I would warn any CISO who is considering cloud in their future to make sure that never happens to them, and that is a contractual thing in the service level agreement.
What other suggestions do you have for companies?
Set an email retention policy and don't store your entire email archive in the cloud. You can store it locally somewhere in the corporate environment, so you can still access it for doing your daily work, looking up data as well as for e-discovery purposes, but it shouldn't be stored in an accessible location out in the cloud.
Second, enable two-factor authentication. Anything that requires a log-in should be enabled for two-factor authentication. If I had enabled two-factor authentication for Google apps that I had HBGary subscribed to, then these hackers from Anonymous would not have been able to log in.
It was a newly available option, but we hadn't enabled it. The cost of two-factor authentication is significantly lower today than it has been in the past. It doesn't cost much, so anybody using the cloud should enable two-factor, if it's an option. If they have any services on the road, such as sales people or technical people, they should have two-factor authentication.
Another thing they should do is configure IP restriction on any administration of the site. So, you should only have one administrator account and it should be IP restricted to a single location. And then if you have a compromise, you don't have to worry about someone getting access to the administrative parts of the cloud services.
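As an added illustration of that last suggestion (example code, not part of the interview), here is a defender-side check in Python that reads constructed login records and flags successful administrator logins from outside the single permitted network; the network range, the user name and the record format are assumptions.

```python
from __future__ import annotations
import ipaddress
from typing import Iterable

# Constructed allow-list: the one location from which the single
# administrator account may be used (hypothetical documentation range).
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample login records in the shape "user,source_ip,outcome".
SAMPLE_LOGINS = """\
admin,203.0.113.17,success
alice,198.51.100.5,success
admin,198.51.100.5,success
admin,203.0.113.44,failure
admin,not-an-ip,success
"""


def is_allowed(ip: str, allowed: Iterable[ipaddress.IPv4Network | ipaddress.IPv6Network]) -> bool:
    """True if ip falls inside any allowed network; unparsable addresses are never allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def flag_admin_logins(log_text: str, admin_user: str = "admin") -> list[dict]:
    """Return successful admin logins whose source IP is outside the allow-list.

    An IP-restricted admin account should never produce such an event, so each
    one is worth an alert: either the restriction is not enforced or the
    credentials are being used from somewhere they should not be.
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, ip, outcome = [field.strip() for field in line.split(",")]
        if user == admin_user and outcome == "success" and not is_allowed(ip, ADMIN_ALLOWED_NETS):
            flagged.append({"user": user, "ip": ip})
    return flagged


if __name__ == "__main__":
    for event in flag_admin_logins(SAMPLE_LOGINS):
        print(f"ALERT: admin login from outside allowed network: {event['ip']}")
```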