Cloud Security Perspectives and Insights

To act or to be hacked, that is the $10B question

Enguerrand Blanchy
Head of APAC Cloud Technology

With data breaches making the front pages several times per month, cybersecurity is finally getting the attention of the board. PwC Australia, in a recent survey of Australia’s CEOs, reports that "85% pointed to cyber security as a greater threat to growth than any other concerns, including uncertain economic growth, regulatory burdens and the availability of key skills in the workforce".

Do you know how many times your personal data has been breached?

The OAIC says a data breach occurs "when personal information is accessed, disclosed without authorisation or is lost".

Given the volume of data we consume and exchange every day with dozens of digital services, there are many possibilities for data to be "accessed" or "disclosed" without our authorisation.

As an individual your personal email address is often your default login for many online services. In a click you can check if your own email addresses are among the more than 9 billion compromised accounts identified so far by haveibeenpwned ... and this will only show you the tip of the data breach iceberg!

It will get worse before it gets better...

After you've read retrospectives for 2019 or the past decade you're probably thinking "chances are high that some of my personal data has been in the wrong hands, somewhere, for some time". If you are lucky it is just your name and email address. If you are less lucky it could be your current credit card, medical data, fingerprints, even your whole country's tax information with name, address, revenue and which vehicle you drive!

As we continue to move so much of our life and business activities into the digital space, we continuously expand our attack surface in the process, and we know that our daily web interactions and activity are shared with hundreds of organisations every single time we surf the web.

We collectively fail to grasp the complexity of threats to our digital lives and assets, such as the hybrid warfare being played in the background.

What if the risk of doing nothing could cost $10 Billion?

In 2017, highly sensitive personal and financial information on around 148 million customers (44% of the US population) was breached at Equifax. Equifax could end up paying as much as $9.5bn based on the recent settlement. The hackers exploited a vulnerability for which a patch had been available for at least 2 months.

In June 2017 the NotPetya ransomware resulted in more than $10 Billion of damages to global businesses according to a White House assessment quoted by Wired. The patch had been available for 3 months.

Over the past 5 years, the FBI Internet Crime Complaint Center (IC3) received 1.7m complaints resulting in more than $10 Billion total losses ($3.5B just for 2019): "The most prevalent crime types reported in 2019 were Phishing/Vishing/Smishing/Pharming, Non-Payment/Non-Delivery, Extortion, and Personal Data Breach. The top three crime types with the highest reported losses were BEC (Business Email Compromise), Confidence/Romance Fraud, and Spoofing." We discussed the still relatively high success of phishing campaigns in my previous article.

When some or all of your credentials and data are compromised, lost, or held to ransom, you put at risk your company's privacy, finance, jobs, reputation, and potentially even lives of your employees, customers and citizens. Many of the most impactful cybersecurity events over the past 3 years exploited vulnerabilities with an existing patch (how fast can you patch?), while others leveraged social engineering and phishing (which users should you trust?) and more advanced computer intrusion techniques (how secure are your IT systems?).

As an organisation, what could you do to improve your security posture?

The public cloud is a model that allows you to shift some or most of security management responsibilities to your cloud service provider, depending on the service model you choose: IaaS, PaaS or SaaS. The cloud allows you to focus on your core business rather than fighting for a limited pool of cybersecurity talent. The key is to identify tier 1 cloud service providers which actually put security at the core of everything they offer.

While you can improve many aspects of your IT security by moving to the cloud, let's talk about 3 areas that should improve after you have moved to the cloud:

  1. The cloud should offer automated patching at speed and at scale, mitigating the risk of data breaches due to unpatched vulnerabilities. "In 85% of the cases where a breach occurred, there was a patch that was already available for that breach up to a year before it happened" (Steve Daheb, SVP Oracle Cloud, OOW London 2020). That's unacceptable when consequences are measured in billions of dollars of loss. Did you know that when the Spectre and Meltdown bugs afflicted Intel processors, online patching averted downtime for Oracle customers by applying 150 million fixes across 1.5 million computer cores in just 4 hours? That's what Oracle means by speed and scale.
  2. The cloud should accelerate your journey towards Zero Trust. With so many phishing and social engineering activities, you can't trust any user anymore, wherever they come from (inside or outside your network, on prem or off prem)... you need a Zero Trust approach to identity and access management. Read what that means for Oracle SaaS in this article.
  3. The cloud should implement Security by Design. When you start your journey with the very latest cloud infrastructure in the market, like Oracle Cloud Infrastructure with its network isolation and its self-securing autonomous database, you get a competitive advantage. Check out this infographic for a quick overview.

I welcome any feedback, likes and reposts, and opportunities to discuss live what this topic means for your organisation.


Enguerrand (Engy) Blanchy, Head of APAC Cloud Technology

Engy and his team help Oracle’s largest and most regulated customers across APAC understand how Oracle operates and secures its market leading SaaS applications. Previously Engy was heading Accenture’s Cloud Strategy practice in ANZ. Engy spent nearly 20 years in various technology consulting roles in France and Australia, including cloud product offer development and go-to-market, cloud sales enablement and IT transformation delivery.
