Fortinet confirmed earlier this week that a threat actor had gained access to an online file repository Fortinet had set up in Microsoft’s cloud, and that the threat actor stole 440GB of data from that repository. It’s still early in the investigation, so many details remain unknown, such as how the data was accessed and whether an employee account was compromised. Even so, there are lessons in this story.
Fortinet is a large cybersecurity organization with a large cybersecurity budget, so how does this apply to small businesses? It’s all about Microsoft’s cloud. Fortinet uses the same Microsoft system that small businesses use. Users might know it as Microsoft 365 or SharePoint or OneDrive or “the cloud” or “the share”, but the bottom line is small businesses pay Microsoft to host files pretty much the same way Fortinet does. Microsoft spends hundreds of millions of dollars each year to secure their cloud so that it is available for those small businesses to use. But that security does not extend to the data that businesses store there (it’s called out in their terms of use!). It’s up to those businesses to make sure that the data is only accessible to their employees and/or the people they want to share it with.
So how does a small business make sure that data in Microsoft’s cloud is secure? These are just a few of the many ways that companies can configure their Microsoft cloud to make it more secure:
- secure employee credentials (which are used to access the data) with multi-factor authentication
- only allow the data to be accessed from company devices
- do not allow the data to be accessed outside the US
- limit how data can be shared with people outside the company
- limit how long data is retained
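The first three items in this list are typically enforced with Microsoft Entra Conditional Access policies. The script below is an added example, not something from the original post: it audits a list of policies for those three controls, using the field names of the Microsoft Graph `conditionalAccessPolicy` resource. The sample policies and the location ID are constructed placeholders, and the check assumes each policy targets all users without looking at exclusions or application scope. Sharing and retention limits are set outside Conditional Access and are not covered.

```python
# Constructed sample: three Conditional Access policies in the shape used by
# Microsoft Graph. Names and the location ID are placeholders, not real values.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Company devices only",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Block outside US", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["PLACEHOLDER-US-LOCATION-ID"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

DEVICE = {"compliantDevice", "domainJoinedDevice"}

def enforced_for_all(policy):
    """Report-only and disabled policies protect nothing."""
    users = policy.get("conditions", {}).get("users", {})
    return policy.get("state") == "enabled" and "All" in users.get("includeUsers", [])

def requires(policy, wanted):
    """True if the grant controls cannot be satisfied without one of `wanted`."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if grant.get("operator") == "AND":
        return bool(controls & wanted)
    return bool(controls) and controls <= wanted  # OR: every option must qualify

def audit(policies):
    found = {"mfa": False, "company_devices_only": False, "geo_block": False}
    for p in filter(enforced_for_all, policies):
        loc = p.get("conditions", {}).get("locations") or {}
        found["mfa"] |= requires(p, {"mfa"})
        found["company_devices_only"] |= requires(p, DEVICE)
        # Geo block: block every location except an allow-listed named location.
        found["geo_block"] |= (requires(p, {"block"})
                               and "All" in loc.get("includeLocations", [])
                               and bool(loc.get("excludeLocations")))
    return found

def missing(policies):
    return sorted(k for k, ok in audit(policies).items() if not ok)

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES), "missing:", missing(SAMPLE_POLICIES))
```

On the sample, the device policy is reported as missing because it is in report-only mode, a common state in which a policy appears in the admin portal but is not enforced.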
Putting these configurations into place certainly makes the Microsoft environment more secure, but it can all be undone if an employee unwittingly provides a threat actor with their login credentials. Regular and engaging cybersecurity awareness training should also be part of a company’s strategy to protect its data, whether that data lives in the Microsoft cloud or in the company’s office.