Get off my cloud
The cloud is safe, often safer than on-premises systems. But this comes with a condition: the cloud isn't impregnable. Nothing is. Cyber crime is growing hand over fist, and its prospects only went up during the pandemic, especially with the rising value of crypto-currencies. As an Interpol cyber crime investigator recently commented on a Microsoft panel, nothing changed for online criminals during the pandemic. They already worked remotely. But now they can exploit the chaos and confusion left in the pandemic's wake.
"We're seeing old mistakes as well as new ones in the market," says Colin Thornton, Turrito Networks' CFO and founder of Dial-A-Nerd. "In general, end-users don't take security seriously enough, so they make the same mistakes while the bad actors have improved their attacks through phishing and malware, for example. The big uptake of new working modes since COVID complicates things. Many companies weren't prepared and the changes weren't systematic. That we can blame on the urgency of the moment. But it still created big gaps for attackers."
Catching up with the bad guys
The average business is not able to fix this problem. Not only do they face a massive task in realigning their IT estates – including security – but they are ironically overwhelmed by solutions.
"In the last year, we've seen major vendors release up to three patches a day! That is too much for most people to track, even administrators," says Thornton, who makes it his business to track issues such as patch releases.
So we can forgive companies for going back to basics, at least how they see basic security. But then box-checking replaces systematic and holistic approaches. Firewalls, anti-virus and encrypted backups become the main defensive barriers. If a business from 15 years ago applied these steps, they'd be sufficient. But modern demands are very different. Specifically, cloud operating models require much more diligence.
"They just see the cloud as an extension of their LAN," says Thornton, talking about companies taking a basic approach. "But what is securing their applications or virtual machines in the cloud? What is securing their users and managing permissions? Any weaknesses in these areas are what the bad actors target. You can play down the importance of security in those areas, but cyber criminals aren't. That's what they are targeting."
Cloud systems need security reinforcement. Even though some of the onus can rest on the cloud providers, the small details that criminals exploit (like internal threats either deliberate or unwittingly) is very much the customer's problem. And yet, they are stuck between a rock of sudden change and the hard place of continual security demands.
Fixing security with services
This conversation may relate to cloud environments, but the cloud is just one dimension of the issue. It adds fuel to an already raging fire – and ignoring the cloud's link to security is a sure-fire way to attract successful breaches. Fortunately, most enterprise-level businesses have been focusing on this for years and smaller businesses are now realising they need to catch up. Software and solution providers haven't been complacent either, and the security market provides some stellar countermeasures. One can go as far as to say that companies already have the means to protect themselves.
"Most organisations have invested in cyber security to some extent, but they often have a wide array of tools they either aren't using at all or haven’t configured appropriately. There are likely several features in their current security systems that can pre-empt or fix so many issues. For example, multi-factor authentication is included in most major platforms these days, but it isn't activated. The solutions are there and sometimes don’t cost anything. Companies just don’t know it."
Organisations often don't have the means or focus to apply security correctly. This is not a slight on their IT teams. Instead, it's their plight: to move multiple mountains with not enough shovels in sight.
The answer is to get extra muscle through managed services (MSPs).
"Security needs a holistic approach, and in a way which doesn’t overwhelm the business," Thornton explains. "An MSP fills in what they need. Unlike outsourcing, where you hand over control of a peripheral requirement in the company, managed services focus on critical areas. They collaborate with the internal teams, advise on correct actions, and generally make things happen across complicated and multi-layered environments. The customer can then use their internal people for other priorities and rely on service level agreements to keep the MSP accountable. Security is a collaborative effort – that's non-negotiable."
The managed services approach, he concludes, can translate into increased value with lower costs, especially if a business has security products not used to full effect. Security might be a lot more complicated, especially once internal environments extend to the cloud, but managed services meet those challenges for cloud expansion and the growing complexity of the digital world.