Welcome

Massive Ransomware Hits Likely to Hasten Cloud Security Shift

June 4, 2021, 5:16 PM

A spate of recent ransomware attacks on U.S. software, energy, and food industry giants is likely to drive adoption of cloud security technology across sectors.

Use of cloud-based tools in lieu of traditional information technology security may help companies better guard against cybercrime and the reputational and legal risks that accompany such hits, attorneys and industry analysts say.

The cloud security and software market is still under-penetrated but growing each year, as companies recognize the value of protecting systems from weaknesses imposed by remote work and an uptick in hacks, said Mandeep Singh, a technology industry analyst at Bloomberg Intelligence.

The push for cloud technology was already happening during the pandemic, but recent ransomware attacks against companies, including Colonial Pipeline Co. and JBS SA, are likely to accelerate the uptake of those tools, he said.

“There’s going to be a big push to moving IT systems to the cloud,” Singh said. “You’re going to see that really come to fruition over the next two to three years.”

Some companies may take the antiquated view that the cloud isn’t secure or is still nascent and untested, said Christina Gagnier, a technology attorney at Carlton Fields P.A. in Los Angeles.

But in many instances, data may actually be safer in the cloud, she said.

“It’s one of those things where companies say, maybe we’ll update to cloud services, but not this year,” Gagnier said. “With some of these more high-profile attacks I think we’re going to start seeing a push for companies to upgrade their systems.”

Enhancing Security

Cloud computing allows companies to leave the management of physical servers to specialized companies and obviates the need for them to run certain software applications on their own machines.

“The good news about cloud systems is that all the big cloud providers have put a lot of investment into defending infrastructure in the cloud,” said Neil Daswani, co-director of Stanford University’s Advanced Security Certification Program. “They may offer more protection that’s more cost-efficient.”

Economies of scale mean those providers can often offer information technology services and professional support at lower costs, said Howard Boville, the head of IBM’s Hybrid Cloud Platform.

“When you purchase a service from a cloud provider, you’re also buying compliance and cybersecurity benefits from its team,” Boville said. “If you’re a medium-sized company, you can’t necessarily afford to hire those people.”

Large cloud providers such as IBM encrypt data at a high level, providing additional protection, he added.

Companies can use cloud technology to back up files and systems, which can aid companies in getting back on their feet after a ransomware attack that can paralyze access and lock businesses out of their data, said Melissa Krasnow, a partner at VLP Law Group LLP in Minneapolis.

Diversifying data storage, and hosting some data on on-premise servers and other information in the cloud, can also improve resiliency in the event of an attack, Gagnier said. The segmentation of systems and data means that even if one “bucket” of information is hacked, other data sets could remain safe, she said.

Vetting Providers

Still, cloud companies can also be attacked, so businesses need to vet them as they would other third-party vendors by looking at their security posture and track record, Krasnow said.

Businesses looking to partner with cloud providers need to scrutinize contracts and ensure they have a good idea where liability or indemnification could fall in the event of a breach, she added.

“In light of all of these attacks, I think there should and will be a greater awareness among companies negotiating their cloud agreements,” Krasnow said.

It’s important to vet even small details, since data breaches or other incidents can make companies incur large costs, said Kathryn Rattigan, a privacy and cybersecurity attorney at Robinson & Cole LLP in Providence, R.I.

Negotiating indemnification terms with larger cloud providers such as Amazon Web Services, however, can be difficult since they have so much sway in the market, she said. But businesses can and should “shop around” with small- to medium-sized cloud providers to make sure their security posture and contract provisions are up to snuff, Rattigan said.

Making the Switch

An uptick in cyberattacks and an increasingly complex legal and regulatory landscape means companies often want more visibility into how cloud companies employ cybersecurity tools, Boville said.

If they adopt a hybrid model and retain on-site information technology services and data centers, they may seek to replicate the same controls or visibility in the cloud, he said.

“What customers now want is the ability to see cybersecurity controls operating,” Boville said. “They may outsource most of their IT to you but they still want to see that those controls are adhered to.”

Shifting to the cloud may be a heavy lift, especially for legacy companies that have built information technology programs and data centers over decades, Gagnier said. It’s also often expensive to migrate data to the cloud; companies can incur legal, compliance, and implementation costs, she said.

But the vulnerability of on-premise systems and the benefits that accompany cloud security often make the switch, at least for some data or information, a worthwhile one, she said.

“It’s expensive to invest in good security, and there may be policy or procedure changes that accompany it,” Gagnier said. “But ransomware attacks can result in loss of sale and reputational costs—and one option’s definitely cheaper than the other.”

To contact the reporter on this story: Jake Holland in Washington at jholland@bloombergindustry.com

To contact the editors responsible for this story: Kibkabe Araya at karaya@bloombergindustry.com; Keith Perine at kperine@bloomberglaw.com

To read more articles log in.

Learn more about a Bloomberg Law subscription.