Last week's simultaneous DDoS cyber-attack on major US websites, from Twitter to the New York Times, exposed a serious vulnerability for those with cloud-based Risk & Compliance solutions. It looks like some people may be cutting off the branch they are sitting on!
The regional areas affected by last week's cyber attack on the internet's infrastructure.
As I have written about many times, the primary reason for implementing risk and compliance solutions, from ERM to GRC, is for resilience, i.e. as a decision making tool for handling adverse events. But what use is it if the event itself makes your risk management system inoperable!
The real Cyber Risk
Without getting too technical, what happened in last week's cyber-attack is what is known as a distributed denial of service, or DDoS. Hackers used hundreds of thousands of previously infected personal "internet of things" (IoT) devices, such as web cameras, baby monitors and home routers, to flood not the major websites themselves but the internet traffic management servers on which they depend, thereby taking down the network. You can read more about it in the New York Times article "Hackers Used New Weapons to Disrupt Major Websites Across U.S.". Although publicity focused on name sites, any site relying on that network would have been taken down.
Gartner, the world's foremost authority on the subject, estimates that there will be 6.4 billion IoT devices by the end of 2016. With this number of potentially available resources in private, unsecured hands, similar future attacks are, like the odds of life on other planets, almost guaranteed. Whether for criminal ransom, commercial espionage, state-based economic cyber-warfare, or even just malicious student hackers, on the internet what is possible is likely. Undoubtedly, the IP addresses of hacked personal IoT devices, like credit card numbers, will be traded on the "dark net" for any or all of these parties to access.
To Cloud or not to Cloud
Accepting this as the new world order brings us back to the initial question: "Is cloud-based Risk Management worth the risk?" The simple answer, as with any commercial decision, is a matter of risk versus cost-benefit. If your business predominantly involves dealing with people on a personal level and does not require real-time internet access to operate, then yes: the cost-benefit of a cloud service for risk and compliance management provides a low-cost, high-value solution without a serious business risk resulting from a DDoS cyber-attack.
If, on the other hand, the operation of your business is reliant on the internet, e.g. e-commerce, equipment monitoring or situational awareness, and is therefore vulnerable to a significant denial of service, then NO, it is absolutely not worth the risk. Having your emergency management information and tools in the same basket is obviously an unwise strategy that WILL come back to haunt you. You wouldn't have your backup power supply coming from the power grid!
It is worth taking a minute to evaluate your objectives in any IT purchase rather than just following the lemming march that appears to characterise the current rush to cloud solutions. Even after the "mass production" innovation of 100 years ago, high-value products requiring low fault tolerance remained hand-made until the recent advent of commercial robotics. Even good technologies need to be fit for purpose.
Understanding “The China Syndrome”
To date, most arguments on whether or not to go cloud have been around the security and confidentiality of data and systems. As Jack Godell (Jack Lemmon) says in The China Syndrome, "that's not the problem", when arguing with nuclear power naysayers. If you go with a major hosting provider, avoiding backyard providers and software vendors hosting their own solutions, security of data in the cloud is not the issue. Data sovereignty issues aside, their security will most likely outrank all but the Dept of Defence.
But infrastructure, including power and telecom components, is the proverbial weak link. Lack of access, like lack of power, in a crisis condition renders you defenceless. Like all infrastructure issues, these have multiple points of failure, multiple levels of ownership and responsibility, and varying degrees of security. They are also subject to environmental and supply issues, as well as cyber-attacks anywhere between their source and your consumption.
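One concrete way to apply the "same basket" test from the last two sections is to model each service's upstream infrastructure as a dependency graph and ask which single failures would take down both day-to-day operations and the risk tool. The Python below is an added example, not Fast Track's code; the graph and every provider name in it are constructed placeholders.

```python
"""Shared upstream dependency ("same basket") check.

Added example, not Fast Track code. The dependency graph below is
constructed and every provider name is a placeholder.
"""

# Constructed graph: node -> nodes it directly depends on.
# Nodes with no entry (e.g. "grid-east") are leaves.
DEPENDS_ON = {
    "online-store":       ["dns-provider-a", "cloud-x", "carrier-1"],
    "risk-register-saas": ["dns-provider-a", "cloud-x", "carrier-1"],
    "onprem-risk-tool":   ["head-office-lan", "head-office-ups", "carrier-2"],
    "cloud-x":            ["carrier-1", "grid-east"],
    "dns-provider-a":     ["carrier-1", "carrier-2"],
    "carrier-1":          ["grid-east"],
    "head-office-lan":    ["head-office-ups"],
    "head-office-ups":    [],  # battery-backed; deliberately not on the grid
}
SERVICES = ["online-store", "risk-register-saas", "onprem-risk-tool"]


def upstream(graph, node):
    """Every node that `node` depends on, directly or transitively (DFS)."""
    seen, stack = set(), list(graph.get(node, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(graph.get(n, []))
    return seen


def common_mode_failures(graph, operations, risk_tool):
    """Upstream nodes shared by both services: a failure there takes both down."""
    return sorted(upstream(graph, operations) & upstream(graph, risk_tool))


def services_down(graph, services, failed):
    """Which of `services` would be lost if `failed` went down."""
    return sorted(s for s in services if failed in upstream(graph, s))


def rank_risk_tools(graph, operations, candidates):
    """Order candidate risk-tool deployments, fewest shared failures first."""
    return sorted(candidates, key=lambda c: len(common_mode_failures(graph, operations, c)))


if __name__ == "__main__":
    for tool in ("risk-register-saas", "onprem-risk-tool"):
        print(tool, "shares with online-store:", common_mode_failures(DEPENDS_ON, "online-store", tool))
    print("if dns-provider-a fails:", services_down(DEPENDS_ON, SERVICES, "dns-provider-a"))
```

Note that the on-premise tool still shares carrier-2 with the store, a dependency that only shows up transitively through the DNS provider; that is the kind of link the check is meant to surface.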
Mitigating your cyber risk
As stated earlier, for many the cloud can be the right decision and an effective solution, given appropriate due diligence on being fit for purpose. I'm not suggesting you throw the baby out with the bathwater. All I am advocating is that you look seriously at your real needs and consider whether it is really right for you.
If you feel a cloud solution is necessary, for any application, not just risk and compliance, then how can you minimise your internet infrastructure risk? Next week I will cover my top suggestions on mitigating your internet-hosted risk.
NOTE: Fast Track provides the same risk management software for both on-premise and cloud deployments. We don't have a vested interest in either platform.