“The cloud security posture of a lot of the companies out there scares me. Most people still aren’t taking today’s security risks seriously. Organisations don’t seem to fully grasp the implications and consequences of a breach, including the cost to remediate and the potential risk of brand reputational damage that comes from suffering a cyberattack.”Todd Elliott, General Manager at Satalyst, part of Canon Business Services ANZ
No industry is immune to concerns about cloud security capabilities. Our teams regularly talk to businesses across multiple verticals—from financial institutions to manufacturers, healthcare to retailers — and often, find that they have very little security (and very little security monitoring) in place.
It’s true that organisations are becoming increasingly aware of APRA requirements and the need to be compliant with their audits—and that’s driving some interest in cloud security capabilities. But even if you’re not APRA regulated, protecting your IP, your data, and your customers and their data should still be important priorities.
Ultimately, your motivation shouldn’t just be to pass an audit. It should be to secure your business and your customers’ information—regardless of your specific compliance responsibilities.
Plenty of factors contribute to weak security postures. Budget is one primary driver—too often, budget isn’t freed up for security initiatives until after an incident occurs.
But it’s also true that many organisations don't think that hard about why someone would want to steal their information. They don’t join up all the dots, but the truth is that it's a big problem for you, legally, if someone hacks you and that leads to identity fraud for your customers.
Desensitisation is another factor. Most organisations understand the potential blowback in reputational damage if a breach occurs. But too many people are getting burned out on security messaging, and they’re going numb to the issue until it happens to them.
Unfortunately, a lot of these companies aren’t getting an accurate picture of their true risk, since many cybersecurity incidents are resolved without fanfare or media attention. Data from the Australian Cyber Security Centre tells us that the number of cyberattacks is increasing, but many of these incidents are handled outside of the public eye.
For example, we’re aware of organisations that have been down and unable to do business for weeks or months at a time. Even though these attacks don’t always make the press, they still happen every day.
If the thought of being hobbled indefinitely by a successful cyberattack scares you—and it should—it’s time to start making a thoughtful plan for improving your cloud security capabilities. The good news is that it may not be as difficult (or as expensive) as you think.
In security, we often talk about this idea of needing to ‘throw a net over an organisation’ when it comes to security. And it’s true that you need to secure your company’s endpoints, your computers, your servers, and everything that’s attached to your network. But then you really need to be monitoring all of that—otherwise, you won’t know if someone’s trying to get in or if breaches have been stopped.
When deploying cloud security products, you need to be able to pull everything into a centralised management structure where you can get a view across your whole organisation’s security posture. Without this, you won’t really know where you're at—you won’t know if your security is working, if it’s current, or if all of your machines have been updated for critical vulnerabilities.
We often recommend Microsoft Sentinel for monitoring, because it can pull everything from the Microsoft E5 security space together to be monitored, including endpoint management through Intune and Defender for Endpoints around malware and strange behaviour.
It’s also important to guard against the accidental and deliberate removal of information by employees—it isn’t just external actors you need to be thinking about. Tools like Intune and Defender for Endpoints can also help you manage insider risk by gaining visibility into what employees are doing and preventing them from copying volumes of data to external devices.
As you’re exploring tools like Microsoft Sentinel, Intune, and Defender for Endpoints, you may find that it makes sense to reevaluate your licensing altogether. For instance, the Enterprise E5 SKU of Microsoft 365 contains just about everything companies need to secure their environments. But what we often find is that organisations will have a lower SKU, and then they'll have third-party products in place to fill the gaps.
“By the time we replace those third-party products—since they get the same features included in their E5 licence—it’s often cheaper for organisations. But more importantly, it's all cohesive, and it’s more secure.”Todd Elliott, General Manager at Satalyst, part of Canon Business Services ANZ
This is especially important in today’s competitive labour markets. Rather than needing to employ experts on popular third-party tools, organisations can just use the Microsoft stack. That way, the complexity of their staffing needs decreases, and they benefit from Microsoft’s massive, dedicated team that’s doing both prevention and response to threats across all of Azure.
Beyond licensing, most organisations need to shift their mindsets to the idea of zero trust. You have to be able to verify who’s accessing your environment, every single time someone tries—and you have to put the tools and processes in place to ensure this monitoring is done.
One good way to think about adopting a security mindset is to assume there's been a breach all the time. There are a lot of Microsoft tools that support that with things like privileged identity management. With that in place, if someone does breach and they try to escalate their privileges, they won't be able to do so without someone else in the company approving it.
That simple step alone can stop cyberattacks in real-time—and it all starts from assuming that the risk is real and occurring at all times.
By one estimate, conversation hacking attacks—a subset of social engineering attacks—grew nearly 270% in 2021. And it isn’t just large businesses that suffered. According to the same report, “an average employee of a small business with less than 100 employees would experience 350% more social engineering attacks than an employee of a larger enterprise.”
Higher social engineering attack rates mean that it’s critical to make staff aware that, if they see something strange, they need to do something about it. They can’t just ignore it or do what they normally do. In this day and age, if it doesn't seem right, it's probably not.
“As an example, I know of one company in particular that had roughly $400,000 AUD stolen—all because a fake invoice was submitted by a hacker, and it was approved and paid without question,” explains Elliott. “And yes, you can have a discussion ‘til the cows come home around the processes that should have been in place internally to prevent that kind of thing from happening, or about the technology that could have helped.
But the reality is that someone had been in their system and spoofed an email to accounts so that it looked like it was coming from someone else within the company saying, ‘This is good to pay. Can you please pay it?’ And they paid it without even checking. This kind of thing happens across the board in so many spaces, and it costs people money.”
It’s common to wish you didn’t have to worry about security. But companies no longer have that choice—you’re either going to have to spend money now on protective capabilities, or you’re going to have to spend money later when a breach occurs.
Today’s cybercriminals aren’t sitting around, targeting individual machines. They’re using tools that scan Internet addresses, looking for known vulnerabilities to exploit. When they find them, they don’t care if it’s a mom-and-pop shop or a bank—they’re going to go in and get what they can.
It’s comforting to think that this isn’t going to happen to you, but the impersonal nature of most cybercrime means that it is—unless you’re actively trying to prevent it.
If you’re ready to learn more about the options that exist for auditing your existing security posture—or for creating an immediate uplift in your cloud security capabilities—reach out to Canon Business Services today for more information.