Mitigating cyber risks in the Cloud

risks

Eighty-six per cent of cloud-based organisations said the platform helped them adhere to government regulations, according to an Epicor industry insight report.

Escalating security risks and high-profile ransomware attacks are driving up the concern of executives and boards. Are you prepared, and do you have the resources to manage your risk? Epicor’s regional Vice President Greg O’Loan asks the big questions.  

In March this year a cyber-attack disrupted live broadcasts on one of Australia’s national television networks.  

In April, an attack forced the operator of four hospitals in Melbourne’s east to postpone some elective surgeries, and soon after several Queensland health service providers had to process patients manually when another attack brought down IT systems.  

Then, in May, a cyber-attack forced the shutdown of a pipeline that carries 45 per cent of the US East Coast’s supply of diesel, petrol, and jet fuel.  

Even in the last few weeks we’re seeing attacks delivered through text messages with a link to a voicemail, camouflaged as a means to get victims to download a malicious app. First reported to the Australian Cyber Security Centre on August 4, the ‘Flubot’ malware operates under the disguise of targeting those waiting for COVID tests and vaccination appointments.  

Suddenly, cyber-attacks were having major consequences for well-defended organisations and causing significant disruption to people’s lives.  

And there is no sign that cyber criminals will stop their onslaught any time soon.  

The simple truth for most business leaders is that managing cyber security is not their organisation’s core business focus. But for cyber criminals, finding holes in their defence is their only business.  

Rapid response  

The IT industry evolves quickly, and so too do the techniques used by cyber criminals.  

And as we’re all asking questions regarding risk, they need to be asked and answered to the satisfaction of the most senior leaders in the organisation.  

Right now this question is especially relevant for leaders of organisations that will fall under the proposed revisions to the Australian Security of Critical Infrastructure (SOCI) Act 2018, which significantly expands the definition of those industries considered critical and introduces new cyber defence obligations for them.  

Leaders should pay particular heed to the introduction of a Positive Security Obligation (PSO) relating to how they manage the security and resilience of critical infrastructure assets, and to the need to take an all-hazards approach to identifying and mitigating material risks.  

That means truly understanding the risks involved in their infrastructure and the investments they have made to protect it, including those risks endemic to the providers they work with.  

With this in mind, the Epicor Industry Insights Report 2021 found that 86 per cent of respondents, whose organisations were mostly on cloud, said cloud solutions helped them adhere to government data regulations.  

Cloud security landscape  

Business leaders have no shortage of options for how they can spend their cyber defence budgets. Increasingly, they are making a choice that not only boosts their defences, but that also delivers new business capabilities.  

According to our Industry Insights Report 2021, of the 1250 industry decision makers surveyed, 94 per cent declared an interest in cloud-based solutions over the next twelve months.  

This was a massive change from the 25 per cent who stated cloud was a strategic priority a year earlier and has been driven by the need for enhanced agility brought on by the shifting landscape, and further fuelled by the growing cyber threat.  

According to the report, decision makers regarded the cloud highly for the attributes of adaptability, futureproofing, partnership, and security.  

This last point was reinforced by the 90 per cent of respondents who believed data was safer in cloud-based solutions – a particularly important consideration for the growing number of organisations that are investing in Big Data.  

Cyber security steps  

The single biggest threat to an organisation’s IT security is the growing number of phishing attacks experienced globally and locally. The level of sophistication administered through these attacks are getting more subtle and clever, even the most security-aware organisation can fall victim. Alongside training and upskilling the entire workforce on how best to identify a threat, having strong cloud based systems in place can dwarf the current security systems of most legacy on-premise security systems.  

Cloud based security not only provides superior protection for cyber security, it also frees up time for in-house IT experts to focus on business processes and efficiencies to enable the organisation to grow revenue and improve margins.  

To best deliver your organisation’s business objectives, we recommend that you first review your approach to risk management and then work though the following processes:  

  1. Risk management: take a risk-based approach to securing your data and systems  
  2. Engagement and training: collaboratively build security that works for people in your organisation  
  3. Asset management: know what data and systems you have and what business needs they support  
  4. Architecture and configuration: design, build, maintain, and manage systems securely  
  5. Vulnerability management: keep your systems protected throughout their lifecycle  
  6. Identify and access management: control who and what can access your systems and data  
  7. Data security: protect data where it is vulnerable  
  8. Logging and monitoring: design your systems to be able to detect and investigate incidents  
  9. Incident management: plan your response to cyber incident in advance 
  10. Supply chain security: collaborate with your suppliers and partners  

Cloud security advantages  

While the cloud is not a panacea for cyber woes, it offers a range of advantages that weigh heavily in its favour.  

For starters, the money that hyperscale cloud service providers devote to securing their systems far outstrips the spend of all but the largest organisations and government agencies.  

Australian government security and policing agencies now acknowledge the security of the cloud, with many services assessed against the Information Security Registered Assessors Program (IRAP) as suitable for hosting data classified as PROTECTED.  

Most cloud services in Australia have also solved data residency concerns by opening onshore data centres, allowing them to provide certainty that data will never leave the country.  

Another advantage of cloud hosted software is that when users are dealing directly with the software’s provider, they can be assured the version they are using is the most up-to-date available – and hence fully patched and secured.  

At Epicor, we offer customers the flexibility to choose between on-premises and cloud-based implementations. We know that many customers have the maturity to properly secure their systems and have strong commercial and regulatory reasons for wanting to keep their data close at hand.  

As the report shows, leaders who have taken their businesses to the cloud are future proofing their business in two ways, by bolstering its defences from short term cyber threats, while giving it long-term flexibility.