High-profile cybersecurity breaches are increasingly in the news, a prime example being the NHS incident of May 2017 when services were brought to a standstill for several days though cancelled appointments and operations, at great financial and individual cost. You’d expect the desire to avoid unnecessary financial losses/liabilities and negative publicity would motivate organizations to implement appropriate cybersecurity systems in a world driven by tech and increased dependency on IoT and the cloud. Surprisingly, though, digital security is often very much a secondary consideration. A recent cybersecurity report carried out by ESG, revealed that participating security professionals believed their existing tools to be inadequate for safeguarding critical cloud data, even though their employers continued to invest heavily and with increasing speed, in cloud applications.
The same report divulged that 39% of respondents would only consider on-premises systems in exceptional circumstances. Additionally, more than half of those questioned expected around half of their data to be moved to the cloud over a 12-month timeframe and that a significant proportion of said data would be sensitive. Considering that cloud-first strategies are gaining momentum because of the numerous benefits they offer, it is somewhat alarming that over two thirds of those surveyed stated that they lacked the tools within the cloud to safeguard sensitive company information. With IoT and interconnectivity becoming increasingly the norm, it begs the question as to why are so many cybersecurity systems/practices not fit for purpose?
There’s no denying that pandemic has accelerated the transition to the cloud, with businesses scrambling to quickly collate the necessary IT infrastructure to support home working without considering the security aspects. Many facilities managers are still of the mindset that enabling remote working is just a case of issuing login details with little understanding of the security risks associated with home broadband equipment or the vast range of personal devices being used. What’s even more astonishing is that some believe that implementing multiple security layers slows down performance and hinders innovation on account of over complex procedures. Cybercriminals have been quick to capitalise this naivety and the daily number of cyberattacks have skyrocketed since the outbreak of COVID-19.
Companies with modest IoT deployments often don’t factor-in security unless they’re specifically requested to do so, because many of their end customers believe it to be overkill because of perceived costs versus perceived risk. These short-sighted attitudes are somewhat baffling in a digital world because if cybersecurity is left unchecked, not only will it impact a business’s ability to trade, associated liability costs can run into millions.
While most localised IT systems have a dedicated IT security team to safeguard a company’s valuable assets, different requirements come into play when protecting assets stored in the cloud. The two biggest considerations are firewalls and data encryption. Firewalls are essential because bots and hackers will easily identify weaknesses and take advantage. Encryption is needed because in the event of a security breach, the data cannot be compromised quite so easily. It is also essential to have a carefully designed architecture to mitigate the risk of a security breach in the first place. More specifically:
• Include partitioning – with different levels of access control
• Enable traceability – so an audit trail can be quickly generated in the event of an incident Apply multilayer security – for enhanced protection and to mitigate weak spots
• Introduce proactive monitoring – so potential threats can be swiftly dealt with
• Automate manual processes to remove the risk of mishandling or modification Implement incident management and investigation policy and processes that align to your organizational requirements.
Far too many businesses, particularly smaller ones, are of the mindset that migrating their IT systems to the cloud, where all data security matters are taken care of on your behalf, will cause unnecessary upheaval compared to the perceived risks. Others are fearful about losing control, while some are simply too overwhelmed by the prospect of change or lack the support of colleagues to make that change.
These views are somewhat naive if not dangerous because cloud companies like Amazon Web Services and other public cloud providers have invested millions in building robust cybersecurity infrastructures to protect their customers’ data, accounts, and workloads from unauthorized access whilst enabling them to operate more efficiently and cost effectively.
Cybercriminals are becoming more sophisticated all the time, so regarding cyber security as a “bolt-on” to an existing system no longer cuts the mustard. The world is reliant on digitization and IoT and automation are gaining momentum so businesses deciding to ignore data security will be doing so at their own peril.
By Jonathan Custance
