matter how burglar-proof your house is if someone then hands a key or an access card to an unauthorized person with dark intentions. It is therefore about having security layers on top of security layers that work together.

Regarding security in the cloud, the supplier of e.g. a payroll or HR system (Heartpace in our case) is one party in the total infrastructure. We use a large part of the technical arsenal that Amazon AWS provides, so that it becomes an integral part of our delivery, and strictly follow their security recommendations. In addition, we are certified to ISO 27001:2022 (the current version of the standard), covering all processes related to secure data management.

There are no guarantees but there are good measures and steps to help you increase your security. You can read about some tips below.

  • Review your procedures with your suppliers regularly. Technology develops at a breakneck pace and attackers have access to the latest tools. So must you.
  • Always choose certified IT providers; certification shows that they take security seriously. Check the supplier’s certificate, including its sub-processors’ certificates. They depend on each other.
  • Get certified yourself against one of the recognized security standards, such as ISO 27001 or SOC 2. It is admittedly a large investment, but it pays off in the long term. At the very least, implement security policies and make them known to employees.
  • Check how the backups of every system that handles data are managed and make sure they cannot be compromised (separate location, separate credentials, immutable copies). Check that restoring a backup actually works. A common mistake is that backups are never tested.
  • Who has access to the highest authorization level, and is that on a “need to have” or a “nice to have” basis? Do you actively work with IAM, Identity and Access Management?
  • What does something as simple as your password policy look like? Do you enforce length and uniqueness rather than only quarterly rotation (which NIST SP 800-63B no longer recommends), and do you use two-factor authentication on all your logins? Do you have a system for checking compliance? If not, start now!
  • Do you train your employees in security? A chain is never stronger than its weakest link, and in this case it is only as strong as the employees’ security mindset. We use, for example, Junglemap for ongoing micro-learning all year round, and add other training on top.
  • Do you have well-thought-out incident scenarios, i.e. do you know which people should act in the event of an incident and how? Whether these have been organized in scheduled and minuted meetings is also a question in scenario management.
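The IAM and two-factor points in the list above can be checked from the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d`). The script below is an added example, not Heartpace's code: it parses a constructed, column-abbreviated report for a fictitious account and flags root-account misuse, console users without MFA and long-lived access keys older than an assumed 90-day limit. It deliberately checks MFA and key age rather than password age.

```python
"""Added example: audit an IAM credential report for the identity hygiene points
above. SAMPLE_REPORT is a constructed, column-abbreviated report for a fictitious
account 123456789012; the thresholds are assumptions."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90    # assumption: long-lived access keys rotated at least quarterly
ROOT_QUIET_DAYS = 90     # assumption: the root user should not sign in for day-to-day work

# Constructed sample; real reports carry more columns (last-used details, certificates).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T08:00:00+00:00,not_supported,2024-02-20T10:11:12+00:00,not_supported,not_supported,true,true,2019-03-01T08:05:00+00:00,false,N/A
anna,arn:aws:iam::123456789012:user/anna,2022-05-10T09:00:00+00:00,true,2024-03-01T07:30:00+00:00,2023-11-02T12:00:00+00:00,N/A,true,true,2024-01-15T09:12:33+00:00,false,N/A
payroll-admin,arn:aws:iam::123456789012:user/payroll-admin,2021-01-04T10:00:00+00:00,true,2024-03-03T16:45:00+00:00,2021-01-04T10:00:00+00:00,N/A,false,true,2021-01-04T10:01:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-06-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-06-01T10:01:00+00:00,true,2024-01-20T10:01:00+00:00
"""

def parse_ts(value):
    """Report timestamps are ISO 8601; the placeholder strings mean 'none'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(csv_text, now):
    """Return (user, issue) pairs in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have MFA, no access keys at all, and no recent sign-ins.
            if row["mfa_active"] != "true":
                findings.append((user, "root-without-mfa"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root-has-access-key"))
            last_used = parse_ts(row["password_last_used"])
            if last_used and (now - last_used).days < ROOT_QUIET_DAYS:
                findings.append((user, "root-used-recently"))
            continue
        # Every console (password) login must be protected by MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console-without-mfa"))
        # Active access keys must have been rotated within the limit.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or (now - rotated).days > MAX_KEY_AGE_DAYS:
                    findings.append((user, f"stale-access-key-{n}"))
    return findings

def audit_sample():
    """Run the audit on the constructed report as of this article's date."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2024, 3, 4, tzinfo=timezone.utc))

if __name__ == "__main__":
    for user, issue in audit_sample():
        print(f"{user:15} {issue}")
```

On the constructed report this flags the root user (an active access key and a sign-in two weeks ago), the payroll administrator (console access without MFA and a key from 2021) and the CI user (a key not rotated in nine months); the user with MFA and a recently rotated key passes. Run it against the real report on a schedule and treat every finding as a ticket, and you have the “system to check compliance” the list asks for.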

Unfortunately, most people act far too late and skip the preparations. It is like installing a burglar alarm after the damage has already been done. It is important to understand that with the right preventive work you can deflect an IT attack so that it becomes a minor incident instead of a major disaster. It is time for us to decide to become “best in class”!

For more knowledge on the subject, I recommend the links below.

Henrik Dannert

CEO

Here you can read brief information about the EU-U.S. Data Privacy Framework (announced as the Trans-Atlantic Data Privacy Framework).

https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en 

Deloitte | Amazon AWS – Ransomware Resilience on Amazon Web Services. A white paper on how well organized the technical work can be if you think it through and do it right.

https://pages.awscloud.com/rs/112-TZM-766/images/PTNR-AWS-Deloitte-Ransomware-Resilience-Whitepaper.pdf 

Siemens handles 60,000 cyber threats per second. Read about how they have built their security. A smaller company obviously cannot deploy all these resources, but you can learn from how they address threats.

https://aws.amazon.com/solutions/case-studies/siemens-cybersecurity/ 

Sentor helps, among others, Piteå Municipality with its security work. They took a firm grip on their security after the IT incident that Kalix Municipality suffered a few years ago. They carry out so-called red team testing, where systems are exposed to attacks for preventive purposes. Read more here.

https://sentor.se/artikel/kundcase-sa-starkte-pitea-kommun-sakerhetsarbetet/?_hsmi=291229353&_hsenc=p2ANqtz–CXiU0b15N1TXc47ze6rnLHjUywZ-sdIuDt5tz6mB8n9EnbNzg0wKOOPcWiLUxdlojQSjGpZH_AjEOxEUPD2rNIbr01_FMXNp570zTZOFhK9rpSvM 

NOYB – the organization mentioned in the text, which runs European privacy activism and has, among other things, driven the Schrems rulings. The intention is good, in my opinion, but good purpose and good outcome are not always the same thing.

https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu

Junglemap – online security awareness training through so-called nudging.

https://www.junglemap.se/
