Why Data Governance Risk & Compliance is a risky business. And what you can do about it.

While Data GRCaaS (Data Governance Risk and Compliance as a Service) may sound like yet another incomprehensible IT acronym to many, it’s likely to greatly interest those in your business responsible for managing risk. They know exactly how important GRC is to the well-being of your business and its future.

Non-compliance with data protection regulations is both risky and expensive. It can cost dearly in terms of reputation and financial penalties that few can recover from. One such example is the Medibank data breach of 2022. The Office of the Australian Information Commissioner (OAIC) has started court proceedings against Medibank for failing to take reasonable steps to protect its customers’ personal information from misuse and unauthorised access or disclosure, in breach of the Privacy Act 1988. If the prosecution is successful, the maximum civil penalty order theoretically available under the Privacy Act, in this case, is an unimaginable AU$ 21.5 trillion. It’s unlikely that a fine of this magnitude will be awarded, but it signals how seriously OAIC takes this case – and the importance of GRC.

But let’s back up a bit first and define Governance Risk and Compliance (GRC) and why it’s relevant to your data.

A (very quick) guide to GRC

Governance, Risk, and Compliance (GRC) is a structured approach used by organisations to align their IT and business goals while managing any risks. It helps to ensure compliance with regulations and maintain effective governance practices.

In plain language:

  • The Governance part refers to the framework of rules, processes, and practices your organisation follows. It encompasses establishing policies, taking accountability for meeting those policies, and overseeing your business performance.
  • The Risk aspect is all about identifying, assessing, and managing risks that could impact your ability to achieve your objectives. It includes risk management strategies and practices to mitigate potential threats (for example, cyber threats).
  • And the Compliance part is the process of making sure you follow the letter of the law and adhere to both external regulations and your own internal policies. This includes monitoring and reporting on any compliance-related issues and ensuring your business meets its legal and ethical standards.

So, what’s Data GRC?

In adding Data to the GRC mix, the focus moves quite specifically to the areas of risk associated with data, like uncontrolled or illegal data access, exposure to data breaches, cyberattacks, and insider threats.

Safeguarding your data (and handling the ‘what comes next’) presents a unique set of challenges and adds still more layers of complexity to your GRC initiatives. Given the dynamic nature of cybercrime and the increasingly heavy fines for those who fail to protect their data, it’s a genuine worry for most businesses. And managing it internally, without expert and dedicated resources who have the time and knowledge to monitor, manage and protect your data 24/7, comes with its risks.

What are some of the everyday data risks we’re talking about?

  1. The effort of keeping up and responding to ever-evolving legal, industry, and internal requirements regarding how you protect your data, what you must do in case of a breach, and by when.
  2. Being blindsided by an incomplete view of your data.
  3. Slow response at times of need with manual remediation processes for mitigating risks.
  4. The struggle to implement and maintain a zero-trust security posture that strengthens both your security and your compliance initiatives.
  5. Without an audit trail, you have no idea who has accessed, deleted, created, or moved your data.
  6. The inability to identify, prioritise, and address data security needs in real time (before it’s too late).

What is Data GRCaaS?

Data GRCaaS uses a service-based modular strategy designed to help you safeguard your data and ensure it is managed according to an agreed data compliance framework. And because the service is cloud-based and therefore scalable (and supported by industry-leading best practices and committed resources), it replaces the costly in-house infrastructure and experts you’d need to do the same job. It works across your entire environment – on-prem, cloud, or hybrid.

In real-world terms, what’s in it for you? How will it improve your GRC? Let’s take a look.

How does Data GRCaaS deliver on your compliance wish list?

Regulatory compliance is at the top of the GRC list. The good news is that if you need to comply with and report on data standards like SOCI, ACSC ISM, GDPR, PCI, HIPAA, HITECH, SEC, SOX, CJIS, CMMC, or PIPEDA in addition to your internal policies, you’re covered. With Data GRCaaS, you can’t slip up.

Data GRCaaS allows you to get to grips with your data. You’ll be able to discover, identify, classify, and label your sensitive data at scale in preparation for implementing DLP (data loss prevention). And this is a very good thing; DLP solutions help you protect your critical information, whether stored on endpoints, in the cloud, or in transit. Deep integration with Microsoft means it will also identify and categorise sensitive information in your emails, Teams, and SharePoint and pick up any unauthorised data exposure or behaviours. You’ll also save money with your newfound ability to identify stale data and decide if it can be archived or deleted – driving down your data storage costs.

You’ll also improve your security posture. Data GRCaaS will help you mitigate the risk of data breaches, cyberattacks, and insider threats by adopting a Zero-Trust or least-privilege approach. Other compliance improvements include managing your permissions and understanding who is accessing, deleting, creating, and moving data – so you have control and visibility.

Then there’s peace of mind (and its importance can’t be overstated for those responsible for your GRC). A Data GRCaaS solution will mitigate your risk when it comes to data breaches, cyberattacks, and insider threats. It will also identify and action file-level security breaches as they happen. This includes insider threats, malware, and ransomware.

Lastly, your back is covered 24/7. Data GRCaaS is supported by real people who continuously oversee the management, reporting, and remediation of your data security, governance, and compliance risks – day in and day out.

What next?

With Data GRCaaS, you’ll be able to understand and remediate industry-relevant data risks by type, sensitivity, regulation, risk, policy, and more. And we guarantee that’s going to make a lot of people happy and better able to sleep at night.

Beyond backup: The compelling case for data resilience

Thinking that simply backing up your data will save the day is a shortsighted strategy with little or no place in today’s world. Because when it happens – that inevitable cyberattack or natural disaster – you’ll find that just having a copy of your data is far from enough.

And if you have a hybrid cloud environment, with data sprawled across myriad locations and platforms, then you assuredly need more than just backups to save your bacon.

If you haven’t yet developed a data resilience strategy, there’s no time to waste. The latest Notifiable Data Breaches Report from the Office of the Australian Information Commissioner revealed a rapid rise nationwide in notifiable data breaches in the first six months of 2024.

At the risk of sounding like a broken record, we once again say: It’s no longer a matter of if (you’re attacked), but when.

Backup vs. data resiliency

Just so there’s no confusion:

Should you be creating backups? Obviously – that’s a yes. Backing up your data is essential for data recovery – but it’s a reactive approach, a pink band-aid applied after the accident in the hope that it will hasten recovery. Yes, backups restore your lost data. But they won’t prevent you from losing it in the first place, and the post-disaster backup process can lead to significant downtime, as your systems may need to be taken offline to restore data.

By comparison, data resilience is a proactive approach. It focuses on preventing data loss and ensuring continuous availability. So, when disaster strikes (as it will), your business can keep running, downtime is minimised, and data integrity is maintained.

In short, if you’re not thinking about data resilience, you’re not thinking far enough ahead.

What does disaster look like?

What happens to your business when you experience a natural disaster or cyber-attack? Why can this sort of event stop your people and operations in their tracks?

Here’s what can happen:

  1. Operational systems out of commission: Your core business applications and systems may become inaccessible, halting production, sales, or service delivery. Everything you rely on to run a business is in ‘off’ mode.
  2. Employee productivity plummets: Your staff may be unable to perform their tasks effectively, leading to decreased productivity, frustration, fear, and low morale.
  3. No access to data: Being unable to access essential data, including customer information, financial records, and operational data, can severely impact your decision-making and operations.
  4. You can’t communicate: Your communication tools (think email, messaging platforms, etc.) can be compromised. Your team members can’t talk to each other, let alone to your customers and suppliers.
  5. Disrupted financial transactions: Your payment processing systems may be disrupted, preventing sales and impacting your cash flow.
  6. Zero customer service: If your customer support systems go down, it’s a red flag for your customer relationships. Few customers are impressed with delayed responses to their queries and requests for help and are fast to change loyalties.
  7. You can quickly get a bad rep: Trust can be rapidly eroded if customers learn of the breach, leading to potential loss of business and reputation damage.
  8. Failed regulatory compliance: Your compliance with data protection laws may be at risk, resulting in legal consequences and significant fines.
  9. Disrupted supply chains: If your suppliers or partners are affected, it may disrupt your supply chain, impacting inventory and delivery.
  10. The cost of recovery: Then, there’s the financial burden of remediation efforts, including IT forensics, system repairs, and potential legal fees. All of which can place a heavy strain on your people and your bank balance.

Given the potential impact on your business, relying on backups to dig you out of the deep hole of disaster is highly optimistic.

Data resilience – a holistic approach

Data resilience is about ensuring business continuity. It’s accepting that the impact of an attack can be wide and varied and that just restoring data via back-ups isn’t going to be enough to get you back in business.

Don’t get us wrong – backups are essential (and play an important role in a data resilience approach) – but they’re only part of the picture. Big-picture data resilience also encompasses recovery, redundancy, disaster recovery (DR) planning and cybersecurity. And it requires you to implement measures that ensure data availability, integrity, and security even in the face of unexpected events to minimise data loss and maintain business continuity.

Adopting a data resilience strategy can help your business pre-, during-, and post-incident in three ways.

  1. It enables you to better withstand a cyber-attack.
  2. If you’re already impacted, it helps you to access your most important data and applications despite network disruptions or failures.
  3. It supports your rapid recovery and return to BAU.

How about data resiliency in a hybrid or multi-cloud environment?

Security and recovery are not assured simply because you’re in the cloud – whether public or private. And scarily, backup repositories are targeted in 96% of attacks, with bad actors ‘successfully’ affecting those repositories in 76% of cases.

If you count yourselves amongst the 89% of organisations with a multi-cloud strategy, you’re probably well aware of the challenges of backing up in the cloud. Legacy systems don’t deliver; relying on native backup tooling for each environment both fragments management and creates inefficiencies and higher costs; and some first-party vendor solutions restrict flexibility and compromise performance, which drives up costs.

However, as said earlier, just investing in backup (no matter how good) on its own is a shortsighted strategy. Achieving data resilience requires your backup and cybersecurity teams to be aligned. To quote Veeam’s 2024 Ransomware Trends Report, “Recovery from a ransomware attack is a team sport.”

Yet most organisations struggle with this alignment, with 63% saying they need a complete overhaul or significant improvement to be fully aligned.

When asked why their teams weren’t better aligned, the most common answer (by respondents to Veeam’s report) was “a lack of integration between backup tools and cybersecurity tools.”

Summary

It’s been said that backup is easy, but recovery is hard – especially if you’re relying on your saved data to do more than it was ever intended. And with the rate at which we generate data and the increasing complexity of our technology environments, ‘hard’ isn’t a word that any of us want to hear.

A data resilience strategy that utilises integrated backup and cybersecurity tools is essential to survive D-day.

Whether it’s your first, tenth, or hundredth attack, you need to be able to face every event with the confidence that you will come out the other side with your data and business intact. Resilient to the end.

Chicken or egg: Cyber resistance vs cyber resilience

In a digital world where data is the new ‘everything’, it’s unsurprising that it has become a prime target for criminals. Data is the modern-day equivalent of a stash of gold bullion – and it can be stolen, ransomed, and sold for profit with less effort and risk than a bank heist.

The unrelenting waves of global cyberattacks mean that the cost of business survival is escalating – with the cost of cyberattacks doubling between 2022 and 2023. To combat this, Infosecurity Magazine reports that 69% of IT leaders saw or expected cybersecurity budget increases of between 10 and 100% in 2024.

The cost of crime

At the pointy end of the problem, organisations face damaged or destroyed data, plundered bank accounts, financial fraud, lost productivity, purloined intellectual property, the theft of personal and financial data, and more.

The blunt end is no less damaging. There’s the cost of recovering data, rebuilding your reputation, and getting your business back to a state of BAU as soon as possible, as well as the hefty price tag that comes with forensic investigation, restoring and deleting hacked data and systems, and even prosecution.

Generative AI to the cyber-rescue?

Many see the rise of generative AI and expansion into hybrid and multi-cloud environments as the means to alleviate the ongoing attacks. But, of course, the democratisation of generative AI (in other words, goodies and baddies have equal access to its powers) means that potential risks are also heightened.

Despite this, it’s hard to overcome the optimism that generative AI will be a cyber-saviour. According to Dell Technologies 2024 Global Data Protection Index (APJ Cyber Resiliency Multicloud Edition), 46% of respondents believe that generative AI can initially provide an advantage to their cyber security posture, and 42% are investing accordingly.

But here’s the rub: 85% agree that generative AI will create large volumes of new data that will need to be protected and secured. So generative AI will, by default, (A) potentially offer better protection and (B) increase the available attack space due to data sprawl and unstructured data.

Resistance vs resilience

Of the APJ organisations (excluding China) that Dell surveyed, 57% say they’ve experienced a cyberattack or cyber-related incident in the last 12 months.

And a good 76% have expressed concern that their current data protection measures are unable to cope with malware and ransomware threats. 66% say they’re not even confident that they can recover all their business-critical data in the event of a destructive cyber-attack.

So why, if 66% of organisations doubt their ability to recover their data, are 54% investing more in cyber prevention than recovery?

Can you separate the cyber chicken from the egg?

In a recent cybersecurity stats round-up, Forbes Advisor reported that in 2023, there were 2,365 cyberattacks impacting 343 million victims.

Given the inevitability of cyberattack, it’s critical that your methods of resistance are robust, and if disaster strikes, your ability to recover is infallible.

Look at it this way: While a cruise liner obviously must have radar to detect and try and avoid approaching icebergs, angry orcas, and other collision-prone objects, it’s just as important that they have lifeboats, lifeboat drills, lifejackets, and locator devices available to minimise loss of life and keep everyone afloat.

In the words of Harvard Business Review: “Simply being security-conscious is no longer enough, nor is having a prevention-only strategy. Companies must become cyber-resilient—capable of surviving attacks, maintaining operations, and embracing new technologies in the face of evolving threats.”

So, how do you bolster your cyber resilience?

According to Dell, 50% of the organisations they surveyed have brought in outside support (including cyber recovery services) to enhance cyber resilience.

While AI will undoubtedly introduce some initial advantages, as suggested earlier, those could be quickly offset as cybercriminals leverage the very same tools. Not only are traditional system and software vulnerabilities under attack, but due to the sprawl of AI-generated data, there are more and newer opportunities.

So – can we rely on generative AI to save the day? Probably not – or not yet anyway. What about outside help? Yes, most definitely. However, cyber resilience begins at home, with a top-down strategy based on some inarguable facts:

  1. Attacks are inevitable. Once you accept that this is the new reality of the digital age, the logical next step is to develop a clear, holistic strategy focusing on business continuity and crisis planning.
  2. People are the first and best line of defence. Ensure your entire organisation takes responsibility and is cyber-aware – to the extent that your procedures are included in your company policies and onboarding processes. This should include delivering ongoing cyber awareness training and introducing regular drills.
  3. When disaster strikes, survival is in your hands. Establish clear cybersecurity governance that aligns with your business objectives. Everyone in the organisation should know what they need to do to protect the organisation, its data, and its clients and ensure continuity of operations.
  4. No one is trustworthy. Assume everything around your network is a potential threat. Adopt a zero-trust mindset that requires continual verification and rigidly controls access based on preset policies.
  5. What you don’t know can hurt you. The ability to detect and prevent threats is critical. Invest in Security as a Service to provide visibility into your data, regardless of where it’s located, so that you can see and address your weaknesses.
  6. Disaster will strike. We live in unexpected times, where cybercrime and unprecedented natural disasters conspire to stop us in our tracks. With cloud-based Disaster Recovery as a Service, the risk of permanently losing data and disrupting business as usual is significantly reduced.

Cyber resiliency in a multi-cloud environment – how hard can it be?

When data security is ranked as the leading challenge facing organisations that access and maintain data in cloud environments (above cost, complexity and lack of expertise), you know there’s an issue.

It’s one thing to rely on the standard backup and recovery tools available from a public cloud service provider (CSP), but what happens when most Australian organisations use three public CSPs on average? How do you juggle using three sets of tools effectively?

In truth, we believe you can’t – and you shouldn’t. Not if you value your business, and your data.

Why aren’t public CSP in-built tools enough to ensure cyber resilience?

While turning to a CSP’s in-built tools may appear to be a logical and cost-effective decision, they tend to offer only a basic level of coverage against the global flood of cyber-attacks, data theft and application outages. In addition, CSP backup and recovery offerings cannot scale, fully protect, or provide you with a unified view of your data across all your cloud environments.

With cyber resilience the new business imperative, it’s not a matter of safety in numbers. Having three times the tools doesn’t equate to three times the protection. Taking a fragmented approach to protecting your multi-cloud environment increases the opportunity for gaps to form in your security, backup and recovery efforts. As a consequence, organisational and reputational risk goes up – not down.

More frequent use of CSP tools is also associated with more operational downtime related to outages, application failures, human error, and even natural disasters. Despite 53% of Australian organisations agreeing that relying solely on CSP backup and recovery tools puts their organisation at risk, 55% use CSP tools all the time.

The only way to confidently mitigate the impact of costly assaults on your multi-cloud environment is through third-party protection.

When it comes to CSP responsibility, you don’t likely know what you don’t know

Perception is a wonderful thing. But unfortunately, while you’d imagine that your CSP is responsible for protecting your data, that’s not the case.

Digging into the fine print of your end-user licensing agreement usually unearths that the CSP is only responsible for protecting the infrastructure, and that you are entirely responsible for protecting your data and workloads in that cloud environment. So, the offer of standard backup and recovery tools doesn’t even begin to cover your back – and your data – in case of a cyberattack. Times three.

Even using Microsoft 365 or Office 365 doesn’t guarantee that your data is backed up in the cloud. Office 365 takes a shared responsibility approach. While Microsoft may store your data, it’s your responsibility to control and protect it.

In our recent paper (2022 Research Report on Securing Your Enterprise in a Multi-Cloud Environment), we identified that 96% of Australian organisations didn’t realise who was responsible for what.

This brings us to the big question…

How can you be cyber resilient if you don’t have a handle on your cloud environments?

When you follow best practices for backup, data protection and disaster recovery, you are more cyber resilient. Best practice includes having a “3-2-1” backup strategy – one primary backup and two additional copies of your data, using at least two different storage mediums, with at least one copy offsite.

Backup timing is also critical – and this depends on what you’ve identified as your RPO (recovery point objective). For example, if you’re only taking data snapshots every 12 hours, can you afford to be without that data from 11hrs 45mins ago? Mission-critical data that hasn’t been backed up for more than 12 hours is more likely to be permanently lost in case of a ransomware attack or server failure. Yet, only 10% of Australian organisations are committed to continuous data backup, while 45% back up their data less frequently than every 12 hours.
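The two checks described above (the 3-2-1 copy rules and the RPO exposure question) can be expressed as a small policy script. The following is an added example written for this page, not the page’s own code or any vendor tool; the backup inventory it runs over is constructed inline, and the `BackupCopy`/`Dataset` records, the `rpo` values and the `NOW` timestamp are assumptions for illustration. It flags a dataset whose copies break any 3-2-1 rule, and compares the age of the newest successful copy against the RPO the business has set, which is the "can you afford to be without 11hrs 45mins of data?" question asked above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset, as recorded by whatever backup tool produced it."""
    label: str
    medium: str            # e.g. "disk", "tape", "object-storage"
    offsite: bool          # held outside the primary site or cloud account
    completed_at: datetime # when this copy last completed successfully


@dataclass
class Dataset:
    name: str
    rpo: timedelta         # the most data loss the business says it can tolerate
    copies: list[BackupCopy] = field(default_factory=list)


def check_3_2_1(copies: list[BackupCopy]) -> list[str]:
    """Return the 3-2-1 rules this set of copies breaks; an empty list means compliant."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media)) or 'none'}); need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy; at least 1 copy must be offsite")
    return findings


def rpo_status(dataset: Dataset, now: datetime) -> dict:
    """How much data would be lost if the primary failed right now, measured against the RPO."""
    if not dataset.copies:
        return {"age": None, "breached": True}
    newest = max(c.completed_at for c in dataset.copies)
    age = now - newest
    return {"age": age, "breached": age > dataset.rpo}


def assess(datasets: list[Dataset], now: datetime) -> dict:
    """Run both checks over every dataset and return a report keyed by dataset name."""
    return {
        ds.name: {"three_two_one": check_3_2_1(ds.copies), "rpo": rpo_status(ds, now)}
        for ds in datasets
    }


# Constructed sample inventory (assumption, not real data). A fixed "now" keeps the run repeatable.
NOW = datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)

FINANCE_DB = Dataset(
    name="finance-db",
    rpo=timedelta(hours=1),
    copies=[
        BackupCopy("nightly-disk", "disk", offsite=False, completed_at=NOW - timedelta(minutes=30)),
        BackupCopy("cloud-replica", "object-storage", offsite=True, completed_at=NOW - timedelta(minutes=30)),
        BackupCopy("weekly-tape", "tape", offsite=True, completed_at=NOW - timedelta(days=1)),
    ],
)

# Two snapshots on the same onsite disk, last taken 11h45m ago: the scenario the text describes.
FILE_SHARE = Dataset(
    name="file-share",
    rpo=timedelta(hours=4),
    copies=[
        BackupCopy("snap-a", "disk", offsite=False, completed_at=NOW - timedelta(hours=11, minutes=45)),
        BackupCopy("snap-b", "disk", offsite=False, completed_at=NOW - timedelta(hours=11, minutes=45)),
    ],
)

DATASETS = [FINANCE_DB, FILE_SHARE]

if __name__ == "__main__":
    for name, result in assess(DATASETS, NOW).items():
        print(f"{name}:")
        for finding in result["three_two_one"] or ["3-2-1: compliant"]:
            print(f"  - {finding}")
        rpo = result["rpo"]
        state = "BREACHED" if rpo["breached"] else "within RPO"
        print(f"  - newest copy is {rpo['age']} old: {state}")
```

Feeding the script a real inventory exported from your backup tooling is the obvious next step; the point of separating `check_3_2_1` from `rpo_status` is that a dataset can pass one and fail the other, which is exactly the gap between "we have backups" and "we can recover within what the business tolerates".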

While that ‘may’ work for some businesses, it certainly doesn’t for others. A case in point is law practice Colin Biggers & Paisley, who says, “Losing even an hour of productive time costs a firm a great deal, and legal work never stops. It’s around the clock.”

Colin Biggers & Paisley is just one of many Australian organisations that opt for solutions like Veritas NetBackup to ensure they are actively cyber resilient across single or multi-cloud environments. Such is the reliability of their Veritas backup and disaster recovery system that Colin Biggers & Paisley proudly present the results of their twice-yearly data backup and DR audits to potential clients as a benefit of engaging with them.


Is cyber resilience the new conversation starter?

While the phrase ‘may you live in interesting times’ is widely regarded as an ancient Chinese curse, it was, in fact, said in 1939 by the American politician Frederic R. Coudert.

But, given the last few years, we all appreciate the sentiment regardless of where it originated.

The curse of cybercrime

Yes, these are interesting – and challenging – times. And as discussed in the latest (July 2021-June 2022) ACSC Annual Cyber Threat Report, it’s been an increasingly steep learning curve for many individuals, businesses and public and private sector organisations.

Australia is far from alone in being subjected to an unrelenting barrage of cyber-attacks, but obviously, it’s very close to home for us. And Victoria and Queensland, in particular, have reported disproportionately higher cybercrime rates relative to population size.

In the period covered by the report, ACSC responded to over 1,100 cybersecurity incidents. The sharp-eyed may spot that this is a 36% decrease in reported incidents over the previous year. However, ACSC suggests that the growth of Australia’s commercial incident response sector means that incidents it may have previously responded to are now being handled internally or by contracted incident response teams.

The cost of cybercrime

According to ACSC, the average cost to cybercrime-impacted Australian businesses is significant:

  • For a small business with 1-20 employees, the average cost of an attack is $39,555
  • For a medium business with 20-199 employees, expect to lose $88,407
  • And those large businesses, with 200+ employees, should anticipate writing off $62,233

Yet, considering the significant damage that stolen data can cause, it’s surprisingly cheap to acquire if you’re on the dark side. Visual Capitalist recently shared a price list for dark web data.

While passports remain a high-end investment (US$3800), an NSW Driver’s License can be had for US$150, and an Australian credit card, complete with CVV, is a mere snip at US$23.

As Brad, in the cult classic movie The Rocky Horror Picture Show, observed: “Life’s pretty cheap to that type.”

The hot cybercrime critical infrastructure sectors

ACSC says that 75% of all reported cybersecurity incidents in the 2021-2022 financial year were from the top 10 reporting sectors. Probably to their great relief, the retail sector is no longer part of that top 10, having been ousted by the electricity, gas, water and waste service sector.

The top three sectors under attack are the Commonwealth Government, which reported 24% of all incidents, followed by State/Territory/Local Government with 10% (although it must be noted that government sectors do have additional and more rigorous reporting obligations), and Health Care and Social Assistance at 9%.

The remaining seven top 10 sectors range from telecommunications to education, construction to manufacturing, and financial services to electricity, gas, water and waste services.

This ‘hot’ top 10 list makes the Australian Government’s Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 even more relevant and timely. It places further security obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry – and their data centre and cloud service providers.

Notably, the bill not only aims to protect critical infrastructure organisations from cyberattacks but to enable rapid recovery through cyber resiliency.

And what about business email compromise?

ACSC’s new annual report also focuses on the highly lucrative area of BEC (business email compromise), and with good cause.

BEC is a strategy used by malicious actors to compromise organisations via email to scam businesses out of money or goods and trick employees into revealing confidential business information. And it’s also an entry point for malicious actors to move their focus to higher-value targets within business or organisation networks. A single compromised employee email can lead to a significant ransomware attack.

While ACSC says the number of BEC attacks declined in the 2021-2022 period, the average loss incurred per successful BEC increased to an Australian average of over $64,000. Unfortunately for Western Australians, their higher-than-average loss was $112,000 per report.

Property settlements have been a popular target due to the high value of transactions. You may remember the high-profile case of MasterChef contestant Dani Venn who lost (then thankfully recovered) $250,000 when PEXA (Property Exchange Australia), the online conveyancing giant, was hacked. This 2018 case was a wake-up call for many.

Ransomware: Here, there, and everywhere

Ransomware attacks were both high-profile and ubiquitous over the 2021-2022 period, reports ACSC. No sector was left untouched. Reported attacks were down, but ACSC states that it’s likely that they were significantly under-reported as victims instead chose to pay the ransom in an effort to return to a business-as-usual state ASAP.

The top five sectors under attack included education and training, information media and telecoms, State/Territory/Local Government and Health Care and Social Assistance.

Why does this all make cyber resilience a more important conversation than ever before?

We’ve discussed cyber resilience before. It’s something we’re passionate about. And at the risk of repeating ourselves (and if you don’t have time to read our earlier blog), here’s a quick recap of the difference between cybersecurity and cyber resilience:

Cybersecurity is how you protect your electronic data. It encompasses the processes, best business practices and technology solutions you put in place to safeguard your systems and network.

Cyber resiliency is your ability to prepare for, respond to, and recover from a cyberattack. If you’re cyber resilient, you’re better equipped to defend your organisation from attack, limit the impact on your systems and data, and continue working during and after an attack.

Cyber resiliency isn’t a conversation that will go away anytime soon. And nor should it.

ACSC has taken the topic seriously with initiatives like AquaEx (a national cyber security exercise series in partnership with Australia’s urban water and wastewater sector and government agencies), which have helped participating industries and government to work together to strengthen cyber resilience across Australia.

And following the Federal Court of Australia finding that financial planning company RI Advice has breached its financial services license by having inadequate cybersecurity risk management systems, ACSC said: “…it is a strong reminder that company boards should consider cyber resilience as part of their statutory responsibilities.”

Finally, ACSC says, and we quote, that “Australia’s best defence in a rapidly evolving cyber threat environment is to build resilience across businesses and organisations, and among individuals.”

And we couldn’t agree more.

VMware elevates Global Storage to Principal Partner

In further solidifying our relationship with VMware, Global Storage has recently achieved Cloud Verified and Principal Partner status.

To become a Principal Partner we have demonstrated continued efforts in becoming an expert in VMware solutions and service, and have taken the necessary steps through Master Services Competency (MSC) achievement—or the equivalent—as well as demonstrated a growing company sales performance. Principal partners are the most qualified partners in VMware Partner Connect and with this distinction, they demonstrate a broad range of expertise and the ability to best serve their customers’ needs.

As a Cloud Verified Partner you know that Global Storage will expertly deliver cloud infrastructure as a service—so your cloud strategy will be flexible and resilient today, tomorrow and for years to come.

Global Storage is also the first Australian partner to have achieved the VMware Disaster Recovery as a Service certification, and one of only six partners with this certification across Asia Pacific.

Cyberattacks: The dynamic duo of business continuity and cyber resilience to the rescue

What two things happen when you leave your business open to cyberattacks?

The first is that your cyber-risk management strategy, technology and processes are called into question by your stakeholders, customers and Australian regulators. If they are found wanting, you could face severe consequences, financial and otherwise.

The second is that your business may simply not bounce back. It may lack the resilience and customer loyalty needed to recover from the damage done by a cyberattack (and this assumes you're lucky enough to be targeted only once). According to Gemalto's survey of 10,000 consumers worldwide, when a company suffers a data breach that compromises their personal data, more than 70% say they would stop using its services.

Let's look at these two scenarios a little more closely, then discuss how to offset them.

The compliance consequences (and you are right to be scared)

The Australian Securities and Investments Commission (ASIC) takes its role as a watchdog and enforcer of risk management very seriously. It has launched and completed significant civil penalty proceedings in the Federal Court against both the unwary and the ill-prepared.

If you think it couldn't or wouldn't happen to you, think again. If you hold an Australian financial services licence, you are legally required to have adequate risk management systems and adequate resources to meet your licence obligations, which ASIC reads as including cyber security and resilience. Separately, a data breach that is likely to result in serious harm to the individuals affected must be notified to the OAIC and to those individuals under the Privacy Act's Notifiable Data Breaches scheme.

Two recent local cases bring home the everyday reality of not adequately protecting your people, customers, and technology.

The eye-watering cost of failing to manage cyber risk

Case 1 (done and dusted): In May 2022, one organisation's failure to manage its cyber security appropriately, which resulted in repeat breaches, ended with a Federal Court declaration that it had contravened its licence obligations and an order to pay $750,000 towards ASIC's costs. That's a considerable amount to recoup, and for many businesses the costs order alone, before the subsequent loss of customer loyalty, would be a death blow.

This financial services licensee was taken to task following a significant number of cyber incidents between June 2014 and May 2020. In one of the incidents, says ASIC, ‘an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative's file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.’ Ouch. Note the timeline: roughly four months of unauthorised access before detection, which is the gap a monitored, rate-limited login path and an alert on repeated failures exist to close.

ASIC Deputy Chair Sarah Court said: “These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.”

Case 2 (currently in the hot seat): In July 2022, ASIC commenced proceedings against a fund services organisation for ‘multiple failures to meet the obligations of its Australian financial services licence, including a failure to meet organisational competence requirements.’

ASIC's allegations include that the organisation failed to ‘have in place adequate risk management systems’ or to ‘have adequate resources (including financial, technological, and human resources) to provide the financial services and carry out supervisory arrangements.’

In this case, ASIC is seeking:

  • Declarations and pecuniary penalties from the Court.
  • An order for an independent expert to be appointed to review and report on the organisation’s systems, processes and controls.
  • A requirement for the organisation to implement a risk management and compliance program once the report is received.

The date for the case management hearing is yet to be scheduled by the Court. But if the organisation is found liable, you can be sure the resulting penalty will prompt a sharp intake of breath (and perhaps a few tears) when announced. And the fallout from the loss of customer loyalty could be even more devastating.

So, if you’re not yet sitting up and taking notice of how you manage your cybersecurity risk by now, perhaps you should be. Because if it can happen to them, it can happen to you.

Can you recover? (Clue: Preparation, not cure)

Now, we sincerely hope you won’t ever be impacted by a cyberattack. But the sad statistical reality is that you are more than likely to be.

The World Economic Forum currently ranks cybersecurity failure among the top ten global risks by likelihood. Frighteningly, if you are a small business, roughly one in eight of you will never recover from a serious attack. All of which makes cyber resilience and recovery a board-level priority, alongside business continuity.

In its Annual Cyber Threat Report 2020-21, the Australian Cyber Security Centre (ACSC) offered this wise advice: “While the costs of impacts are difficult to quantify, the costs of remediation for a cybercrime or cyber security incident can be far greater than early and ongoing investment in prevention.”

We’d like ACSC to add ‘and cyber resilience’ to the end of that comment.

Your ability to be cyber resilient and recover to a business-as-usual state as quickly as possible is as essential as having the right cyber security solutions in place. It must be said, ASIC is also a big advocate of this approach, freely providing excellent information on good cyber resilience practices.

And to clarify up front, remember that cybersecurity and cyber resilience are not the same thing. Cybersecurity is how you protect your systems and data: the processes, business practices and technology controls you put in place to keep attackers out. Cyber resilience is your ability to prepare for, respond to, and recover from a cyberattack, limit its impact on your systems and data, and keep operating during and after it.

Where and why does business continuity come into it?

Having an effective cyber business continuity plan is vital to the ability of your organisation to be cyber resilient. A business continuity plan and cyber resilience don’t work in isolation from one another but walk side by side as a team. Think Batman and Robin.

Your cyber business continuity plan guides you through the practicalities of survival at the moment of impact and gets you out the other side, perhaps a little bruised but alive and kicking, by providing:

  • Clearly defined crisis management roles and responsibilities, so everyone in the organisation knows exactly what they have to do and can simply get on with it, like a well-practised fire drill.
  • A detailed IT security crisis communication plan and processes that set out all reactive measures and control efforts, so you never have to second-guess ‘what next?’.
  • The incident response actions needed to keep your data safe (and to make sure you don't accidentally open your business up to a data breach while distracted by a disruption).
  • An up-to-date inventory of all IT-dependent applications, such as your website and intranet, social media accounts, shared drives and collaboration platforms, and all your IT assets.
  • And lastly, those all-important how-to instructions for secure access, security workarounds, and fail-safe backup systems that ensure you can keep working throughout the disruption. Test these before you need them: a backup that has never been restored is an assumption, not a plan.

Reducing the burden of risk management

As the cost and frequency of data breaches continue to rise, maintaining a tight focus on cyber resilience and business continuity is key to survival and ensuring legal compliance.

We believe that although the deluge of cybercrime can appear daunting, with robust, intelligent cybersecurity solutions and a top-down cyber resilience strategy, we can all hold our own.

DRaaS is a Business Growth Strategy

Transformational changes, like those we experienced in 2020, bring challenges and unforeseen business opportunities. Improving enterprises' growth opportunities and ensuring business continuity are two areas where the cloud plays a vital role. Organizations that embrace the cloud become asset-light entities that are agile, more competitive and focused on growing their businesses. Cloud-based disaster recovery as a service (DRaaS) is the foundation of a sound business continuity strategy that keeps the company running, even in the aftermath of a disruptive event.

Enterprises with mature cloud adoption improved business resiliency and reliability, reducing downtime by 58% and monthly critical incidents by 55% after cloud migration. [1]

Ride the waves?

It is always more prudent to ride the waves of change than to fight them. New trends, including SaaS and IoT, have shifted enterprise data to the edge and the cloud. A recent IDC report found that only 30% of stored data now lives in internal data centers, so it makes sense to have your backup applications near your data, in the cloud. [2]

Rising cyberthreats are a constant reminder and motivator for moving corporate data to the cloud to be better protected. Business continuity requires air-gapped backup copies that are readily available in the event of a disruption. In a cloud service, that air gap is logical rather than physical: the backup copy must be immutable for its retention period and reachable only with credentials that are separate from your production environment. A replication target that a production administrator can log in to and delete is not air-gapped, because an attacker who takes over that administrator's account can delete it too. Done properly, DRaaS is the wise option for a full recovery with the lowest downtime.

Gartner predicted that cyberattacks would impact one organization every 11 seconds by the end of 2021. Aside from being costly, breaches damage an organization's reputation and cause loss of customers and trust. Cyberattacks tend to have a long tail, and their impact on enterprises lasts for years. [3]

DRaaS makes good business sense?

DRaaS is the most valuable business insurance policy you can buy. Its value is rarely appreciated until you need it, and it turns out businesses need disaster recovery a lot: Gartner reports that 76% of organizations had at least one incident in the past two years that required invoking an IT DR plan. [4] Let's look at some of the business benefits of DRaaS:

  • Budget-friendly OpEx. The cloud model is a utility consumption model where you pay for what you use. It removes the expensive upfront CapEx of a standby site and makes regular DR testing cheap enough to actually do.
  • Frees scarce IT resources. DRaaS frees IT teams to focus on more valuable business initiatives.
  • Maintains business continuity. Cloud-based backups held as immutable copies, with access controls separate from production, are beyond the reach of an attacker who has compromised your primary environment, ensuring business continuity with the least disruption.
  • Data protection. Cyberthreats are a constant danger that demands resources beyond many IT teams' capacity. About 81% of organizations consider security their top cloud challenge. [5]
  • Continuous compliance. DRaaS enables enterprises to respond to audits and demonstrate compliance with proper reporting and documentation, including records of completed recovery tests.


Sources:

  1. McKinsey Digital, February 2021. “Cloud's trillion-dollar prize is up for grabs.”
  2. Seagate, 2021. “Rethink Data: Put More of Your Business Data to Work, from Edge to Cloud.”
  3. Gartner, December 2020. “How to Cut Costs for Backup and Recovery Software, Now and in the Future.”
  4. Gartner, April 2020. “Survey Analysis: IT Disaster Recovery Trends and Benchmarks.”
  5. Flexera, 2021. “Flexera 2021 State of the Cloud.”

Global Storage achieves Australian first with VMware disaster recovery as-a-service certification

Providing Flexible and Intelligent Cloud Solutions for Data Protection and Business Continuity

FOR IMMEDIATE RELEASE –

Global Storage is pleased to announce that it is the first Australian partner to have achieved the VMware Disaster Recovery as-a-Service certification, and one of only six partners with this certification across Asia Pacific.

Gavin Hoffmann, Director of Sales and Marketing, says: ‘This recognition from VMware really highlights our commitment to providing exceptional disaster recovery services to our clients. We're thrilled that we can showcase our skills and be the leader in ANZ for the development of these services in partnership with VMware.’

As digital transformation initiatives and cloud adoption continue to accelerate, the need for business continuity, data protection and data management has never been greater. The need to rein in data sprawl and extract business value matches the enterprise's quest for visibility and insight, and its desire to lower capital expenditure and cloud operating costs.

The new certification allows Global Storage to provide services enabling clients to replicate their data and virtual infrastructure to Global Storage cloud environments. The DRaaS model eliminates costly capital expenses and frees IT from spending valuable time on lengthy planning, acquisition, deployment and management cycles for business continuity.

“We are excited with Global Storage's introduction of our VMware DRaaS solution to the many new markets served by our partner of many years. The combination of our leading solution and Global Storage's market deep knowledge and innovative services offer reliable customer solutions and dependable local services backed by local expertise,” said Guy Bartram, Director of Product Marketing at VMware, Inc.

https://cloud.vmware.com/providers/draas-powered

About Global Storage

We go where the data is and deliver a comprehensive suite of enterprise cloud services for computing, backup, disaster recovery, storage, and regulatory compliance. With over two decades of data management experience, the Global Storage team is uniquely qualified to help companies of all sizes realize agility, efficiency and intelligent data management across diverse cloud environments.

Formed in 1997, we have 50+ staff across our branches in Melbourne (head office), Sydney, and Brisbane, and our satellite offices in the US. In 2021, Global Storage achieved ISO 27001 Certification through BSI Global.

© 2021 Global Storage. All rights reserved. Privacy Policy Terms of Service