A recent attack on a HR & payroll provider’s cloud-based systems should serve as a stark reminder for all businesses to review the security processes of not just their own business, but their supply chain too, according to Crown Workforce Management’s Technology Director, Harish Rao, who has outlined an essential checklist for businesses to follow to ensure their data is secure.
Cyber criminals increasingly favour attacking businesses via their supply chain rather than directly. A single compromised supplier is more impactful for the attacker, and it is more disruptive for the victims, because it takes the end users longer to detect how and where the attack happened.
The cyber attack on payroll service provider Zellis is a perfect example of this: cyber criminals allegedly exploited an existing vulnerability in the file transfer software it used, causing issues for big name brands that saw private employee data compromised.
It’s important to reiterate that a victim may take some time to realise that a data breach has occurred, and is exposed to maximum levels of harm in the meantime, which is why prevention is always better than cure.
Therefore, it is imperative that businesses undertake a set of preventative measures.
These include:
- Understanding how your IT providers are protecting your data.
The digital cloud is an imperative for any business that wants to future-proof itself, and it is important to remember that any cloud platform can only be trusted to be secure if it is properly accredited. Microsoft Azure, Amazon AWS, and Google GCP are the three leading cloud providers with accreditation and support for secure installations, and it is safer to stick to one of these three.
When a provider of software services, such as ourselves, promises a cloud service you need to ask: Which cloud platform? Where is the data stored? What accreditations does it hold, and how were they obtained? Can it be independently audited? Is it approved by the Government?
When procuring a cloud service, it is not just about storage, processing and transfer of data, but also putting in place security systems and measures to protect it against hacking, malware, and ransomware attacks. Such protection is an integral part of Crown’s managed cloud service, and we can do this because we use only trusted cloud services – such as Microsoft Azure which has been verifiably accredited to comply with global and regional standards and regulations.
Our cloud installations include protective technologies and monitoring, and thwart thousands of attack attempts by hackers and bots round the clock. This highlights how vulnerable companies’ physical servers would be if they were exposed to the internet.
Crown is committed to delivering its services and solutions with highly protected customer data, and it has recently celebrated 30 consecutive years of passing annual International Organization for Standardization (ISO) audit inspections relating to how the business keeps its information secure and the quality of the processes it follows.
At Crown, we also allow our services to be independently penetration tested by customers and their accredited testing agency partners. Businesses should likewise assure themselves of the auditability and vulnerability assessments of services from other providers that handle sensitive data.
- Using supply chain mapping to understand potential vulnerabilities
The next step is to clarify with your IT providers whether your business’ data can be compromised in any way by other third parties they are associated with, as was the case with the attack on Zellis.
This is called supply chain mapping, and it is a crucial exercise that should be carried out at the earliest opportunity to gain confidence or assurance that mitigations are in place for vulnerabilities associated with working with service providers. Guidance for supply chain mapping is available from the NCSC: Mapping your supply chain - NCSC.GOV.UK.
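A constructed, minimal version of such a map, added here as an illustration (it is not Crown’s tooling or the NCSC guidance): it records which third parties each provider depends on and which of the assurance questions above each one has answered with evidence, then reports every party, direct or transitive, that can reach a data asset and still lacks evidence. All provider names and evidence values are made-up sample data.

```python
from collections import deque

# Constructed sample map: each provider and the third parties it depends on
# (e.g. a payroll SaaS that relies on a file transfer tool and a cloud platform).
DEPENDS_ON = {
    "payroll-saas":       ["file-transfer-tool", "cloud-platform"],
    "file-transfer-tool": [],
    "cloud-platform":     [],
    "hr-saas":            ["cloud-platform"],
}

# Constructed evidence collected from each provider for the checklist
# questions: is the platform accredited, and can it be independently audited?
EVIDENCE_REQUIRED = ("accredited", "independent_audit")
ASSURANCE = {
    "payroll-saas":       {"accredited": True,  "independent_audit": True},
    "file-transfer-tool": {"accredited": False, "independent_audit": False},
    "cloud-platform":     {"accredited": True,  "independent_audit": True},
    "hr-saas":            {"accredited": True,  "independent_audit": False},
}

# Which of our data assets are handed to which direct providers.
DATA_FLOWS = {
    "employee-payroll-records": ["payroll-saas"],
    "employee-contact-details": ["hr-saas"],
}

def exposure(asset):
    """Every provider, direct or transitive, that can reach `asset`.
    Breadth-first walk over DEPENDS_ON; the seen-set also guards against
    cycles in the map."""
    seen, queue = set(), deque(DATA_FLOWS.get(asset, []))
    while queue:
        provider = queue.popleft()
        if provider in seen:
            continue
        seen.add(provider)
        queue.extend(DEPENDS_ON.get(provider, []))
    return seen

def unassured(asset):
    """Providers in the asset's exposure with missing evidence, mapped to
    the checklist items they have not evidenced. A provider absent from
    ASSURANCE is treated as having no evidence at all."""
    gaps = {}
    for provider in sorted(exposure(asset)):
        evidence = ASSURANCE.get(provider, {})
        missing = [k for k in EVIDENCE_REQUIRED if not evidence.get(k, False)]
        if missing:
            gaps[provider] = missing
    return gaps

def report():
    """Assurance gaps for every data asset we hand to a provider."""
    return {asset: unassured(asset) for asset in DATA_FLOWS}
```

Running `report()` on the sample data shows that the payroll records are exposed to an unaccredited, unaudited file transfer tool two hops away, which is exactly the kind of indirect dependency the mapping exercise is meant to surface.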
- Protecting your on-premise environment and understanding how your internal systems interact with the external online environment.
Companies that are about to migrate physical servers onto digital platforms – or have not considered the security element of hosting their servers online – need to consult with a cyber security expert.
Transferring data and transactions over the internet between physical servers and cloud-based services needs to be carefully engineered, with protection from modern encryption technologies as well as firewalls.
“Man-in-the-middle” attacks are also a concern, whereby bad actors and spurious websites pose as someone from a reputable cloud platform when a business is trying to connect to transfer or access their data. They can steal enough information in transit to develop attacks that would be hard to detect.
However, if the internet-based interface and storage are designed properly with expert input, cloud-based data is actually much safer and more resilient than on-premise storage, where it could be more easily compromised.
- Considering limited employee access
While this isn’t something we want to think about, it is possible that attacks can originate internally from employees themselves – especially if they become disgruntled with their employer or have their credentials stolen.
To guard against this, it is best to restrict access to sensitive data to small, defined groups of individuals, and to use robust authentication systems with biometric and two-factor authentication. Such systems should allow user access to be withdrawn rapidly if required, to limit potential damage.
And remember: if a business becomes the victim of a data breach, it should immediately notify the relevant authorities, such as the Information Commissioner’s Office, and its partners in the supply chain.