February 26, 2020

Managing the double-edged sword of the cloud: Security vs productivity

By Iain Shearman

The growing need for businesses to embrace digital transformation is prompting many firms to adopt a hybrid multi-cloud approach. The cloud offers organisations a multitude of benefits, such as improved efficiency and productivity, all of which can transform various everyday organisational functions.

However, with cloud adoption comes increased risks to security in the form of human errors, security glitches and software bugs that can all have a detrimental effect. If, or in some cases ‘when’, such issues arise, hackers are usually the only ones to benefit.

Putting security concerns to one side, data is the enabler of new technologies and solutions: it is where critical and actionable business insights come from, and it is the key to unlocking innovation and new revenue streams for businesses. As the business landscape becomes increasingly competitive, companies are also beginning to wake up to the inefficiencies that are costing them time and money.

Therefore, the digital transformation that’s sweeping across many different industries is one that requires rich and quick data to enable organisations and businesses – especially those who are either struggling with productivity or those who have high value assets – to improve operational efficiency.

The technology challenge

Marrying new technology with legacy infrastructures can be a tall order and, without the right strategy in place, can create problems that are difficult to repair. In January this year, news broke that Dixons Carphone was fined £500,000 for a huge data breach which revealed the personal names, postcodes, email addresses and failed credit checks of 14 million people, as well as 5.6 million payment card details. It’s the stark reality of the current threat and one that is only set to continue.

It’s irrelevant how big or small the company is: cyberattacks have become so sophisticated that no business is immune. Retail tops the list of the most targeted industries, namely because of the rich pool of data that makes individual consumers identifiable, intertwined with payment data, which users often store for future transactions. Retail also happens to be one of the industries most challenged by the pace of digital change.

It’s a sector that’s never been far from the headlines either. Last year, we saw retailers hit hard, as high-end fashion brands Karen Millen, Coast and Jack Wills were all sent into administration, and the 22 restaurants of Jamie Oliver’s UK empire were all forced to close.

Unfortunately, the annus horribilis of the high street is unlikely to be a one-off. The advent of new technologies is causing retailers to re-imagine traditional business models and create new ways to use data to help with growth.

But a data-driven transformation is a challenging task. Not only does using more applications expand the attack surface and create more opportunity for bad actors in a cloud world, but the potential for damage due to a data breach or hack is also much greater.

Securing your data

Maintaining a solid IT security posture is an ongoing task that requires continuous action and review and, although essential, technology is only one piece of the jigsaw. Cybersecurity is part of a broader picture, and an effective cybersecurity strategy must take an all-embracing approach.

Whether they are small or large, organisations must adopt a less passive attitude to security, becoming more active and, in turn, preventative. It is no longer sufficient to retrofit cybersecurity. Instead, it must be planned for upfront if it is to be effective.

This is what’s called ‘security by design’ rather than ‘by addition’. To offer a broad analogy – when designing a modern office building, you think about access and cabling and power distribution in advance. The option to retrofit is there, but it’s expensive, inefficient, runs the risk of being incomplete and also leaves holes.

Cybersecurity is a mission-critical issue, demanding upfront focus that enables clarity about the separation of layers and functions. In a WAN environment, for example, the desired effect is that these layers and functions reinforce each other, rather than concealing blind spots or creating joints that become points of weakness where a threat can “fall between the cracks”.

Instilling the right culture is key

The idea of a physical office as a perimeter is now void – many employees now have the option to conduct business from wherever they please and whilst cloud adoption brings a whole host of efficiencies, it also brings a threat to the security of data.

According to Verizon’s 2018 Data Breach Investigations Report, human error is the root cause of close to one in five data breaches, and whilst almost three-quarters of attacks are perpetrated from outside an organisation, more than a quarter involve insiders. Employees are often pinpointed as targets to obtain data, which makes the need to educate colleagues on cybersecurity all the more important. Awareness of what an early “phishing” attempt looks like could prevent a fatal business attack.

An organisation’s security culture requires care and feeding. When a security culture is sustainable, it transforms security from a one-time event into a way of working that will forever generate a return to a business. The reality is that humans, in any business or organisation, are the weakest links: whilst computers will, for the most part, do as we programme them to, humans do not, which makes the need for a security framework all the more crucial.

For employees, there must be a focus on continued awareness. Security training should not be treated in isolation. Instead, companies and organisations should commit to regular sessions for their people across all areas of the business – not just in the IT team – to boost confidence and performance. Building a security community that provides connections between people across an organisation will help unify the business against a common problem and wipe out an “us versus them” mentality.

Engaging employees with the reality of a cybersecurity attack will give them a reason to be diligent. An organisation’s security will only ever be as strong as its weakest link and employers must make it their priority to eradicate these gaps.
