Cloud and GenAI. It had to happen.

Whiskers and kittens? Fish and chips? Ben and Jerry? Cloud and GenAI are set to become an inevitable pairing – and one you need to prepare for.

More cloud, more smarts

In its 2023 CIO and Technology Executive Survey, Gartner says the results indicate that over 62% of Australian CIOs expected to spend more on the cloud this year – but are they architecting their cloud platforms to prepare for GenAI?

“Local CIOs have told us the top two technologies they plan on investing in next year are SASE (secure access service edge) to simplify the delivery of critical network and security services via the cloud, and generative AI for its potential to improve innovation and efficiencies across the organization,” says Rowsell-Jones, Distinguished VP Analyst at Gartner.

According to Gartner, the investment in GenAI will continue to increase alongside the continued shift to digital in Australia over 2024. And Gartner anticipates that enterprises will primarily look to incorporate GenAI through their existing spend in the long term – via the software, hardware, and services already in use.

How will GenAI be served up to users?

GenAI thrives on data and compute power – and the more, the better. So, cloud is an obvious vehicle. However, training AI models, such as the LLM (large language model) that powers ChatGPT, requires access to massive amounts of data and vast amounts of compute power. And that poses a problem for organisations that are keen to drive value from GenAI but lack the computing resources to leverage the amazing but power-hungry technology.

This is where the first of Forbes’ (10) predictions for computing trends in 2024 comes in: Get ready for AI-as-a-Service.

Just when we needed yet another technology acronym, AIaaS pops into frame. It’s all good, though: By accessing AI-as-a-service through cloud platforms, even those lacking the necessary cloud infrastructure and compute power can leverage AI’s powerful, transformative technology.

While AIaaS is exciting, the subject of cloud cybersecurity and GenAI is more sobering. Forbes warns that “encryption, authentication and disaster recovery are three functions of cloud computing services that will be increasingly in demand as we face up to the evolving threat landscape of 2024.” With data thefts and breaches increasing in frequency and severity as hackers use AI to develop new forms of attack, all systems accessible to humans will be at risk from social engineering attacks, leaving security and resilience high on the agenda of all cloud providers and customers.

Which brings us to governance and readiness.

Governance and GenAI

In its must-do guide for GenAI governance, Phil Moyer, Google Cloud’s global vice-president for AI and Business Solutions, observed, “Today’s leaders are eager to adopt generative AI technologies and tools. Yet the next question after what to do with it remains, ‘How do you ensure risk management and governance with your AI models?’ In particular, using generative AI in a business setting can pose various risks around accuracy, privacy and security, regulatory compliance, and intellectual property infringement.”

And he makes a very good point. But it’s too early to look to the Australian government for prescriptive guidance just yet; there is currently no AI-specific regulatory framework in place. However, the good news is that we can expect the expanding risks to accelerate focused legislation. While Australia’s 8 Artificial Intelligence (AI) Ethics Principles are designed to ensure AI is safe, secure, and reliable, they are voluntary.

That said, the Australian Government is all in favour of AI adoption, pledging $41.2 million to ‘support the responsible deployment of AI’ in its 2023/2024 budget. This includes strengthening the Responsible AI Network and launching the Responsible AI Adopt Program to help SMEs adopt AI.

Governance internationally, though, has raced ahead. The proposed EU AI Act will be the world’s first comprehensive AI law – watch this space. In 2023, Australia joined the EU and 27 other countries in signing the Bletchley Declaration, an international commitment to ensuring that AI should be designed, developed, deployed, and used in a safe, human-centric, trustworthy, and responsible manner.

Ready, set, go – easier said than done?

How do you ensure you are ready for GenAI and your cloud infrastructure to play nice? It’s one thing to give GenAI the nod but another to successfully integrate it into your cloud architecture. Without a carefully defined and agreed-upon approach, you risk not only failed projects but also a compromised security framework.

  • Articulate and agree on use cases within your organisation for AI so you can determine what changes should be made to your IT landscape to best suit your needs.
  • Remember that GenAI is data-centric so ensure your data is clean, accessible, and compatible with cloud storage solutions.
  • Think ahead when it comes to security and privacy. It’s imperative to have a robust security architecture integrated at every step of the process.
  • Balance scalability with cost-efficiency to reap benefits, rather than drain finances.
  • Choose the right cloud infrastructure model for your use case.
  • Monitor, monitor, and monitor. Not only the performance of your AI models but also your cloud resource costs to ensure operational and architectural efficiency.
  • Be ethical, stay legal. If GenAI is making decisions impacting your users or creating content, then ethical considerations must drive design principles. While specific AI legislation is not (yet) in place, Australia’s Privacy Act covers some of the considerations, and amendments are due to follow.
  • Disaster recovery and resilience. High availability can be the difference between value and disaster. It’s critical that your provider/s can minimise downtime and data loss in case of system failures.

Your cloud infrastructure is critical to your ability to leverage GenAI’s transformative power. We don’t want you to be left behind.


The Modern CIO: Building bridges between business and customers.

Once upon a time, the CIO was an unappreciated and largely unknown hero; relegated to the back room and responsible for keeping the lights on without fanfare or recognition. Now, the role has matured to one which is central (and critical) to achieving business goals.

As well as being charged with the responsibilities that come with a seat at the boardroom table, today’s CIO is accountable for building a digital customer-first foundation that can easily evolve to meet changing demands.

How did Customer Experience (CX) become a CIO responsibility?

One of the most telling comments in Forrester’s “The CIO’s Role In The Growth Agenda” report is where they say: One CIO we spoke with told us, “It turns out, I actually own customer experience because I’m responsible for the systems that serve them.”

And with CX being increasingly reliant on technology, the choices the CIO makes now will underpin business growth. They’re important, and far-reaching.

Here’s why.

The case for exceptional CX being the norm, not the exception.

In Forbes’ article from late 2023, “Leading Digital Transformation: Why CIOs Should Keep CX Top Of Mind,” they observe that research has repeatedly shown that keeping customers happy and finding better ways to engage with them is not just crucial for survival but also key to thriving in a challenging economic climate.

Forbes also points to PwC’s Customer Loyalty Executive Survey 2023, where 87% of executives and 51% of consumers in the United States agreed that an online shopping experience can negatively impact loyalty if it’s not as easy or enjoyable as shopping in person.

What is apparent from this is that CX is critical to growth and loyalty (and profitability) across virtually every aspect of customer interactions – from websites to apps, support to fulfilment, to personalised omnichannel communications based on previous behaviour, preferences, and purchases. And key to this is your organisation’s ability to collect and meaningfully analyse masses of data – via technology.

Is there more to the CIO role than CX, though?

While important, CX isn’t the be-all and end-all – it’s a two-way bridge. Your technology environment needs to empower your internal stakeholders so they can derive deeper and more valuable insights into the market and make better decisions. From what to sell, when and how, and what next – impacting product development, sales, customer service, marketing, and growth strategies.

And of course, the better the technology, the more ownership and support by your tech teams.

So, circling back around to the original point of this article – today’s CIO plays a critical role in deciding and guiding the use of technology (from your systems of engagement, systems of insight, security, and infrastructure – nothing is exempt) and data.

The decisions you make should enhance how the business interacts with your customers, optimise its processes, and align your business strategies with the needs and high-flying CX expectations of your customers – while bringing joy to your stakeholders.

That given, let’s look at how you can ‘make it so.’

The four key strategies to drive a customer-centric tech approach.

1. Be customer aware

Make sure your business is where and what your customers expect it to be with the ability to interact with you how they want to.

While it’s not as simplistic as building it and they will automatically come, failing to build solutions that deliver the high-quality experience your customers expect (from web to mobile apps to self-help) is a sure-fire path to failure in a digital world.

2. Stand united

Your technology model should link your tech and business teams – from marketing, to sales, CX and product, and digital – together, not drive a ‘have/have-not’ wedge between them.

In Forrester’s “The CIO’s Role In The Growth Agenda” report, they say: “In our studies, respondents at enterprises with high levels of alignment across customer-facing functions report 2.4x higher revenue growth than those with some or no alignment. Those same aligned groups benefit from working with IT teams that are 3.7 times more likely to be highly or somewhat aligned with other functions.”

Also consider what new technologies like AI (artificial intelligence) and ML (machine learning) will bring to the table as part of your drive to improve your business operations and gain a competitive advantage. While you may prefer to develop custom models that work well with your current data sets, keep an eye out for records management application vendors who are incorporating AI directly into their products.

3. Discard complexity

Stop investing in old technology. Make now the time to move on from the cost and complications inherited with legacy systems to consolidate and build better customer-facing systems.

Reduce the complexity of your systems of records by ensuring you have a strong ability to retrieve data from your existing systems. This way you can be confident that you can access the data you need in the future – which is especially important if you are in a regulated industry.

For example, in the professional services sector, many organisations are switching to cloud-based records management systems to enable new business innovation, and as a result, are shutting down their old on-premise systems. Global Storage customers in this sector trust that their legacy data is secure and recoverable through our range of cloud services, which allows them to move forward and free up old capital and resources.

4. Invest in result

While it’s tempting to adopt one shiny, exciting new solution after another, step back and reconsider. The most important thing about technology is the result, not the way to achieve it.

Keeping this in mind will help you focus on what matters most to the business. For example, Global Storage offers an outcome-based service with strict SLAs that allows our customers to concentrate on innovation within the business. This saves them from getting bogged down in the essential but routine operational tasks and the effort and expense of keeping up with new technology and systems that ultimately add little value to the business.

In summary, building great bridges requires strong foundations – ones that are deep and true to support the weight of change and significant business growth.

Above all, the foundations you lay as CIO should enable fast and complete business recovery following a natural or maliciously contrived disaster.

Contact us to have an obligation-free chat.


Global Storage takes out Veeam VCSP Partner of the Year for ANZ

Veeam recently announced their ANZ Partner Awards to celebrate the success of their channel in 2022. Global Storage were delighted to accept the award for Veeam Cloud and Service Provider (VCSP) of the Year for Australia.

Laura Currie, Channel & Alliances Marketing Manager for ANZ commented on the award.

“Your commitment to ongoing growth and valuable insights into our products and programs have truly set you apart. Your dedication to our partnership and active engagement within the Veeam community have significantly contributed to our mutual success.”

Laura Currie

The partner awards celebrated 13 partners across ANZ for their achievement and activity with Veeam in the previous year.

“In the past year, Veeam has made great progress in helping its ANZ partners build their practices, in order to better serve their customers,” said Gary Mitchell, VP of ANZ at Veeam Software. Gary went on to say that “Veeam’s 100 per cent channel model firmly puts Veeam’s partners at the centre of the ecosystem and we are extremely proud to be working with them to provide customers with the resilience, availability, and business outcomes they need. We are thrilled to be able to celebrate their achievements at this year’s ANZ Partner Awards.”

This award reflects Global Storage’s ongoing commitment to delivering our innovative and secure Back Up and Disaster Recovery as a Service offering.

As a Platinum Veeam VCSP partner we invest in our people with 6 certified Veeam Technical Sales Professionals forming part of our team. With over two decades of data management experience the Global Storage team is uniquely qualified to help companies of all sizes realise agility, efficiency, and intelligent data management across diverse cloud environments.

Source: Veeam celebrates A/NZ channel — ARN (arnnet.com.au)


Written in partnership with Veeam.

Cloud: Simplifying an increasingly complex hybrid landscape with confidence

The challenges for today’s CISOs aren’t going away any time soon – especially when it comes to data management, protection and recovery in a multi-cloud or hybrid-cloud environment.

The complexities associated with cloud and tech environments were listed as a top 3 challenge in the Focus Networks Intel Report for the CIO & CISO Leaders Australia Summit 2023. And, according to ARN, cloud spending will top the list in 2024.

So, what does this mean for your organisation and its ability to manage your hybrid cloud environment?

Shouldn’t hybrid cloud be getting easier, not more complex?

You’d think the rush to hybrid cloud would be slowing down by now.

But, says Veeam, in its #1 Hybrid Cloud Backup Guide, hybrid cloud implementations are unlikely to go away. Whether by careful, strategic design or accidental evolution, 92% of businesses already have a hybrid or multi-cloud setup. Regardless of the route taken, hybrid cloud is today’s reality for most organisations.

Hybrid cloud, observes Veeam, no longer means a mix of on-premises and a (single) public cloud. These days, a hybrid environment is more likely to consist of specifically chosen platforms used to serve different purposes. For example, disaster recovery (DR), production, dev-test and more. Meaning there’s more to measure, manage, and protect.

So, it’s easy to see how, over time, the complexity of hybrid cloud – especially in terms of backing it up – has grown, not lessened.

Managing data protection and security is easy (said no one, ever)

As we adopt more modern platforms, the struggle to manage them and their dispersed, often locked-away data grows in the face of ever-evolving cyber threats. And legacy backup solutions won’t cut the mustard. They’re old news, high-risk, and only suitable for dangerously old and high-risk technology environments.

If you have a modern multi-cloud environment, it’s obvious you need to take a modern approach to protecting it. Even then, not all cloud backup solutions on offer are created equal. With the need to back up your physical and virtual machines (VMs), cloud-native infrastructure and platforms, SaaS, and Kubernetes – all of which benefit from purpose-built protection, it can be a big ask. While native backup tooling is available from both first- and third-party vendors, this multi-vendor approach can result in siloed management and often creates more challenges than it overcomes. At a time when the desire is to reduce costs and simplify management, it does the opposite.

Then, there are those public cloud vendors who lock your data into their platforms, meaning you need to compromise on performance, capabilities, and costs rather than embrace a move to a better, more suitable platform.

Multi-cloud and hybrid-cloud environments are now the norm, not the exception. So, the need for a single-pane-of-glass approach to data management, protection and recovery is more critical than ever before.

The lowdown on the future of cloud (and what it means for you)

First, let’s look at where cloud is heading. Because above all, as cloud evolves and transforms, you need to consider solutions that will go the distance.

In Forbes’ article on Cloud Computing In 2024: Unveiling Transformations And Opportunities, they open with this bold statement: “The dynamic realm of cloud computing is on the brink of remarkable transformations in 2024, as organizations and service providers brace themselves for an era characterized by innovation, challenges, and unprecedented opportunities.”

Sounds great, but what do they actually mean by this?

In its list of 11 key trends for 2024 – Forbes says the era of one-size-fits-all cloud solutions is on the way out and a more tailored and dynamic approach that combines public and private clouds is in. Hybrid and multi-cloud environments are set to become the new normal for organizations of all sizes – which comes as little surprise to most of us.

More importantly (in the context of this blog), Forbes says that with the shift to multi-cloud environments and serverless computing, IT departments will face novel challenges, including paying more attention to security. While specialised solutions that are designed to help simplify the inherently intricate nature of multi-cloud environments are emerging, Forbes cautions against tools that conceal complexity without genuinely streamlining or reducing it.

More positively, though, Forbes says that AI will optimise cloud management, in a transition from novelty to the norm and bring benefits, including streamlined overall cloud operations.

Another trend Forbes noted (one that’s far from new in a world strapped for skilled technology resources) is the challenge of bridging a skills gap as cloud adoption increases. Meaning solutions that reduce the need for specialised cloud-computing professionals will be welcomed with open arms.

So, where to from here?

Given the challenges, what’s important when considering a data protection, management, and security platform to support your ever-evolving hybrid-cloud environment?

  • Centralised management. Drive efficiency and reduce costs with a single view of all environments and just one toolset.
  • The ability to support everything. As hybrid environments grow in complexity, look for a solution that natively supports everything from SaaS to physical servers, Kubernetes, and more.
  • Own your own data. Eliminate data lock-in with a solution that allows you to move data freely across your infrastructure so it’s available where and when you need it.
  • Only use and pay for what you need. Choose a solution that allows you to cherry-pick the components you need without financial or licensing penalties.
  • A seamless experience. Protect, manage, and recover your hybrid cloud environment with a platform that delivers what it promises without downtime, data loss, or compromise.

Hybrid cloud offers benefits and challenges in equal measure – something we deal with daily. Reach out to Global Storage for an obligation-free chat about how we can help you simplify the complex.


Written in partnership with Veeam.

The new NIST list – what you need to know 

How time flies. It’s already been almost 10 years since the NIST (National Institute of Standards and Technology) Cybersecurity Framework was first rolled out to provide technical guidance for those responsible for critical infrastructure interests, including energy, banking, and public health.

By early November, we can expect to see a sixth function officially added to the famous five functions of an effective cybersecurity program – namely: Identify, protect, detect, respond, and recover. 

And we’re glad to say that the final function is ‘govern’. 

It’s expected that the addition of the sixth function will expand the usefulness of the NIST framework to all those sectors outside of critical infrastructure and provide guidance to support their overall cybersecurity strategies.  

Celebrating the new NIST framework 

So, why does NIST 2.0 make us quietly happy? Possibly because it’s something we’ve taken to heart. 

From the Global Storage perspective, governance has long been the missing piece in the cybersecurity puzzle. Having gone through the intensive processes of earning ISO 27001 certification several years ago, it’s good to see NIST catching up with the technology partners (like us) who adopted ‘govern’ as a central premise to support and protect their customers more effectively. 

And the Australian Government obviously agrees. Its current principles of cybersecurity governance are grouped into four key activities: govern, protect, detect and respond.

  • Govern: Identifying and managing security risks.
  • Protect: Implementing controls to reduce security risks.
  • Detect: Detecting and understanding cyber security events to identify cyber security incidents.
  • Respond: Responding to and recovering from cyber security incidents.

In its discussion paper, “Strengthening Australia’s cybersecurity regulations and incentives,” the government is actively seeking views about how it can incentivise businesses to invest in cybersecurity, including through possible regulatory changes. The first of the proposed new policies up for discussion is governance standards for large businesses. Suggested governance approaches include alignment with international standards and frameworks (like ISO 27001 and NIST).

Governance (and the associated reporting) is clearly a timely new focus for those non-critical infrastructure Australian businesses that haven’t yet fully developed a robust and all-encompassing cybersecurity plan. ASIC has started to actively fine businesses that fail to take remedial action after breaches – and they are unlikely to accept excuses based on size and lack of capability from the SMB sector.  

It’s been interesting for us to watch some of our larger customers, who previously aligned themselves with the ASD Essential Eight, now realigning themselves with NIST due to its depth, breadth and maturity. And we expect the addition of the ‘govern’ function to cement that move even more firmly. 

Catching the curve ball 

While we’d like to say we were ahead of the curve in becoming ISO 27001 certified, the reality is that many technology partners saw the writing on the wall. We could see that “govern” would be recognised as an important function over and above the five technical, control-based standards championed by NIST up until now – and that our commitment to going further should be sooner rather than later.

What Global Storage’s ISO accreditation (and statement of applicability) means for our customers is that we keep the necessary governance records for them. So, if they are audited or even prosecuted, we can prove that the principles and controls of ‘govern’ were fully followed. In effect, they can leverage our external certification against their compliance requirements, making it easier for them to do business with confidence. And in turn, we leverage the certifications of our own ISO-accredited service providers.  

While committing to ISO 27001 five years ago was a market differentiator, it’s now a prerequisite for most partners like us. Now, from a sales perspective, it accelerates the conversations and removes roadblocks. Whereas ‘before’, our customers had no dedicated security resources, today’s organisations typically have multiple internal staff whose primary responsibility is security. But they are the lucky ones. With the huge global deficit in cybersecurity resources, they’re often lucky to be able to afford to hire and retain the people needed. All of which makes it even more important that a partner can offer the certified support needed.  

New framework, new challenges 

But going back to a cybersecurity framework that includes ‘govern’, for those already in a regulated industry (for example, health and banking), it shouldn’t pose too much of a problem – they are used to the requirement of being audited.  

In the case of non-regulated and often less mature industries, though, it will pose a challenge despite growing customer demand that they level up. For these organisations in particular, having a service provider that’s already got all those ‘govern’ boxes ready-ticked will alleviate the time, pain, and distraction of completing additional paperwork. 

As I’ve said, we’ve made a significant investment in ISO 27001, and that accreditation requires us to achieve and maintain precise standards and undergo a yearly external audit. It’s also shaped the way we run our business. We can’t afford mistakes; we put our reputation on the line daily. These days, saying “oops, sorry, my bad” isn’t good enough for us or our customers (and in our books, it never has been) – meaning we’re very prescriptive about how we run our cybersecurity functions and services.  

Feel good about the company you keep 

Like practically every company in the world, we’ve had cybercriminals trying to attack us – but every attempt has been detected, contained, and dealt with in keeping with our governance system. We’ve never had a breach. 

With NIST soon to be updated and the Australian Government looking likely to enforce governance for all organisations regardless of size, it’s critical these businesses can turn to a trusted service provider who has been there, done that – and actually lives and breathes the concept of “govern”. Only by doing that can they quickly and directly move forward and comply while reducing risk. 

Service partners like Global Storage are no longer just the clean-up crew when something goes wrong. We’re not just the people you lean on for (exceptional) backup and recovery as a service and disaster recovery as a service to provide 24/7 protection, but also for the in-depth reporting needed to keep you compliant, auditable, and accountable for everything cybersecurity.

So, when your performance and strategy are held up against NIST standards, ISO standards, or government governance regulations, you can be confident that you, too, are ahead of the cybercrime curve ball.  


When it comes to cybercrime, you are not a unicorn.

At the risk of sounding like a broken record, cybercrime is only getting worse. And no matter how ‘special’ and ‘unique’ you are, you are unlikely to remain unscathed.

Ransomware is now the rule, not the exception

In Veeam’s 2022 Ransomware Trends Report, they summarised the learnings gained by interviewing 1,000 organisations that had all experienced ransomware attacks. So, not those living in fear of an attack, but those who had been through one and came out the other side in varying degrees of health. The researchers talked to security professionals, IT operations, backup administrators and CISOs (or equivalent IT executives).

Veeam’s ransomware report dovetails with their 2022 Data Protection Trends report, where 76% of the 3,393 organisations surveyed had suffered at least one ransomware attack, and 24% had avoided or were totally unaware that they’d been attacked. As with the ransomware report mentioned above, the criterion for being included in this research was that each organisation must have experienced at least one attack in 2021.

Between these two pieces of research, two important trends were uncovered:

  1. Cybercriminals were double dipping. To quote Veeam: “Only about one in four (27%) organizations suffered just one attack, presumably with bad actors attempting to return for more ransom.”
  2. No unicorn is safe. Again, to quote Veeam: “Organizations of all sizes appear relatively equal in the persistence of attacks from small-to-medium-sized businesses (SMBs) (100–249 employees) to large enterprises (>5,000 employees). Said another way, just like any other disaster (fire/flood), ransomware attacks are universally pervasive.”
    Veeam also noted that ransomware survey respondents reported that an average of 47% of their data was encrypted by ransomware.

As a result of this research, one of Veeam’s primary conclusions was that “the best way to reduce the risk of a cyberattack like ransomware is to have a comprehensive and tested disaster response plan.”

Move your mouse away from that!

Despite our increased awareness and training, humans remain the greatest point of failure when it comes to inviting cyberattacks into our businesses. Phishing emails, malicious links and websites are still the most common point of entry for criminals.

One positive observation made by Veeam was that only 1% of their respondents reported they could not identify the entry point. In other words, 99% of the time, the monitoring and investigation tools they used pinpointed their vulnerabilities – human and otherwise – so they could be addressed.

Once a bad actor has gained entry into your environment, Veeam says that 94% of the time, your backup repositories are their primary target. And that 68% of repositories are impacted as a result.

Veeam adds:

“Specific production platform or application types were targeted in 80% of successful ransomware attacks, presumably based on known vulnerabilities within common platform types, such as mainstream hypervisors and operating systems or wide-spread workloads like NAS filers or database servers.”

We get it: Protecting your data isn’t simple

Organisational data is often spread across multiple clouds and systems, as well as geographies and locations, which only adds to the challenge of ensuring your data is not only available and scalable – but also protected.

Faced with today’s cyber challenges (and new threats looming as AI becomes part of the baddies’ arsenal), your ability to be cyber resilient and recover to a business-as-usual state as quickly as possible is more critical than ever. No one can count on being the fairy-tale exception to the rule when it comes to ransomware attacks.

To rehash that well-worn saying: It’s not a matter of if your unicorn breaks its horn, but when.

According to Veeam’s 2023 Data Protection Trends report, “…many legacy IT environments are running legacy backup solutions that were designed for the physical data center era. This specifically hinders an enterprise’s ability to focus on cloud-based SaaS and IaaS, which puts your data at risk of data breach and can lead to unoptimized large-scale data management.”

Interestingly, Veeam reports that 52% of those organisations with encrypted data paid the ransom demand (mainly with the help of their cyber insurance policies) and successfully recovered it. As for the rest? 25% paid up but didn’t recover their data. The remainder undertook remediation to recover their data successfully, but this took an average of 18 days, which is a long time to be out of the business-as-usual loop.

It’s time to join the rest of the herd

While cybercrime is pervasive and seemingly unavoidable, it doesn’t absolve your business from taking its share of responsibility from a legal, commercial, and ethical standpoint.

It’s hard (and for some, impossible) to recover from a massive fine, from the sense of betrayal your customers experience when their data is sold off to the highest bidder, or from your employees being unable to work as every line-of-business application freezes for days, weeks, and even months.

And yet, knowing this, only one out of every six organisations tests whether its backup solution works by restoring and verifying its data. So, when a ransomware attack hits, most businesses are still winging it on whether their backups actually work.

Unicorn or not, the only certainty in life for today’s businesses is the importance of weathering that inevitable cyber storm. And that includes ensuring you have:

  1. Reliable, innovative, industrial-strength cybersecurity solutions
  2. A well-understood, committed and tested cyber resiliency strategy

Feel free to talk to us if you’re unsure about either. We’ll even throw in some love and rainbows.


Written in partnership with Veeam.

Zero trust given. And why that’s a good thing for hybrid cloud environments. 

While it makes perfect sense to push your workloads to the public cloud, especially if they can be moved into SaaS environments, this doesn’t work for all legacy workloads. This is why we continue to see – and advocate – hybrid cloud environments.  

For many organisations juggling workloads is not a matter of taking a cloud-first approach but opting for cloud-fit instead. This involves finding the ideal cloud environment for each workload. One that’s cost-effective and ticks all the security boxes.  

But this is when it gets tricky. If you’re taking a cloud-fit approach, how do you ensure cyber resiliency across all your platforms? And what happens when your data is moving between those platforms? 

Data breach statistics aren’t getting any prettier, with a 26% increase in notifiable data breaches to OAIC in the latter half of 2022. Which is where zero trust comes to the fore.  

But first, let’s back up a bit – what is zero trust, why is it the hot new approach, and how do you get some? 

Trust no one, question everything 

Two of the best cybersecurity rules to live by are: 1. Trust no one. 2. Question everything. And those rules, in a nutshell, are the key to zero trust.  

Zero trust takes distrusting and questioning your users to a whole new level – but this is a good thing. Regardless of whether they’re inside or outside of your network, users are subjected to authentication, authorisation, and continuous validation for security configuration and posture. Only when they pass these conditions with flying colours are they a) granted access or b) allowed to have continued access to your applications and precious data.

Importantly to those who have gone the cloud-fit route, zero trust assumes that there is no traditional network edge. So, networks can be local, in the cloud, or a combination or hybrid with resources anywhere, as well as users in any location. Regarded as ‘perimeterless security’ (just think of networks without borders!), the zero-trust security model is also known as zero trust architecture (ZTA), zero trust network architecture or zero trust network access (ZTNA). 

And while it’s so hot right now, zero-trust isn’t actually new. (You might like to check out this excellent article on the history of zero-trust here on TechTarget.) However, it is the way to go.  

In a 2022 Forrester Opportunity Snapshot, the renowned researcher reports that 83% of Australian and New Zealand firms say zero trust is the future of their organisation’s security. And in tech news publisher VentureBeat’s article on zero-trust trends for 2022, they include zero-trust becoming the foundation of more hybrid cloud integrations as one of the big four trends to watch out for.  

So, how and where do you get started? 

It’s all about leadership 

It’s important to remember that zero trust is a philosophy, not a product. And like most philosophies, it can take some effort to get everyone on the same page.
  
To quote John Engates, Field CTO for Cloudflare:

“To get zero trust across the finish line, some companies may appoint a zero trust officer. Showing leadership, demonstrating how important it is to the organisation, putting someone in charge of getting to a zero trust stance is really critical. No matter how you demonstrate that to your stakeholders, it’s really critical for someone to stand up and say, ‘We’ve got to do better at this; we have to do it comprehensively across the entire organisation. And we have to do it soon because the threats aren’t getting easier to deal with.’”

In their Opportunity Snapshot, Forrester agrees, saying it’s critical to “be a leader and communicator, not a technician.” They report that 48% of zero trust leaders in Australia and New Zealand said “their stakeholders struggled to understand the business value of adopting a Zero Trust approach. Only 41% listened and understood stakeholders’ criticism or feedback, then worked through their issues with the Zero Trust team, and returned with a solution.” Forrester concludes that this poses a challenge as zero trust leaders thought the most important trait in their role was to be technical (52%), compared to being communicative (13%). 

Despite the challenges, Forrester says that these same zero trust firms reported a more empowered employee experience: 74% reported more flexibility to work from anywhere or on any network, 61% were relieved of the burden of security responsibility through password-free authentication, and 27% enjoyed an increased choice to work with any device or programme.

So, where to start? 

Engates from Cloudflare is a fan of making the zero trust goal manageable by attacking it in bite-sized chunks. He says that the important thing is to “get started and get moving.” And we agree.  

To help you address the challenges created by the shift to cloud hosting, remote work, and other modernisation, Zerotrustroadmap.org provides an excellent step-by-step vendor-agnostic roadmap, complete with an implementation timeline.   

Or you’re welcome to just talk to us.  


In partnership with Cloudflare, a global leader in zero trust services.  

Cyber resiliency in a multi-cloud environment – how hard can it be?

When data security is ranked as the leading challenge facing organisations that access and maintain data in cloud environments (above cost, complexity and lack of expertise), you know there’s an issue.

It’s one thing to rely on the standard backup and recovery tools available from a public cloud service provider (CSP), but what happens when most Australian organisations use three public CSPs on average? How do you juggle using three sets of tools effectively?

In truth, we believe you can’t – and you shouldn’t. Not if you value your business, and your data.

Why aren’t public CSP in-built tools enough to ensure cyber resilience?

While turning to a CSP’s in-built tools may appear to be a logical and cost-effective decision, they tend to offer only a basic level of coverage against the global flood of cyber-attacks, data theft and application outages. In addition, CSP backup and recovery offerings cannot scale, fully protect, or provide you with a unified view of your data across all your cloud environments.

With cyber resilience the new business imperative, it’s not a matter of safety in numbers. Having three times the tools doesn’t equate to three times the protection. Taking a fragmented approach to protecting your multi-cloud environment increases the opportunity for gaps to form in your security, backup and recovery efforts. As a consequence, organisational and reputational risk goes up – not down.

More frequent use of CSP tools is also associated with more operational downtime related to outages, application failures, human error, and even natural disasters. Despite 53% of Australian organisations agreeing that relying solely on CSP backup and recovery tools puts their organisation at risk, 55% use CSP tools all the time.

The only way to confidently mitigate the impact of costly assaults on your multi-cloud environment is through third-party protection.

When it comes to CSP responsibility, you likely don’t know what you don’t know

Perception is a wonderful thing. But unfortunately, while you’d imagine that your CSP is responsible for protecting your data, that’s not the case.

Digging into the fine print of your end-user licensing agreement usually unearths that the CSP is only responsible for protecting the infrastructure, and that you are entirely responsible for protecting your data and workloads in that cloud environment. So, the offer of standard backup and recovery tools doesn’t even begin to cover your back – and your data – in case of a cyberattack. Times three.

Even using Microsoft or Office 365 doesn’t guarantee that your data is backed up in the cloud. Office 365 takes a shared responsibility approach. While they may store it, it’s your responsibility to control and protect it.

In our recent paper (2022 Research Report on Securing Your Enterprise in a Multi-Cloud Environment), we identified that 96% of Australian organisations didn’t realise who was responsible for what.

This brings us to the big question…

How can you be cyber resilient if you don’t have a handle on your cloud environments?

When you follow best practices for backup, data protection and disaster recovery, you are more cyber resilient. Best practice includes having a “3-2-1” backup strategy – one primary backup and two additional copies of your data, using at least two different storage mediums, with at least one copy offsite.

Backup timing is also critical – and this depends on what you’ve identified as your RPO (recovery point objective). For example, if you’re only taking data snapshots every 12 hours, can you afford to be without that data from 11hrs 45mins ago? Mission-critical data that hasn’t been backed up for more than 12 hours is more likely to be permanently lost in case of a ransomware attack or server failure. Yet, only 10% of Australian organisations are committed to continuous data backup, while 45% back up their data less frequently than every 12 hours.

While that ‘may’ work for some businesses, it certainly doesn’t for others. A case in point is law practice Colin, Biggers & Paisley, who says, “Losing even an hour of productive time costs a firm a great deal, and legal work never stops. It’s around the clock.”

Colin, Biggers & Paisley are just one of many Australian organisations that opt for solutions like Veritas NetBackup to ensure they are actively cyber resilient across single or multi-cloud environments. Such is the reliability of their Veritas backup and disaster recovery system that Colin, Biggers & Paisley proudly present the results of their twice-yearly data backup and DR audits to potential clients as a benefit of engaging with them.
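The 3-2-1 rule and the RPO check described in this section can be tested against a backup inventory. The following Python is an added example, not code from this article or from any vendor's tooling; the inventory is constructed sample data, and the field names and the separate offsite-age check are assumptions of the example.

```python
"""Audit a backup inventory against the 3-2-1 rule and an RPO."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    workload: str        # system the copy protects
    medium: str          # storage medium, e.g. "disk", "object", "tape"
    offsite: bool        # True if held away from the primary site
    completed: datetime  # when the last successful backup to this copy finished


def hours(delta):
    """Format a timedelta as hours with one decimal place."""
    return f"{delta.total_seconds() / 3600:.1f}"


def audit(copies, rpo, now):
    """Return {workload: [findings]}; an empty list means every check passed."""
    by_workload = {}
    for copy in copies:
        by_workload.setdefault(copy.workload, []).append(copy)

    report = {}
    for name, group in sorted(by_workload.items()):
        findings = []
        # "3": one primary backup plus two additional copies.
        if len(group) < 3:
            findings.append(f"only {len(group)} copies, need 3")
        # "2": at least two different storage mediums.
        media = {copy.medium for copy in group}
        if len(media) < 2:
            findings.append(f"single medium ({', '.join(sorted(media))}), need 2")
        # "1": at least one copy offsite.
        offsite = [copy for copy in group if copy.offsite]
        if not offsite:
            findings.append("no offsite copy")
        # RPO: anything written after the newest successful copy would be lost.
        exposure = now - max(copy.completed for copy in group)
        if exposure > rpo:
            findings.append(f"newest copy is {hours(exposure)}h old, RPO is {hours(rpo)}h")
        # Assumption of this example: if onsite repositories are lost together
        # with production, the recovery point is the newest offsite copy.
        if offsite:
            off_exposure = now - max(copy.completed for copy in offsite)
            if off_exposure > rpo:
                findings.append(
                    f"newest offsite copy is {hours(off_exposure)}h old, RPO is {hours(rpo)}h"
                )
        report[name] = findings
    return report


# Constructed sample data: three workloads audited at a fixed point in time.
NOW = datetime(2024, 1, 10, 12, 0)
RPO = timedelta(hours=12)
SAMPLE_INVENTORY = [
    BackupCopy("crm-db", "disk", False, datetime(2024, 1, 10, 6, 0)),
    BackupCopy("crm-db", "object", True, datetime(2024, 1, 10, 0, 15)),
    BackupCopy("crm-db", "tape", True, datetime(2024, 1, 7, 2, 0)),
    BackupCopy("file-share", "disk", False, datetime(2024, 1, 9, 20, 0)),
    BackupCopy("file-share", "disk", False, datetime(2024, 1, 9, 8, 0)),
    BackupCopy("mail", "disk", False, datetime(2024, 1, 10, 10, 0)),
    BackupCopy("mail", "disk", False, datetime(2024, 1, 10, 10, 0)),
    BackupCopy("mail", "tape", True, datetime(2024, 1, 8, 12, 0)),
]

if __name__ == "__main__":
    for workload, findings in audit(SAMPLE_INVENTORY, RPO, NOW).items():
        print(workload, "OK" if not findings else findings)
```

The `mail` workload passes all three 3-2-1 counts yet still fails, because its only offsite copy is far older than the RPO; a count-only check would miss that.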


In partnership with

Is cyber resilience the new conversation starter?

While the phrase ‘may you live in interesting times’ is widely regarded as an ancient Chinese curse, it was, in fact, said in 1939 by the American politician Frederic R. Coudert.

But, given the last few years, we all appreciate the sentiment regardless of where it originated.

The curse of cybercrime

Yes, these are interesting – and challenging – times. And as discussed in the latest (July 2021-June 2022) ACSC Annual Cyber Threat Report, it’s been an increasingly steep learning curve for many individuals, businesses and public and private sector organisations.

Australia is far from alone in being subjected to an unrelenting barrage of cyber-attacks, but obviously, it’s very close to home for us. And Victoria and Queensland, in particular, have reported disproportionately higher cybercrime rates relative to population size.

In the period covered by the report, ACSC responded to over 1,100 cybersecurity incidents. The sharp-eyed may spot that this is a 36% decrease in reported incidents over the previous year. However, ACSC suggests that the growth of Australia’s commercial incident response sector means that incidents they may have previously responded to are now being handled internally or by contracted incident response teams.

The cost of cybercrime

According to ACSC, the average cost to cybercrime-impacted Australian businesses is significant:

  • For a small business with 1-20 employees, the average cost of an attack is $39,555
  • For a medium business with 20-199 employees, expect to lose $88,407
  • And those large businesses, with 200+ employees, should anticipate writing off $62,233

Yet, considering the significant damage that stolen data can cause, it’s surprisingly cheap to acquire if you’re on the dark side. Visual Capitalist recently shared a price list for dark web data.

While passports remain a high-end investment (US$3800), an NSW Driver’s License can be had for US$150, and an Australian credit card, complete with CVV, is a mere snip at US$23.

As Brad, in the cult classic movie The Rocky Horror Picture Show, observed: “Life’s pretty cheap to that type.”

The hot cybercrime critical infrastructure sectors

ACSC says that 75% of all reported cybersecurity incidents in the 2021-2022 financial year were from the top 10 reporting sectors. Probably to their great relief, the retail sector is no longer part of that top 10, having been ousted by the electricity, gas, water and waste service sector.

The top three sectors under attack are the Commonwealth Government, which reported 24% of all incidents, followed by State/Territory/Local Government with 10% (although it must be noted that government sectors do have additional and more rigorous reporting obligations), and Health Care and Social Assistance at 9%.

The remaining seven top 10 sectors range from telecommunications to education, construction to manufacturing, and financial services to electricity, gas, water and waste services.

This ‘hot’ top 10 list makes the Australian Government’s Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 even more relevant and timely. It places further security obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry – and their data centre and cloud service providers.

Notably, the bill not only aims to protect critical infrastructure organisations from cyberattacks but to enable rapid recovery through cyber resiliency.

And what about business email compromise?

ACSC’s new annual report also focuses on the highly lucrative area of BEC (business email compromise), and with good cause.

BEC is a strategy used by malicious actors to compromise organisations via email to scam businesses out of money or goods and trick employees into revealing confidential business information. And it’s also an entry point for malicious actors to move their focus to higher-value targets within business or organisation networks. A single compromised employee email can lead to a significant ransomware attack.

While ACSC says the number of BEC attacks declined in the 2021-2022 period, the average loss incurred per successful BEC increased to an Australian average of over $64,000. Unfortunately for Western Australians, their higher-than-average loss was $112,000 per report.

Property settlements have been a popular target due to the high value of transactions. You may remember the high-profile case of MasterChef contestant Dani Venn who lost (then thankfully recovered) $250,000 when PEXA (Property Exchange Australia), the online conveyancing giant, was hacked. This 2018 case was a wake-up call for many.

Ransomware: Here, there, and everywhere

Ransomware attacks were both high-profile and ubiquitous over the 2021-2022 period, reports ACSC. No sector was left untouched. Reported attacks were down, but ACSC states that it’s likely that they were significantly under-reported as victims instead chose to pay the ransom in an effort to return to a business-as-usual state ASAP.

The top five sectors under attack included education and training, information media and telecoms, State/Territory/Local Government and Health Care and Social Assistance.

Why does this all make cyber resilience a more important conversation than ever before?

We’ve discussed cyber resilience before. It’s something we’re passionate about. And at the risk of repeating ourselves (and if you don’t have time to read our earlier blog), here’s a quick recap of the difference between cybersecurity and cyber resilience:

Cybersecurity is how you protect your electronic data. It encompasses the processes, best business practices and technology solutions you put in place to safeguard your systems and network.

Cyber resiliency is your ability to prepare for, respond to, and recover from a cyberattack. If you’re cyber resilient, you’re better equipped to defend your organisation from attack, limit the impact on your systems and data, and continue working during and after an attack.

Cyber resiliency isn’t a conversation that will go away anytime soon. And nor should it.

ACSC has taken the topic seriously with initiatives like AquaEx (a national cyber security exercise series in partnership with Australia’s urban water and wastewater sector and government agencies), which have helped participating industries and government to work together to strengthen cyber resilience across Australia.

And following the Federal Court of Australia finding that financial planning company RI Advice had breached its financial services licence by having inadequate cybersecurity risk management systems, ACSC said: “…it is a strong reminder that company boards should consider cyber resilience as part of their statutory responsibilities.”

Finally, ACSC says, and we quote, that “Australia’s best defence in a rapidly evolving cyber threat environment is to build resilience across businesses and organisations, and among individuals.”

And we couldn’t agree more.

Cyberattacks: The dynamic duo of business continuity and cyber resiliency to the rescue

What two things happen when you leave your business open to cyberattacks?


The first is that your cyber-risk management strategy, technology and processes are called into question by your stakeholders, customers and the Australian government. And if found wanting, you could face severe consequences, financial and otherwise.


The second is that your business may simply not bounce back. It may lack the resilience and customer loyalty needed to recover from the damage done by a cyberattack (and this is assuming you’re lucky enough only to be targeted once). According to Gemalto’s study of 10,000 global consumers, when a company suffers a data breach and their privacy is compromised, more than 70% will stop using the service.


However, let’s look at these two scenarios a little more closely. Then discuss how to offset them.

The compliance consequences (and you are right to be scared)


The Australian Securities and Investments Commission (ASIC) takes its role as a watchdog and enforcer of risk management very seriously. They’ve launched and completed significant civil penalty proceedings in the Federal Court against both the unwary and the ill-prepared.


If you think it couldn’t or wouldn’t happen to you, then think again. After all, as a business, you are legally required to comply with ASIC’s strict legal, regulatory, and contractual cyber security and resilience obligations, and data breaches are a legally notifiable occurrence.


Two recent local cases bring home the everyday reality of not adequately protecting your people, customers, and technology.

The eye-watering cost of failing to manage cyber risk


Case 1 (done and dusted): In May 2022, one organisation’s failure to manage their cyber security appropriately, which resulted in repeat breaches, attracted a $750,000 penalty. That’s a considerable amount to try to recoup, and for many businesses, the fine alone, without the subsequent loss of customer loyalty, would be a death blow.

This financial services licensee was taken to task following a significant number of cyber incidents between June 2014 and May 2020. In one of the incidents, says ASIC, ‘an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.’ Ouch.


ASIC Deputy Chair Sarah Court said: “These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.”


Case 2 (currently in the hot seat): In July 2022, ASIC held a fund services organisation to account for ‘multiple failures to meet the obligations of its Australian financial services licence, including a failure to meet organisational competence requirements.’


ASIC’s allegations include that the organisation failed to ‘have in place adequate risk management systems’ or to ‘have adequate resources (including financial, technological, and human resources) to provide the financial services and carry out supervisory arrangements.’

In this case, ASIC is seeking:

  • Declarations and pecuniary penalties from the Court.
  • An order for an independent expert to be appointed to review and report on the organisation’s systems, processes and controls.
  • A requirement for the organisation to implement a risk management and compliance program once the report is received.

The date for the case management hearing is yet to be scheduled by the Court. But if the organisation is found liable, you can be sure that the fine will prompt a sharp intake of breath (and perhaps even a few tears) when announced. And the fallout from the loss of customer loyalty could be even more devastating.

So, if you’re not yet sitting up and taking notice of how you manage your cybersecurity risk by now, perhaps you should be. Because if it can happen to them, it can happen to you.

Can you recover? (Clue: Preparation, not cure)

Now, we sincerely hope you won’t ever be impacted by a cyberattack. But the sad statistical reality is that you are more than likely to be.

The World Economic Forum currently ranks cybersecurity failure as one of the top ten risks in terms of likelihood of occurrence. Frighteningly, if you are classified as a small business, one in eight of you won’t recover, ever. All of which makes cyber resilience and recovery a board-level priority, along with business continuity.

As part of their Annual Cyber Threat Report 2020-21, the Australian Cyber Security Centre (ACSC) offered this wise advice: “While the costs of impacts are difficult to quantify, the costs of remediation for a cybercrime or cyber security incident can be far greater than early and ongoing investment in prevention.”

We’d like ACSC to add ‘and cyber resilience’ to the end of that comment.

Your ability to be cyber resilient and recover to a business-as-usual state as quickly as possible is as essential as having the right cyber security solutions in place. It must be said, ASIC is also a big advocate of this approach, freely providing excellent information on good cyber resilience practices.

And to clarify up front, remember that cybersecurity and cyber resilience are not the same. So, here’s a quick recap of how they differ:

  • Cybersecurity is how you protect your electronic data. It encompasses the processes, best business practices and technology solutions that you put in place to safeguard your systems and network.
  • Cyber resiliency is your ability to prepare for, respond to, and recover from a cyberattack. If you’re cyber resilient, you’re better equipped to defend your organisation from attack, limit the impact on your systems and data, and keep on working during and after an attack.

Where and why does business continuity come into it?

Having an effective cyber business continuity plan is vital to the ability of your organisation to be cyber resilient. A business continuity plan and cyber resilience don’t work in isolation from one another but walk side by side as a team. Think Batman and Robin.

Your cyber business continuity plan guides you through the practicalities of survival at the moment of impact, and gets you out the other side, perhaps a little bruised – but alive and kicking – by providing:

  • Clearly defined crisis management roles and responsibilities so everyone in the organisation knows exactly what they have to do and can simply get on with it – like a well-practised fire drill.
  • A detailed IT security crisis communication plan and processes that outline all reactive measures and control efforts, so you don’t have to second guess ‘what next?’.
  • The incident response actions needed to keep your data safe (and to make sure you don’t accidentally open your business up to a data breach while distracted by a disruption!).
  • An up-to-date checklist of all IT-dependent applications, like your website and intranet, social media accounts, shared drives and collaboration platforms, and all your IT assets.
  • And lastly, those all-important how-to instructions for secure access, security workarounds, and fail-safe backup systems that ensure you have access (and can keep working) throughout the disruption.

Reducing the burden of risk management

As the cost and frequency of data breaches continue to rise, maintaining a tight focus on cyber resilience and business continuity is key to survival and ensuring legal compliance.

We believe that although the deluge of cybercrime can appear daunting, with robust, intelligent cybersecurity solutions and a top-down cyber resiliency strategy, we will all hold our own.

© 2021 Global Storage. All rights reserved.