For many South African organisations, the cloud is becoming an indispensable part of the standard operating procedure required for the digital landscape.
And, thanks to the arrival of multinational data centres in the country, more decision-makers are experimenting with transitioning their solutions and data to this online environment, writes Stuart Scanlon, MD of epic ERP.
However, the fundamentals of cyber security should never fall by the wayside.
Irrespective of geographic location and business focus, data is fundamental in the connected environment. With companies increasingly reliant on data analytics to draw insights and customise offerings for customers, and end-users comfortable sharing their personal information to get a more tailored experience, safeguarding this asset must be a business priority.
The unfortunate reality is that nobody is safe, and no organisation can afford to assume they will not be targeted. According to the 2018 Cost of a Data Breach Study, the average cost of a data breach globally is more than R56 million. Given the complex regulatory environment when it comes to data protection, businesses can ill afford to only pay lip service to security.
Statistics show that almost a quarter of files in the cloud contain sensitive data. This can range from financial records to business plans. However, it is not saving this information online that is the problem. Instead, how it happens is the cause for concern.
The same research found that sharing sensitive data with an open, public link has increased 23% over the past two years. While this can be attributed to the growing consumerisation of technology to a certain extent (and people getting more comfortable in saving personal information online), companies must do more to educate users on the risks associated with this.
Even more concerning is how many businesses lack this education themselves. They (wrongly) assume that just because data is saved on the cloud, it is done so securely with no danger of being compromised.
The reality is that, while the service provider takes responsibility for the data once it reaches their servers, the path the data takes to get there puts the onus firmly on the organisation. This shared responsibility model is critical to navigating the challenges when it comes to cyber security in the cloud.
The potential for compromise when using the public cloud is simply too great. Instead, companies must investigate the opportunities that private and hybrid cloud solutions provide while still ensuring sensitive data is kept safe.
Going the private or hybrid route provides a range of benefits for decision-makers. These offerings typically deliver automated, real-time, and exception-based options for organisations to carefully manage sensitive data.
Furthermore, the ability to validate transactional and input data at the source (depending on the provider and solution used) empowers businesses to not only improve their speed to market, but also reduce the strain on administrative staff.
According to Gartner, the biggest problem is not in the security of the cloud but rather in the policies and technologies for security and control of the technology. One of its most concerning statistics is that by 2022, expectations are that at least 95% of cloud security failures will be the fault of the organisation and not the service provider itself.
Some of these failures can link back to preventable errors such as clicking on malicious links or misconfiguring servers and network devices. In fact, what has been classified as ‘inadvertent insiders’ (employees who unwittingly cause security incidents through negligent actions) accounted for nearly two-thirds of all data records that were compromised in 2017.
The human element
So, with human error being one of the most notable contributors to a lack of security, organisations must assess how they approach internal user education and what checks and balances they put in place to monitor the success (or failures) of these campaigns.
Worldwide, most organisations admit that traditional security solutions do not work in cloud environments. They cite protecting against data loss and leakage, threats to data privacy, and breaches of confidentiality as the three most prominent risk vectors facing them.
Clearly, anti-virus and firewall solutions are not comprehensive enough to protect against these threats. Instead, a more integrated cyber security approach should be followed that encompasses all likely attack points into the organisation. Moreover, the way the company engages with its data on the cloud must be closely scrutinised and be made more secure.
In this regard, everything from educating employees, encrypting data, implementing multi-factor authentication, limiting access control, testing security measures, and other elements must be considered indispensable to a more unified cyber security mindset.
By taking the time to assess and strategise the most effective protection measures for data, organisations will be able to mitigate against some of the risks inherent to data in the modern age. To do any less would be to be left open to attacks that can potentially result in the business having to close its doors.