Shifting key applications and data from on-premise servers to a cloud platform can deliver significant business benefits. However, it also changes the dynamics around ensuring they remain protected from cyber-criminal attacks.


The challenge was highlighted in the latest Notifiable Data Breaches Report from the Office of the Australian Information Commissioner. The report, which covers the period between January and June 2021, found malicious attacks remain the leading source of data breaches and accounted for 65 per cent of all reported incidents.

Finance is one of the highest reporting industry sectors, second only to healthcare, and accounted for 13 per cent of all breaches. According to the report, contact information remains the most common type of personal information involved in the incidents, while identity information and financial details are also in the top three.

As cloud adoption rises among financial and investment firms, it’s clear that traditional approaches to IT security, such as constructing a secure perimeter and using a firewall, are no longer sufficient. New strategies are needed to ensure personal and business data remains protected from attack.

Security and the cloud

Ensuring effective IT security is in place when cloud resources are being used can be challenging. It requires a mix of technical skills and an understanding of day-to-day business requirements.

These challenges have become particularly acute during the current virus-related disruptions. Finance and insurance firms have been forced to allow many staff to work from home, and this has boosted the need for secure remote access to both on-premise and cloud-based systems.

In many cases, communicating with clients is also proving challenging. With face-to-face meetings currently not possible, firms must instead rely on video communications platforms to take briefings and provide progress updates. These platforms are almost always cloud-based.

In order to achieve an effective level of security when making use of cloud resources, there are five key steps that should be followed. They are:

  1. Audit your IT environment
    Knowing what you have in place is a key first step. Carefully assessing your entire infrastructure, applications and data takes the guesswork out of the equation and strengthens overall security. Unfortunately, many finance and insurance firms don’t have a clear picture of their overall IT environment, and don’t know what applications they have and where those applications reside. Some may even think that applications are hosted within their environment when, in fact, they sit outside it.

  2. Revise back-up strategies
    In many IT environments, there is a massive security vulnerability when it comes to back-ups. For this reason, it’s important to review your back-up regime to ensure it is effective and covers all critical data. Determine how it will need to be changed when applications and data are on a cloud platform. Remember that, if services such as Office 365 are being used, that data also needs to be included in the back-up process.

  3. Evaluate existing IT security measures
    If data has been secure on-premise, it’s important to evaluate how secure it will be once it’s in another environment, be that a hybrid environment or the public cloud. Ensure there is a robust security framework and understand the cloud security posture. Develop visibility and management across the entire IT environment, including endpoints, access points and networks.

  4. Check your data
    Data is the lifeblood of any financial organisation, so undertake an inventory of all data and create a security plan. Determine how much data you have, where it is actually stored, and how it is being protected.

  5. Measure the cost
    A cost-versus-value discussion should always be top of mind, as financial firms need to know the true costs and benefits of cloud usage. Factors to review include performance, day-to-day running costs and management overheads. It’s important to continually monitor what’s going on and have a deep understanding of all elements involved. If this is not achieved, the full benefits of cloud usage are unlikely to be realised.

Embracing the cloud

A range of factors needs to be considered so that effective security can be maintained as use of cloud resources grows. One is having the total buy-in of the senior management team and the allocation of sufficient resources.

This is important to ensure that the required skills and tools can be sourced and put in place. All too often, security holes remain because not enough resources were allocated to the task. 

Another is having a clear picture of exactly where in the firm cloud resources are being used now, and how this will change over time. Security measures need to be flexible and able to keep up with shifting business requirements.

By taking the time to assess their security measures and how well those measures apply to cloud resources, financial firms can be confident they have the capability to withstand cyber attacks. In this way, the full business benefits of the cloud can be achieved while sensitive business and client data remains protected.

Craig Somerville, managing director and CEO, Somerville