The mass adoption of cloud services and the pressure to consolidate vendors along with the tightening of budgets due to the ongoing COVID pandemic is creating the risk of security monocultures that could put organisations at greater risk.

By Brian Pinnock, cybersecurity specialist at Mimecast

Security professionals have for a long time warned about the dangers of organisations putting all their ‘eggs’ – email, data, collaboration systems – in one ‘basket’, for example by going all-in with one cloud service provider.

What’s happening now with the urgent shift to greater cloud services adoption, is that many organisations are considering putting all their eggs into the same basket as everyone else.]

The maths is simple: if data is the new gold, and the majority of companies are on the same cloud platform – such as Microsoft 365 (M365) or Zoom – that platform becomes a veritable ‘goldmine’ for threat actors.

The view is that threat actors would have an easier time bypassing an organisation’s defences if they relied on a single provider: all they’d have to do is understand that provider’s security measures, and deploy tools and tactics to circumvent such measures.

Security concerns are also only one dimension to this threat. Cloud services downtime could become a national systemic risk if all organisations are fully reliant on a single platform.

Unplanned outages leave organisations stranded

As the global backbone of business communication and productivity, any downtime for M365 could potentially pose a systemic risk.

An interruption in critical infrastructure or downtime at key government departments that rely on M365 could reduce the state’s capacity to deliver services to citizens. This would be disastrous in a country where millions rely on state support – especially during a pandemic.

And the systemic risk could spread beyond national borders and into global supply chains if all organisations in the chain are subject to the same security vulnerabilities and availability risks.

It doesn’t help that downtime for M365 isn’t uncommon. A new Mimecast study found that South African IT decision-makers report an average of 3.2 business email outages per year, rising to 3.8 in the public sector.

The most common consequences of downtime among South African organisations include reduced productivity (59%), inability to provide services to customers (47%) and loss of production time (44%).

The business world can’t live without productivity tools and cloud services. They’ve helped keep many economies afloat by allowing organisations to continue operating in remote environments. But an hour or two of downtime for any of these essential tools and everything grinds to a halt.

Spreading your risk

And that’s part of the point: larger cloud services players offer good security and business continuity offerings, in some cases even exceeding the security controls found at many on-premise data centres.

However, placing all your eggs into the one basket means you’re left in the lurch when things go wrong – as they inevitably do. And when collaboration and productivity platforms add on security features, buyers assume they provide all the necessary security measures and a third-party supplier isn’t necessary.

To compensate for any weaknesses and create more secure and resilient cloud environments, organisations should seek the proven strategy of defence-in-depth (DiD).

DiD is a layered approach to cybersecurity that combines third-party solutions with built-in security components offered by the cloud provider, to fill gaps and compensate for end-user errors.

The goal is that, when one defence fails another steps in. Organisations are taking notice: in our latest research, 95% of IT decision-makers in South Africa said they use third-party solutions to secure their business email against cyberattack.

Without layered security, organisations are left vulnerable to advanced cyberattacks and potential loss of important company information. Additionally, without implementing appropriate and reasonable organisational and technical measures, such as a solid DiD strategy, they may not comply with data protection regulations such as the Protection of Personal Information Act (POPIA).

In fact, Mimecast’s research found that only two in five organisations believed their business email systems are fully POPIA-compliant.

Adding depth to defences

An effective Defence-in-Depth strategy should include additional security controls to complement the first line of defence. Anti-malware can protect users against viruses and other forms of malware, but it’s been proven that no single vendor is able to block everything and other layers of protection are needed.

Additionally, security controls should be supplemented with regular, effective and measurable cybersecurity awareness training that extends beyond the traditional, boring compliance videos and fake phishing tests.

Organisations also need to ensure email continuity by deploying tools that provide real-time access to email during service outages.

Finally, IT leaders should look at their infrastructure in the same way as an organisation would diversify its investments. Astute investors shy away from putting all their investments into one place, for example the stock market. Diversity strengthens their portfolio and minimises the risk of one or more investments not delivering.

If you rely entirely on a single cloud provider, you remain at the mercy of their engineers and support teams to fix underlying issues with the services. Diversifying your investment into your cloud services helps create greater resilience and protects organisations against unwanted disruption.

Email is the number one attack vector. Can you risk protecting it with a single vendor? Organisations should take extra security measures to protect email as a single ransomware, malware or other cyberattack could cripple an entire organisation.