Your business is your responsibility

It is a natural assumption, albeit a dangerous one: if a tech giant is leasing its services to us so that we can get on with doing business while they look after the nuts and bolts, surely they already have cybersecurity on board?

They do – but it’s not quite as simple as that.

Public cloud providers, naturally, secure their networks, but dig into the contract and you will soon discover that responsibility for securing your data remains your responsibility – something that some businesses do not understand.

“I think it’s about education,” said Paul Delahunty, chief information security officer, Stryve.

Given Stryve delivers cybersecurity and cloud advisory services, Delahunty has, naturally, heard the term cloud used out there in the world of business with less precision than might be ideal, and this has an impact.

“We [all] use this term cloud, but cloud is many things: infrastructure as a service, platform as a service, software as a service,” he said.

When businesses have on-premise infrastructure, they are keenly aware that it has to be protected. With public cloud, however, it is often less clear, and the extent of your responsibilities can depend on the level of cloud abstraction.

“They [public cloud providers] make sure their infrastructure is secure, but the services that run on top of it, that responsibility is on you. If you have platform as a service, the operating system will be updated and so on, and even with software as a service, securing the data is still up to you,” said Delahunty.

Private cloud providers such as Stryve tend to hold their clients’ hand, however, offering a less commodified service. This is particularly useful as most businesses today lack the ability to manage security, especially in light of the global skills shortage in the area.

“If you have an IT department with the expertise, great, but the majority of businesses don’t have the expertise. There’s a real problem with resources out there. There are companies like us who specialise in this,” Delahunty said.

Moving beyond IT

In a way, the message is a straightforward one: if you’re trying to do something that isn’t your core business, get in someone to help.

Beyond that, however, Delahunty said that security should not be seen as an IT function in any case.

“Security isn’t an IT thing. Setting things up right, yes, that is. We live in a technical world and a digital economy. You can’t build a digital economy without cybersecurity,” he said.

Delahunty also said that the risk factors kept growing and shifting: for a start, internet of things (IoT) devices are proliferating, and beyond that, our working practices have changed and created new vectors for attack.

“By 2025, there will be 70 billion connected devices; right now, it’s 30 billion. That is already a problem,” he said.

“Zero trust, using multi-factor authentication, I do think that’s a step in the right direction [as] it’s all about closing that window of opportunity for the hackers. It’s a bit like the ESB high tension wire public awareness ads: ‘Are you sure it's safe?’ You just need to question everything and do nothing blindly,” he said.

‘Belt and braces’

The elephant in the room, of course, is the Covid pandemic and its attendant lockdowns, which drove a massive growth in remote work, often with an ad hoc approach to security. That was then, however, and there is no excuse for continuing to ignore security to this day.

“The [initial] Covid outbreak was over two years ago now. People have to have those things in place,” he said.

Some have, he said, but there is no such thing as perfect security.

“A lot of companies probably haven’t reached zero trust, but they have improved.

“It’s all belt-and-braces, it’s all about layers. The simple fact is that there’s no one silver bullet solution. Make yourself the harder target and the attacker will be more likely to move on to someone else.”