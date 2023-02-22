Over the past few years, enterprises across Australia have moved more and more of their systems and applications to the cloud, with the trend only gathering pace with people increasingly working outside the traditional network perimeter, often at home and other locations. \n\nThroughout 2022, several large enterprises, including NAB, doubled-down on their cloud migration plans, while the vast majority of the CIO50 listed this among their top priorities. \n\nBut while the cloud provides more flexible and scalable IT services, it\u2019s also introducing new and vexing challenges around cyber security. In particular, many organisations are having to make significant cultural \u2013 in addition to technical \u2013 adjustments to deal with the fact that growing caches of potentially sensitive credentials are in the hands of more people.\n\nThe recent attacks on NFPs would seem to highlight many of the security risks being posed by the migration to the cloud. Typically fiscally restrained, their migrations are often more hurried and less considered, while they also tend to have fewer resources to train staff, many of whom are part time or volunteers.\n\nOur attendees reflected on the serious concerns raised about security since the earliest days of the cloud; concerns that were often dismissed as unfounded, and centred mainly around issues of data sovereignty.\n\nBut the security challenges apparent in the cloud today are quite different to what was imagined in the past.\n\nThere are several key questions organisations need to ask themselves today as part of their plans to ensure they\u2019re assuming a robust cyber security posture as the cloud becomes increasingly ubiquitous.\n\nGeorge Dragatsis, A\/NZ chief technology officer with Hitachi Vantara Australia says it\u2019s essential that CISOs, CIOs and others tech leaders contemplate these questions seriously.\n\n\u201cUltimately, whatever you did with respect to security on premise won\u2019t help you in the cloud\u201d.\n\nHe explains that there are two phases to getting security right in today\u2019s virtual, SaaS-based environment.\n\nThe first is the \u2018front end\u2019, with an emphasis on endpoint protection, identifying external threat factors and developing strategies to mitigate against them. And the second is all about guaranteeing 100 percent data availability, as well as high levels of resilience, for instance in the face of a ransomware attack, to ensure a quick and effective recovery.\n\n\u201cOrganisations need to ensure they\u2019re able to get back up and running in the unfortunate event of an attack. And they need to guarantee the \u2018immutability\u2019 of corporate business data,\u201d Dragatsis adds.\n\nBut according to Nathan Knight, managing director of Hitachi Vantara A\/NZ, while most tech leaders understand the importance of getting back up and running as soon as possible after a breach, many businesses lack a clear picture of what\u2019s actually occurred and the implications.\n\n\u201cVisibility into the impacts of breaches appears to be poor, with Medibank, for instance, still unable to tell customers what data has been lost\u201d.\n\nThe Medibank breach of November 2022, has been described as arguably the biggest in Australian corporate history, with more than 200 gigabytes of sensitive health data from almost 4 million Australians being ransomed under threat of publication on the Dark Web.\n\nIt\u2019s now widely accepted that the breach followed a simple theft of key credentials from an unwitting staff member; a situation that is becoming more common because of companies\u2019 increased reliance on the cloud.\n\nAnd while every cyber breach seems to trigger vigorous finger pointing, especially from the media, Knight stresses that cyber security is far from a perfect science, with the cloud making it even less so.\n\n\u201cMaybe we all need to accept that you can\u2019t keep everyone out, and that it\u2019s critical to focus on getting back up and running as quickly as possible\u201d.\n\nDarren Reid, director of VMWare\u2019s security business explains that the nature of cloud computing demands an approach to security that is \u201cintrinsic\u201d. \u201cSecurity must be built-in, rather than bolted-on\u201d.\n\nHe adds that as we\u2019ve modernised apps and moved to the cloud at speed, many organisations seem to have lost sight of the \u201ccontrols that we used to have\u201d.\n\n\u201cWe\u2019re accessing data via unsecured networks and all of that structure we used to have around us is basically gone\u201d.\n\nWhen trying to secure networks today, it\u2019s critical therefore to know the first point of entry. Figuring this out requires micro-segmentation and the correlation of end-point data.\n\n\u201cYou can limit to laptops, or segment networks. That\u2019s ok,\u201d Reid says. \u201cBut if an attacker is inside your apps, data is being exfiltrated and you\u2019re about to be ransomed\u201d.\n\nIncreasingly, tech and business leaders are being urged to work more closely together on cyber security these days, with the move to the cloud playing no small part in ramming home the message that everyone has their part to play.\n\n\u201cSecurity is not just a problem for security people anymore,\u201d stresses Reid. \u201cIt\u2019s team sport for everyone in the company.\u201d\n\nMeanwhile, as several of our delegates noted, not only are cyber attackers becoming more sophisticated and organised, we\u2019re now entering a new phase whereby they\u2019re operating more like entrepreneurs, taking more serious note of things like ROI, profit and loss, arguable strengthening their resolve to \u2018get results\u2019.\n\nHowever, Reid notes that despite the heightened risks, this there is a definite lack of skills more broadly across organisations, meaning CISOs, CIOs and other tech professionals with responsibility for cyber are \u201cgetting slammed\u201d.\n\nMoving forward, all attendees agreed that it\u2019s imperative cyber security is elevated in all discussions across organisations, starting with ensuring that everyone understands what a phishing email is.\n\nBusiness teams needs to be up to speed and vigilant. And when problems are reported, there needs to be a proper understanding of the context.\n\nFurther reiterating the importance of ensuring rapid recovery, Reid adds that nothing should be taken for granted when it comes to backups either.\n\n\u201cWhile people might say, oh we\u2019ve got a backup, the question needs to be asked, \u201care those backups \u2018immutable\u2019\u201d?.