Commentary: Supply Chain System Security Starts in the Cloud
The May 2017 ‘WannaCry’ ransomware cyberattack swept 150 countries, crippling hospitals, paralyzing government entities, and completely halting businesses by exploiting vulnerabilities in outdated operating systems.
By infiltrating systems, locking down digital assets, and making all files and folders inaccessible, the attackers effectively shut down entire organizations. No fulfillment. No new client acquisition. No checking inventory. It’s a rattling reminder that as hacking and ransomware continue to become more prevalent, system security must be an organization’s top priority.
However, most CEOs don’t have a tech background. In fact, 43 percent of CEOs have a background in finance with the next largest percentage being general business management. Yet, a poll of Fortune 500 CEOs showed that 65 percent say that the "rapid pace of technological change" was the biggest challenge their company was facing. See the disconnect?
Let’s simplify things. Strong system security boils down to controlling two factors: access and ecosystem. Access refers to how easily someone can get into or hack a system, and the ecosystem is everything else, including native (operating systems), application, and human (lack of training, easy passwords, etc.) vulnerabilities.
One of the most important cybersecurity decisions for your enterprise is selecting an appropriate operating system. Although no operating system is immune to malware attacks, according to a report produced by F-Secure Labs, non-iOS operating systems account for 99 percent of all mobile malware. Why?
Systems like Windows and Android are more open to developers, but another reason is the way operating system updates are managed. Experts say Apple’s iOS distribution and upgrade model is better and leads to greater security. It’s not that other operating system updates aren’t as good as Apple’s; it’s that installing the updates is left to the user of each device, so many devices stay unpatched. This opens the door for WannaCry and other malware attacks like it, which brings up the next major point: organizations that try to do network security themselves often fail.
Organizations that do system security in-house will wither because they won’t have the proper prioritization, funding, expertise, and/or accountability; or because they focus so much on doing system security well that they lose market opportunities to competitors. Relying on anti-virus software is not enough today because it stops less than half of malware attacks.
According to Gartner analyst Dionisio Zumerle, most enterprises choose Apple devices and the iOS platform because they feel it is easier to secure their data. While this takes care of securing data on the device itself, it doesn’t address the issue of storing data outside of the device, which is achieved via on-site or cloud storage.
When choosing between on-site and cloud storage, there are four main reasons a cloud environment can be superior: better security expertise, better tools, focused resources, and cost effectiveness.
Better Security Expertise
Organizations put their data at risk when they trust it to an IT team whose primary expertise is network connectivity and hardware functionality. Cyber security is a whole different ball game. Yet it is common for an organization to hand system security to its IT team.
But not only is it less secure to leverage your IT staff in a “jack of all trades” approach, you’re also pulling them away from doing the thing they can be most successful at to help your company succeed.
It’s been proven time and again: Businesses often fail when they get out of their wheelhouse. If you are an electronics component distributor, becoming a system security expert will distract from your core business.
Even if your IT staff are cyber security experts, what tools are they being provided with to be successful? Are they familiar with developing and deploying complex security algorithms? Can they create and monitor geo-restrictions to authenticate logins and deploy self-healing global redundancies to avoid likely failures?
Keeping your data on-site also opens it up to physical vulnerabilities. What if a tornado or other natural disaster wipes out your servers? Sure, they could be backed up, but are those backups verified on a regular basis? Are they kept off site? How long would it take to rebuild your systems on site and resume business? Do you do regular mock disaster recovery failovers? If the answer to these questions isn’t a resounding “yes,” then game over.
According to the American Red Cross, “as many as 40 percent of small businesses do not reopen after a major disaster.” To avoid this, major cloud providers leverage sophisticated disaster recovery plans and a self-healing service fabric that allows business continuity plans to be implemented seamlessly. Cloud systems can be replicated and served in multiple locations around the globe, so if one site goes down, traffic is automatically routed to the next available one.
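The questions above (are backups verified, are they kept off site, are they recent enough to be useful) can be turned into an automated check rather than a periodic hope. The following is an added example, not code from the original commentary or from any provider it mentions; the backup manifest, the location names and the `onsite-` naming convention are constructed assumptions, and the three checks (content hash matches the recorded hash, backup age within a window, at least one copy outside the primary site) are the ones a practitioner would want running before a disaster rather than after.

```python
"""Backup verification: integrity, freshness and off-site copies.

Added example (not the article's code). The manifest below is constructed
sample data shaped like what a backup job would record for each set.
"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the backup content, used to confirm it is intact."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: three backup sets as a verification job might see them.
ORDERS_BLOB = b"orders-db dump (constructed sample)"
INVENTORY_BLOB = b"inventory snapshot (constructed sample)"

SAMPLE_BACKUPS = [
    {   # healthy: hash matches, taken today, replicated to a remote region
        "name": "orders-db",
        "data": ORDERS_BLOB,
        "claimed_sha256": sha256_hex(ORDERS_BLOB),
        "locations": ["onsite-nas", "region-eu-west"],
        "taken_at": datetime(2017, 5, 12, 2, 0, tzinfo=timezone.utc),
    },
    {   # stale and only on the primary site: a tornado takes it with the servers
        "name": "inventory",
        "data": INVENTORY_BLOB,
        "claimed_sha256": sha256_hex(INVENTORY_BLOB),
        "locations": ["onsite-nas"],
        "taken_at": datetime(2017, 5, 1, 2, 0, tzinfo=timezone.utc),
    },
    {   # fresh and off site, but the content no longer matches the recorded hash
        "name": "crm",
        "data": b"crm export (constructed sample)",
        "claimed_sha256": "0" * 64,
        "locations": ["onsite-nas", "region-us-east"],
        "taken_at": datetime(2017, 5, 12, 3, 0, tzinfo=timezone.utc),
    },
]

# Constructed "now" for the check so the example is reproducible offline.
CHECK_TIME = datetime(2017, 5, 12, 12, 0, tzinfo=timezone.utc)


def verify_backup(entry, now, max_age=timedelta(hours=24),
                  required_offsite=1, onsite_prefix="onsite-"):
    """Return a list of problems for one backup set; empty means it passes."""
    problems = []
    # 1. Integrity: recompute the hash instead of trusting the job's own log.
    if sha256_hex(entry["data"]) != entry["claimed_sha256"]:
        problems.append("integrity: stored hash does not match content")
    # 2. Freshness: a backup older than the allowed window is a recovery gap.
    if now - entry["taken_at"] > max_age:
        problems.append("freshness: backup older than %s" % max_age)
    # 3. Off-site copies: anything not on the primary site counts as off site.
    offsite = [loc for loc in entry["locations"] if not loc.startswith(onsite_prefix)]
    if len(offsite) < required_offsite:
        problems.append("off-site: only %d off-site copies" % len(offsite))
    return problems


def verify_all(backups, now=CHECK_TIME):
    """Map each backup set name to its list of problems."""
    return {b["name"]: verify_backup(b, now) for b in backups}


if __name__ == "__main__":
    for name, problems in verify_all(SAMPLE_BACKUPS).items():
        status = "OK" if not problems else "FAIL"
        print("%-12s %s" % (name, status))
        for p in problems:
            print("    - " + p)
```

Run it on a schedule and alert on any non-empty list; a mock failover exercise then has a known-good, recent, off-site copy to restore from instead of discovering the gap on the day.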
Anyone can use a shovel to dig a hole, but an expert with a tractor is a lot more efficient and effective.
Hackers have bots working 24/7 to develop even more effective bots. WannaCry was defeated and within two days another more effective variant was released that damaged even more enterprises—that’s what you call focused resources.
At most small-to-medium sized enterprises, an in-house security team may spend 1-2 hours a day doing system security checks, and that’s no match for attackers working around the clock. As a COO, I’d much rather have security entrusted to experts who focus on it all the time. I wouldn’t be able to provide enough bandwidth, because system security deserves undistracted attention. Handing it off means one less responsibility for me and lets me focus on things that help my business grow, rather than simply making sure a system attack doesn’t paralyze us.
What amount of in-house overhead are you willing to provide to keep up with the system security battle? It’s a question that doesn’t have an obvious answer. It’s not just purchasing a few servers and keeping them in an air-conditioned janitorial closet. The system needs holistic protection, both physical and digital. That infrastructure spend can be orders of magnitude larger than the cost of utilizing a major cloud provider.
In order to protect your enterprise system, you need expertise, advanced tools, and ongoing effort. Rarely does an organization have the resources to deploy all three effectively. As evidenced by the recent malware attacks, cutting corners can be disastrous. So, is it worth it? When it comes to protecting what’s important to your enterprise, don’t try to build your own.