The cloud is very attractive to South African businesses. It provides flexible and agile technology - ideal for companies keen to digitise, automate and innovate. Cloud models inherently use operational funding, creating better cost control and reducing up-front investment risks. Above all, a business can choose what to own and rent: when you use a service such as Office365 or AWS virtual machines, you can own your business data but not the underlying email servers and software, reducing maintenance and skills costs.
"Cloud technology is revolutionary," says Brendan Kotze, Chief Development Officer for cybersecurity company, Performanta. "It makes business strategies more flexible - they can pick what technologies they need on favourable terms, and they can scale up and down as their needs change."
Local, state-owned enterprises, public and private enterprises, and SMMEs flock to the cloud. A 2020 report from cloud vendor Nutanix claims that 88 percent of local enterprises consider hybrid cloud ideal for their organisation. Software giant SAP reports that the local cloud market had doubled in the past three years, with mid-market companies leading the charge. And a 2021 study by World Wide Worx reveals that cloud technologies made an overwhelmingly significant contribution in dealing with the Covid-19 pandemic.
The cloud Security Conundrum
But there is a dark side to cloud computing. As companies switch to cloud systems, they reduce reliance on carefully engineered security systems, says Kotze.
"Traditional security operates like a castle. It has deep moats, high walls, and access is checked at the gates. You distinguished between what was inside and outside your technology castle. Cloud technologies are decentralised - you might have a server at your premises, backups on a cloud server, and your employees use a remote third-party collaboration service such as Slack or Teams. You cannot control that in the same way you used to apply security. It's a very significant risk for companies," says Kotze.
Decentralised technology infrastructure, remote work and increased reliance on user devices create new criminal attack opportunities. Cybercrime activity has surged since 2010 as decentralised technologies take centre stage. The pandemic's shift to hybrid workplaces prompted an additional jump in cyber attacks.
In 2013, the US retailer Target was hacked, compromising around 40 million people's details. In 2021, criminals breached a vendor called Solarwinds, compromising around 100 customers. In the same year, ransomware attacked business operations at the Colonial Pipeline in the US, shutting down energy delivery for most of the country's East Coast. Though not all such hacks are cloud-specific, the decentralised models that underpin cloud technologies have encouraged criminals.
Cloud security: What to know
Companies can secure the cloud in draconian ways. They could force employees and customers to change passwords daily, use multiple firewalls and virtual private networks, and operate on locked-down devices. But such measures have a very negative effect on productivity, says Kotze.
"It's important to strike a balance between cloud security and access. If you don't, you make it much harder for people to do their jobs. You also put an enormous support burden on IT staff who have better things to do with their time and qualifications. And ultimately, you can end up with overly rigid systems and protocols. You might as well get rid of spreadsheets and take up paper ledgers again."
Yet a balance is possible with the proper security practices. Kotze provides the following tips to create effective business cybersecurity:
Zero trust: Zero trust security is a framework that looks at every digital activity with suspicion. Is a user meant to copy that file? Should a specific account log in at unusual times? Just as credit card companies flag suspicious transactions, zero trust security does the same, using automation and artificial intelligence to respond quickly. Every business should look for zero trust features in its security.
Shared responsibility: Security shouldn't be outsourced entirely. A third-party cloud provider cannot take care of all your security needs. Major cloud platforms such as Microsoft Azure and Amazon Web Services have excellent security. But you must still strategise and coordinate your security, preferably with the help of a security executive or manager.
Top-down strategies: Security is a living ecosystem that evolves as business needs change. In a digital economy, business operations and strategy align closely with technology. Security is not exempt and requires guidance through risk, governance, compliance and policy. Such elements have to originate from the highest levels: the board, chief officers and senior management.
Employee inclusion: Train and include employees in security conversations. If not, they can fall prey to criminals through extortion and mimicking trustworthy people. Employees will also find ways around safeguards if the latter stops them from being productive - a phenomenon called Shadow IT i.e.:. employees use unauthorised services, such as sharing files through private Gmail accounts.
Go beyond Audits and Compliance: Meeting compliance requirements, such as the Protection of Personal Information Act (POPIA) or PCI (Payment Card Industry) compliance, reinforce security. But it's not sufficient. Nor does passing an audit. Cybercriminals are motivated and creative. They will exploit any resulting gaps due to the tension of a dynamic workplace and rigid bureaucracy.
Create visibility: Business systems can be complex, utilising multiple vendors and service providers. Monitoring such environments is very cumbersome. It's crucial to consolidate visibility and reporting of different technology components, not to mention cheaper than the millions needed to repair damage from an attack.
Security Partners: Companies can work with security consultants to craft strategies and cost management. They can use managed security service providers: companies that invest in scalable security skills and software. A security partner with a proven track record and references can manage security operations, leaving the business to focus on security strategy.