“Personal data for 2 million people disclosed”
“Health information for 300,000 people disclosed”
These are typical headlines we will see in the years to come.
When incidents occur in which the data of millions of people is disclosed, we as private individuals also become extra attentive.
It confirms that the consequences extend beyond the companies responsible for managing the solutions. There are probably not many companies that do not have customers, users, and clients.
Is your business next in such a headline?
Statistically speaking, most cyberattacks have probably occurred in local data centers and not in the cloud, because the majority of IT services have been in traditional data centers.
Nevertheless, cyberattacks also occur in the cloud, and we will experience them more often. Not because the cloud is less secure, quite the opposite, but because cloud usage will increase and complexity will grow, combined with poor security expertise in the cloud.
Cloud services and security have been a topic of discussion for a long time. We are probably quite biased toward the view that cloud services are not secure enough.
And when data attacks occur in the cloud, it helps to substantiate the perception that the cloud is insecure.
The truth is that there are sufficient built-in security mechanisms that can provide good security if you use them correctly.
In those cases where there are security breaches in cloud services, it’s often due to incorrect configurations and human failure – because security is not put into a system and the mechanisms are not used correctly.
Planning is everything
Putting it in a system is first and foremost about having a strategy for why you use the cloud services and what they should accomplish. Then a risk analysis must be done to identify what is required to protect the business’s values.
When the strategy and analysis are in place, you should know which rules to apply. Then you have to establish systems that ensure that everyone follows these rules. This is also called cloud governance.
Too many people start at the wrong end and start building before this plan is in place.
IT has traditionally not been a business matter but something that the IT department has fixed “on the fly.” IT is perhaps one of the few areas where we are still starting to build or establish something without having a good plan or thinking through the consequences adequately first.
The traditional solutions in local data centers have often been subject to strict regimes, even though they are based mainly on manual tasks. But when we now have unlimited access to cloud services, where the business pushes rapid development with eager developers, we skip the previously established regime.
It’s natural, and not least it shows that cloud services give us greater opportunities to realize. But for that reason, you must establish rules for how it should happen.
It’s time to move on
The times when we work according to manual checklists or depend on human factors should be over, at least in the cloud. We now live in a world where we cannot risk losing value by relying on trust and manual tasks. It’s human to fail, and human failure happens all the time. But blaming it in 2022 only confirms that the competence is far from where it should be.
Why do so many still use the cloud ecosystems with access to millions of possible services without establishing proactive rules that control how to use them?
But instead of having a strategy, doing risk analysis, and establishing proactive rules that log and protect against most mistakes and damage, we build first.
When it’s too late
We would rather wait until the “house burns” before we understand that we should have had smoke alarms and insurance.
Or someone breaks in through a window of your home, and you realize that you should have kept your most significant valuables in a secure, locked safe.
Only when the damage has occurred and the case ends up on the CFO’s table do we understand the seriousness, but it’s often too late.
As with much else, most people recognize themselves in this. Most people know that the risk is there and that one should do something. But still, it is not a priority; it usually fits better “after the summer” or “after Christmas.”
Hackers do not procrastinate on their mission. Do you?