SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Risky business: Avoid putting all your eggs in one basket
Tue, 23rd Apr 2019

Email is a key communication tool for businesses today, yet despite its importance, many businesses that transition to the cloud blindly rely on a single cloud service provider for day-to-day security, leaving them exposed to undue risk.

This contrasts with a few years ago, when businesses methodically backed up servers to avoid data loss from IT incidents caused by cyber attacks, human error, or service failures.

As more businesses move their email to cloud services such as Microsoft Office 365, organisations are not only putting all their eggs in one basket, they are putting all their eggs in the same basket as everyone else.

Recent research shows, however, that organisations globally have begun to introduce third-party solutions in addition to Office 365 to achieve cyber resilience.

The study found that nearly one-third of organisations plan to use third-party solutions in addition to what's available natively in Office 365.

In fact, 37% of the typical Office 365 budget in 2019 will be spent on a cheaper plan in conjunction with third-party security, archiving and other solutions.

More users mean more cyberattack opportunities

Email remains the most common attack vector for opportunistic cybercriminals.

Bad actors know they only need to infect one cloud-based email service user for a potentially large payoff.

Mimecast's State of Email Security report indicated that nearly a third of Australian organisations have seen business operations affected by ransomware.

The same research revealed 83% of organisations have been hit by an attack where malicious activity is due to infected email attachments or URLs.

Given that the average downtime Australian organisations experience following a ransomware attack is three days, the financial damage can add up quickly.

This is even without considering the intangible costs associated with being offline, such as the impact on customer relationships and business reputation.

Data protection doesn't always stack up

Data protection capabilities that are integrated into cloud services such as Office 365 have been designed to protect against data loss caused by its own infrastructure failing.

Therefore, it's important to recognise these email services don't necessarily offer protection against accidental deletion, data corruption, or malicious users.

Cloud email services can and do fail

Widespread and increasingly common outages experienced by major cloud email services have put a spotlight on the need for businesses to be prepared for any unplanned and planned outages.

Every business continuity strategy should at least have a secondary off-premises recovery data center, so that if anything happens to the primary site there is always a backup to reduce the impact of an outage.

Having email continuity as part of the strategy is equally important.

This will ensure that in the event of an outage, users have uninterrupted access to live and historic email and attachments.

Having constant email availability limits any downtime or complex duplication and ensures that business operations can continue regardless of the situation.

Layer up to avoid risk

To mitigate the cyber risks associated with cloud services, an effective cyber resilience strategy includes layered security protection, independent data storage and alternative access routes to key systems like email, for when the worst does occur.

With the inherent risks of single vendor reliance, there has never been a more important time for organisations to seriously consider implementing a cyber resilience strategy to avoid putting all their eggs in one basket.