Another high value cyber attack has hit the news recently. This time it is the payroll arm of the HR platform "Kronos", a system used by several US city governments as well as several large corporations such as Tesla's operations arm in the US and the supermarket Sainsbury's in the UK. The part of the platform that has been attacked sits entirely within Kronos' private cloud environment; other parts of the business' applications are hosted outside of this area and as such remain unaffected (for now!).
The full effect of the breach is as yet unknown, but UKG Kronos (the parent company of the platform's developers) has already taken steps to inform their larger clients and those it knows have been compromised. The immediate issue for employees of the entities that use Kronos' payroll platform is that a sizeable number of them have not been paid for previous periods, and even the best experts are unable to give an accurate timeframe for service to resume. Kronos have since urged its clients to initiate business continuity protocols to ensure staff are paid.
This raises a very big question: "Is your data safer in a software provider's private cloud environment or with a more well known provider such as Microsoft Azure (Azure) or Amazon Web Services (AWS)?"
On the one hand, services that use their own private cloud environment may make it easier to "know" where your data is - albeit virtually in the cloud rather than on disks or tapes. This can be appealing to the more security conscious with less experience of cloud computing, as it is a lot closer to what they may be familiar with. The major downside, as UKG Kronos have found out, is that targeted ransomware attacks are significantly more likely.
Alternatively, with Azure or AWS you get the benefit of far greater spending on security, and these attacks are less attractive to the people trying to exploit vulnerabilities because of the effort required to profit from them. The downside here is that your data is stored alongside the data of everyone else who uses the platform, so there potentially needs to be a level of internal education with IT departments and Information Security teams before these kinds of solutions are viable for your business.
Every time a new provider is onboarded by your business it is important to ask a few key questions of either yourself or them:
- What kind of data is being stored in/on the platform? If it is largely sensitive information like names and addresses, do you want to risk that information being out of your business' control?
- Is the provider's chosen solution the cheapest/easiest option for them? If they are making security decisions based solely on a P&L, how much do they care about your data? This isn't to say the cheapest option isn't the best, only that it is worth considering why they have chosen the route they have gone down. In my experience, any good provider will cherish the opportunity to discuss these things with you - it shows you care as much as they do.
- If there is an issue like the one discussed here, what impact will it have on you and your business? The cost may be both financial and reputational in some instances, and you need to be totally comfortable with how you will deal with issues that arise.
- How good are your business continuity protocols? If things go wrong, are you already equipped to roll out a solution to ensure your staff don't suffer? If you aren't, will your new provider help you prepare?
I don't think there is a right or wrong answer to any of these and each business has to do whatever is best for it and its staff, but I would say that attacks like the Kronos ransomware one serve as a fantastic reminder that we should all be questioning security with every decision that is made when it comes to data storage and security.
Our providers make the best decisions for them as businesses and we need to be doing the same.