The recent improvements in computer networking technology coupled with highly efficient storage mechanisms have led to the rise of high-speed connectivity and given organisations and individuals the ability to move large amounts of data / information over the internet to cloud storage.
Cloud computing applications allow users to access a vast array of resources and services on the web. Third-party cloud service providers allow companies to outsource data storage functions and to focus on their core business, instead of spending resources on computer infrastructure and maintenance.
A uniquely South African reason for the rise in cloud computing is to establish a mobile, remotely accessible data pool for companies faced with political uncertainty. A company considering relocating would want to ensure it is able to access its information from anywhere in the world.
With the weakness of the rand, it also becomes difficult to invest in IT assets. Compared to the prohibitive costs of setting up an in-house server room to house client data, the cloud presents a far more attractive option.
This trend for companies to store vital data on the cloud is understandable and, indeed, highly practical. However, it does come with significant risks. These risks should be identified and managed, to ensure the continued effective management of data.
The most significant risk of cloud computing is the security risk. When an organisation contracts a supplier to provide critical services and data storage for them, they are placing the life of their business in their hands. Clients have trusted the company with their data, and they expect it will be managed responsibly.
Unfortunately, small and large businesses seem to take the view that they are passing responsibility for the data storage risks on to the cloud computing vendor. This is often not the case.
With the ubiquity of modern cloud computing, and its concentration in the servers of a handful of large global operators, cloud services provide an attractive target for criminals. The vast amounts of data stored by these services also concentrate risk on one single point of failure.
The key is for companies not to abdicate responsibility for the clients’ data, even when using cloud services to store it.
A first watchword of responsible cloud computing is to deal, first and foremost, with reputable service providers.
One should also engage actively with the provider to determine the measures they take to protect the data they’re entrusted with. It is important that they have disaster recovery plans, and that these be thoroughly and regularly tested by suitably qualified specialists.
Ensure that the company can guarantee, in a service-level agreement, a certain amount of uptime. Once that is agreed, make sure that there is sufficient redundancy on the lines.
There are service providers who can conduct penetration tests to gauge the effectiveness of cybersecurity as well as the integrity of client data and advise accordingly. Companies would be well advised to consider such measures, depending on the risk appetite of their organisation.
To provide assurance around these threats from nation state actors and rogue coders, global cyber leadership collaborations have been set up, affiliated to risk advisory and professional services firms. These teams provide timeous cyber threat intelligence to their clients, based on threat intelligence gathered from:
- Data Breach Investigations
- Network / host active threat monitoring
- Deep/dark web and social media analysis
- Artificial Intelligence and algorithms deployed to monitor threat trends
Specialised cyber security service providers in global audit firms, have sophisticated Artificial Intelligence capabilities to monitor usage trends and to identify and mitigate possible threats well ahead of time.
Such operations are sophisticated teams, comprising staff with defence, IT and risk-management skills. They work out of global security operations control centres (SOC’s) in cities spread across the world like centres in New York, Tel Aviv and London. As and when necessary, Incident Response teams are deployed by these highly professional trained specialists who operate as Computer Emergency Response Team’s out of operational centres referred to as “CERT’s to take immediate and effective real time remedial measures.
Today, data is previous, and what many business models are based on. Organisations should not abdicate responsibility for data that is in their hands. They should remain assertive, define the terms of their relationships with their cloud providers, and with their partners, ensure risks are mitigated as well as possible.
By Graham Crooke is Director, BDO IT Advisory Service