In July this year, details belonging to 100 million customers of US banking giant Capital One fell into the hands of cyber attackers, and before long, fingers started pointing towards the channel.
After the bank suffered one of the largest data thefts to hit a financial services company, the blame fell not on Amazon Web Services (AWS), which hosted the cloud infrastructure on which the bank's data was held, but on the “external provider” that apparently let it happen.
Once again, concerns over cyber security in the cloud returned to the surface, raising the question of who ultimately bears the burden of responsibility in the event of an attack.
According to Tech Research Asia analyst Trevor Clarke, this responsibility is not necessarily the cloud provider's alone.
“Being able to protect the cloud is still a major challenge,” he said during a recent ARN Exchange. “There’s a perception that it’s the cloud provider’s responsibility. But it’s not and you should always read the small print in the terms and contracts.”
There is no doubt that safeguarding cloud environments is of critical importance for businesses, public institutions and channel partners alike.
As an example, the Capital One breach sent its shares down 5.9 per cent, and that’s just scratching the surface of the issue. High-profile attacks have hit the Federal Parliament and the Commonwealth Games in the last two years, and figures from the Office of the Australian Information Commissioner (OAIC) suggest the number of breaches isn’t falling.
In the last report, covering 1 April to 30 June this year, the OAIC recorded 245 Notifiable Data Breaches (NDB), the exact same number as 12 months before, year on year.
And customers are not the only ones at risk: “Every day there are really critical breaches coming through,” Clarke added. “And [partners] are the targets today: we have seen this supply chain attack on IT services and IT delivery.
“Executives can lose their jobs for these: they bear the liability for attacks, for the managed services, outsourcing and the projects [they’re] running.”
Yet although this heightened risk should compel partners and customers to ramp up their cyber defences, an unforeseen consequence of this is that organisation leaders are suffering what Clarke calls “cyber fatigue”. And as a result, they have become worryingly complacent towards cyber security -- cloud or otherwise.
“There is just so much noise out there,” he said. “There is all this stuff out there saying you’re going to be attacked by ransomware and too many things coming at you, so you’re just fatigued. Your eyes glaze over.
“We know that executives don’t always get it or understand their risk profile. Or they get it, but they don’t know what to invest.”
This complacency is backed up by the OAIC statistics, which highlight how 60 per cent of breaches this last quarter were caused by human error.
Yet this is of course where the channel plays best: educating and explaining to customers exactly where their IT investment is required. Within the realm of cloud security, however, this is challenging given Australia’s rapid progression into complex, multi- or hybrid cloud environments.
“In Australia, we have moved on from cloud-first,” Clarke said. “We’re adopting hybrid infrastructures and multi-cloud is everything. When you ask a customer what does hybrid IT mean when in fact there is no template for that. We have heterogeneous environments; we’re not just using the services of one person but of many and that makes things much more difficult. We still don’t know what’s in our environments for a lot of companies.”