When preventative measures do not stop an attack, the focus rightly shifts to recovery, Aden Axen, cloud services manager at Somerville writes.
Decision-making in cyber security is always a delicate balancing act. It’s about understanding all of the competing priorities and allocating funding based on risk and need.
For the past couple of years, growth in the use of cloud has outpaced investment both in securing these environments and being able to recover if cloud instances (and the data or applications they host) are compromised.
Recent research by PwC shows about 11 per cent of overall security spend by Australian organisations is being put behind “adopting a cloud-first technology strategy” over the next two years. The flipside of that is that about 90 per cent of security budgets isn’t apportioned to cloud-related security measures.
That is increasingly out of step with the importance and use of cloud in organisations.
Despite the frequency with which we see Australian organisations espousing cloud-first and cloud-only architectural strategies, according to PwC “49 per cent are just starting or planning their cloud security investments”.
That is supported by other research. For example, while 81 per cent of organisations “have increased their investment in business-critical SaaS applications”, a smaller proportion – 73 per cent – made a corresponding increase in their investment in security tools, and only 55 per cent increased spending on extra staff to secure these environments.
Another recent report finds cloud use is up “by more than 25 per cent” in the past two years, but that “a majority of organisations (55 per cent) report a weak security posture and believe they need to improve their underlying activities – such as gaining multi-cloud visibility, applying more consistent governance across accounts, or streamlining incident response and investigation – to achieve a stronger posture”.
Clearly, there is work to do to improve the maturity of security postures as they relate to the cloud.
Prevention isn’t a catch-all
Security posture is the combination of four key areas: detection, response, prevention and recovery.
Balance is often achieved through investments in people and technology, but what this balance should be can be hard to determine without specialist assistance.
For instance, we often field questions about whether money is best spent on security prevention or recovery.
Prevention often dominates security discussions. The first layer of prevention is tooling – setting up layered defences that are designed to detect and block potential threats, preferably before these even reach the cloud instance or user; applying security patches to business software promptly; and creating controls that prevent users from engaging in risky practices or inadvertently misconfiguring their cloud instances or cloud-hosted systems.
A second layer of prevention is staff themselves: as some threats may be able to bypass the preventative tooling and measures in place, staff need to be alert to potential threats and know how to respond to them appropriately. And so, a lot of the time, prevention is also presented as a matter of establishing and maintaining good cyber hygiene.
But even the best defence-in-depth architecture, cloud engineering guardrails and staff training programs will not make a business impenetrable or impervious to attacks.
Preventative tooling and staff are not always going to be able to catch all threats, particularly as threat actors target businesses with much more sophisticated and patient campaigns, playing a “long game” of small steps to establish a foothold and gain persistence, before escalating their attacks at a later stage.
When an attack bypasses preventative measures and controls, the priorities become more about incident response and business recovery. While the former is more of an issue for cyber security teams, the latter is a question that all staff, from the executive down, will pose.
When can the business “return to normal” and resume being productive?
Being able to answer that question and put a definitive timeframe on it is critical. This is why it is crucial to invest in appropriate recovery capabilities, in addition to preventative measures.
The drive to immutable backups
Organisations that are attacked often have trouble recovering from the incident. We see it all too often in the news, where the victims of ransomware attacks can suffer weeks of downtime while machines are cleaned and systems are reinstalled.
When it comes to cloud security, the ability to recover from a breach is often down to maturity. IBM statistics show that “organisations further along in their cloud modernisation strategy [are able to] contain a breach on average 77 days faster than those in the early stage of their modernisation journey”. Experience counts for something: organisations that have been in the cloud longer are simply better at security and recovery than more novice cloud adopters.
However, tooling and services that enable fast – even near-instantaneous – recovery of data and systems promise to level the playing field, enabling a greater proportion of organisations to revert to normal operations in instances where preventative and protective cyber security measures fail.
It is important that all organisations have this extra layer of security beyond prevention. Recovery technology, like immutable backups, allows organisations to proactively defend their data and protect files. Hardening copies of your sensitive data prevents a criminal or malware from modifying, deleting or encrypting them when preventative solutions fail.
With a recovery technology in place, organisations can revert digital files and devices to their pre-attack state and restore critical operations quickly enough to reduce the impact of the attack.
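As an added illustration of the immutable-backup idea described above (this is example configuration written for this page, not Somerville's own tooling or any product it sells), the following Terraform fragment for the AWS provider creates an S3 backup bucket where every object version is held under a write-once retention period. The bucket name, the 30-day retention period and the encryption choice are assumptions; the resource types and arguments are those of the standard AWS provider. The first, commented-out bucket shows the weak setting that many backup jobs default to: plain storage that a compromised credential can overwrite or delete.

```hcl
# Weak setting: a plain bucket. Anything with s3:PutObject/s3:DeleteObject
# on it (including ransomware running with a stolen backup credential)
# can overwrite or remove the only copy of the backups.
#
# resource "aws_s3_bucket" "backups_weak" {
#   bucket = "example-org-backups"   # assumed name
# }

# Corrected setting: versioning plus Object Lock in COMPLIANCE mode.
# Object Lock must be enabled at creation time; it cannot be added later.
resource "aws_s3_bucket" "backups" {
  bucket              = "example-org-backups-immutable" # assumed name
  object_lock_enabled = true
}

# Object Lock requires versioning, so an "overwrite" only creates a new
# version; the earlier, locked version remains restorable.
resource "aws_s3_bucket_versioning" "backups" {
  bucket = aws_s3_bucket.backups.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Default retention applied to every new object version.
# COMPLIANCE mode: no identity in the account, root included, can shorten
# the retention or delete the version until the 30 days (assumed) elapse.
resource "aws_s3_bucket_object_lock_configuration" "backups" {
  bucket = aws_s3_bucket.backups.id
  rule {
    default_retention {
      mode = "COMPLIANCE"
      days = 30
    }
  }
}

# Encrypt at rest with the S3-managed key (assumed choice; a customer-managed
# KMS key is the usual alternative).
resource "aws_s3_bucket_server_side_encryption_configuration" "backups" {
  bucket = aws_s3_bucket.backups.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Backups should never be reachable anonymously, whatever a later
# misconfiguration of bucket policies or ACLs might try to grant.
resource "aws_s3_bucket_public_access_block" "backups" {
  bucket                  = aws_s3_bucket.backups.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Two points worth checking when adopting a layout like this. First, the retention period is the recovery window: it must be longer than the time an attacker is likely to sit undetected (the “long game” described earlier), otherwise the clean versions may have aged out before anyone looks for them. Second, immutability only protects what is written; the identity the backup job runs under should be allowed to add new object versions and nothing more, and restores should be rehearsed so the “when can we return to normal?” question has a measured answer rather than an estimate.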
Aden Axen is the cloud services manager at Somerville.