Richard Blanford of Fordway demonstrates why risks to data also represent a risk to the business in this guest spotlight.
Whether a business realises it or not, it manages risk on a daily basis. Across the spread of business activity there will be real or potential exposure to many different types of risk. Changes within the business or circumstances outside its control can affect their relative importance. While a 2018 risk register might have contained mention of a global pandemic affecting everyday operations, this might not have been considered a risk of high importance at that time. As businesses embrace digital transformation and use its power across more and more functions, they should pay conscious attention to risks associated with the management and security of their data.
The Pandemic Has Exposed Businesses to Risk
The Covid-19 pandemic has been an eye-opener for businesses in many ways. It has shown they can respond quickly to the challenge of providing a new way of working, supporting home working on a large scale, often never having done so to such a level before. For many, facilitating home working has required a move to the cloud, either for the first time or as a consolidation of a formerly hybrid mix of on premise and cloud.
The pandemic has also created opportunities for bad actors. The UK Government’s Cyber Security Breaches Survey 2021 found that 39% of businesses reported a security breach or attack in the last 12 months, and of these 27% said they experienced attacks at least once a week. The survey also noted that fewer businesses are deploying security monitoring tools than in 2020 (35% in 2021, 40% in 2020), fewer undertake any form of user monitoring (32% in 2021, 38% in 2020), and fewer have up-to-date malware protection (83% vs 88%).
This suggests that in the rush to support home working, many businesses may have consigned risks associated with data security to the back seat, or at least reduced their priority. Now, as we enter a new phase, with a hybrid work structure being adopted by many as standard working practice, data security risk management needs to be given increased priority. It is clear that information security risks are business risks, and should be reported to the board, whose role it is to manage them and agree action as part of corporate governance, rather than leaving this task solely to the IT team.
What Kind of Cloud, What Kind of Risk?
Not all businesses will value their data equally. Those for whom data is core, or who protect critical assets and services, will value it more highly than those for whom it is not. Ultimately it is for the board to decide the importance assigned to different types of risk, and what mitigating action should be taken. But three things are crucial in evaluating and mitigating the risks associated with data in general and cloud-stored data in particular.
First, every business creates, uses and needs data to some extent, even where the data itself is not viewed as a core business asset. Second, data moves. It may be stored in the cloud for some of the time, but it does not stay there. It is accessed, drawn down to local machines, manipulated and shared. While cloud providers might take responsibility for data security while they hold it, they do not have any responsibility for it while it is in transit, on a business’s local network, being used or being emailed.
Third, different kinds of cloud provision give different types of data protection. A Software-as-a-Service (SaaS) provider should offer disaster recovery services, but this may not include data recovery. Office 365 is a case in point. While Microsoft accepts responsibility for its own software, it does not offer a guaranteed data backup and recovery service should Office 365 fail and lose customer data. Looking after data is the responsibility of the service user. Platform-as-a-Service (PaaS) providers should provide recovery for the platform itself, but any code, services or applications running on it, or data accessed by it, are the customer’s responsibility. Infrastructure-as-a-Service (IaaS) providers give access to infrastructure, but their customers need to configure and manage resilience, backup and disaster recovery of the services. While providers might make tools for this available, customers have to do the implementation, testing, operational management and maintenance themselves.
The bottom line is that a business’s data remains its responsibility, wherever it happens to reside, and the business should recognise this and act responsibly to secure its data.
Letting Managed Service Providers Take the Strain
And yet the task of putting robust security and disaster recovery systems in place and keeping one step ahead of the bad actors can be challenging if it is handled in-house, particularly for mid-sized organisations which can’t afford dedicated specialist staff for IT security, or to provide true 24/7 support for their operations. Attacks can come from many different directions, and aside from trying to keep on top of all of them, in-house tech teams are often tasked with a myriad of jobs including new application and service development, helpdesk provision, and systems updating. Patching and security management can come low down their agendas, backup processes can be piecemeal, fragmented and irregularly implemented, and disaster recovery planning can get de-prioritised.
This is where managed services providers come into their own. Instead of an organisation having to recruit, build and manage these capabilities in-house, a provider can deliver 24/7 cover and specialist capability to take care of infrastructure, platforms, applications and data, by sharing these expensive and scarce skills across multiple customers. Services available can include managing an organisation’s backup and recovery, plus maintaining and being responsible for IT service continuity management – which in lay terms is disaster recovery. Providers will offer skills across multiple platforms, and will help with an organisation’s public cloud strategy by providing advice, support and consultancy.
For mid-sized businesses, achieving in-house what a managed services provider can achieve often requires higher ongoing expense, not least because of the need to invest in expertise and staffing levels as well as buying technology services. As a risk management strategy the most data-intensive organisations might consider the investment worthwhile, but for many it will be a big ask. Managed services providers are often less expensive and, except for those organisations which truly prioritise and invest in the in-house option, more effective too.
When a board is prioritising the many risks in front of it, and weighing up the pros and cons of different approaches to mitigation, it would do well to linger on its consideration of risks associated with data security. It only takes one data breach for an organisation’s reputation to be damaged, one significant technology outage for cash flow to be interrupted, and one missed patch or security update to open the door for these to happen. Ensuring that cloud-based data is protected wherever it happens to reside at any particular moment is an increasingly important part of ensuring a business continues to thrive.