[Column] Takalane Khashane: What companies need to know about prioritising information security in the cloud age
Every business today needs to manage, retain and secure an exponentially growing volume of data. And in an age where the cloud and connected devices allow people to connect with each other and business resources – data, documents, databases, networks and systems – that they need from anywhere and at any time, cloud services bring significant business value.
The cloud allows businesses to rapidly store, analyse and act on large amounts of data and insights – which in turn accelerates innovation, agility and competitiveness. These benefits are driving the continued growth in the adoption of cloud computing.
Africa’s cloud computing and data centre industries are growing: hyperscalers are already operating major data centres on the continent, and a study by Xalam Analytics showed that the colocation market is forecast to grow by a further 25% by the end of this year. This is backed up by the Cloud in Africa 2023 study by World Wide Worx, which found that 69% of African enterprises plan to increase investment in cloud and colocation services in 2023.
However, with great convenience, flexibility, resilience, scalability, continuity and business efficiency comes other implications – the most pressing of which is information security. While the World Wide Worx research found that over half – 56% – of IT decision makers cited improved security as the single biggest benefit of making the move to the cloud, the reality remains that the value of the data being generated and stored by organisations makes it a prime target.
A key concern for business leaders
Information security is now one of the biggest challenges and key concerns business leaders have. Research found that over 50% of IT decision makers across South Africa, Kenya and Zimbabwe regard data loss, recovery and lack of security controls as their most significant concerns.
Businesses from across different sectors – including financial services, healthcare and the public sector – all face emerging data risks because of the highly sensitive and valuable nature of the data they handle, process and store. A recent IBM report, for instance, found that 83% of organisations studied have had more than one data breach – and that the average cost of a breach continues to rise exponentially, reaching a record high in 2022. Healthcare is the hardest hit, with the average cost of a breach standing at over $10 million per incident.
The biggest threat has also been found to come from within the organisation. Iron Mountain research found that the biggest threat typically comes from within the organisation, from employees who are not malicious but simply looking for easier and more efficient ways to work. It uncovered that 40% of people questioned have fallen victim to a scam or phishing – but that 47% use the same password across multiple platforms (with 23% keeping their password on a note on their desk), 37% use public Wi-Fi to do work, and only 34% see the value in shredding documents.
More clearly needs to be done to better protect and manage data. Organisations can implement robust data management and data protection strategies to suit their specific business and industry needs, as well as improve business resilience and data compliance. They can also manage risk across hybrid teams in a cloud environment and build a resilient business strategy. Some tips are:
- Raise awareness about the issue without playing the blame game: highlight where the biggest risks lie, and flag the importance of behaviour change in addressing the information security challenge. Companies have a critical role to play in providing the tools, training and support to help people recognise and avoid risks, while also updating policies to ensure maximum understanding of, and accountability for, risk management.
- Create a risk-aware culture to build resilience by design: an organisation’s ability to fend off breaches needs to be built-in to every business process and policy. And that starts with shifting the whole organisational mindset around risk management – every employee needs to know that it is a fundamental responsibility. To help them, it is critical to reshape information management policies so that they are well-articulated and apply to office, hybrid and remote workers, as well as vendors and contractors. It is also vital to create a digital and physical archive for data, have a robust programme to dispose of physical documents and IT equipment when it is no longer in use, and ensure full chain of custody throughout all collection, transportation, digitisation and disposition processes. Make sure workflows are built to manage risk, streamline processes to support employees and champion a supportive culture by making training more relevant and engaging.
- Put in place a 3-2-1-1-0 data protection strategy for the worst-case scenario: That means three copies of data on two different media with one copy stored offsite, one stored offline and a no-errors back-up. A 3-2-1-1-0 back-up strategy reduces the impact of a single point of failure, such as a device being stolen or lost, or drive failure.
Information security in a rapidly evolving cloud computing environment is complex – but with the right strategies, processes, policies and partners, business leaders can get the peace of mind that they need.
Takalane Khashane is the Managing Director, of Iron Mountain South Africa.