ARN

How can the channel wake up from cyber fatigue in 2020?

Cyber criminals are ramping up their attacks on the world’s cloud environments and partners are the ones shouldering the burden. But with so much noise about attacks in the IT industry, do customers and partners risk becoming burdened by ‘cyber fatigue’ instead of seeing cloud security as a competitive advantage?
Trevor Clarke (Tech Research Asia)


In July this year, details belonging to 100 million customers of US banking giant Capital One fell into the hands of cyber attackers, and before long, fingers started pointing towards the channel.

After one of the largest data thefts to hit a financial services company, the blame fell not on Amazon Web Services (AWS), which hosted the cloud infrastructure on which the bank's data was held, but on the “external provider” that apparently let it happen.

Once again, concerns over cyber security in the cloud returned to the surface, raising the question of who ultimately bears the burden of responsibility in the event of an attack.

According to Tech Research Asia analyst Trevor Clarke, this responsibility is not necessarily the cloud provider's alone.

“Being able to protect the cloud is still a major challenge,” he said during a recent ARN Exchange. “There’s a perception that it’s the cloud provider’s responsibility. But it’s not and you should always read the small print in the terms and contracts.”

There is no doubt that safeguarding cloud environments is of critical importance for businesses, public institutions and channel partners alike.

As an example, the Capital One breach sent its shares down 5.9 per cent, and that’s just scratching the surface of the issue. High-profile attacks have hit the Federal Parliament and the Commonwealth Games in the last two years, and figures from the Office of the Australian Information Commissioner (OAIC) suggest the number of breaches isn’t falling.

In the last report, covering 1 April to 30 June this year, the OAIC recorded 245 Notifiable Data Breaches (NDB), exactly the same number as 12 months before, year on year.

And customers are not the only ones at risk: “Every day there are really critical breaches coming through,” Clarke added. “And [partners] are the targets today: we have seen this supply chain attack on IT services and IT delivery.

“Executives can lose their jobs for these: they bear the liability for attacks, for the managed services, outsourcing and the projects [they’re] running.”

Yet although this heightened risk should compel partners and customers to ramp up their cyber defences, an unforeseen consequence of this is that organisation leaders are suffering what Clarke calls “cyber fatigue”. And as a result, they have become worryingly complacent towards cyber security -- cloud or otherwise.

“There is just so much noise out there,” he said. “There is all this stuff out there saying you’re going to be attacked by ransomware and too many things coming at you, so you’re just fatigued. Your eyes glaze over.

“We know that executives don’t always get it or understand their risk profile. Or they get it, but they don’t know what to invest.”

From left: Eleanor Dickinson (ARN), Jules Rumsey (CloudPlus), Shane Hoffman (Bitdefender), Trevor Clarke (Tech Research Asia). Credit: Raymond Korn

This complacency is backed up by the OAIC statistics, which highlight how 60 per cent of breaches this last quarter were caused by human error.

Yet this is of course where the channel plays best: educating and explaining to customers exactly where their IT investment is required. But within the realm of cloud security, this is challenging given Australia’s rapid progression into complex, multi- or hybrid cloud environments.

“In Australia, we have moved on from cloud-first,” Clarke said. “We’re adopting hybrid infrastructures and multi-cloud is everything. When you ask a customer what does hybrid IT mean when in fact there is no template for that. We have heterogeneous environments; we’re not just using the services of one person but of many and that makes things much more difficult. We still don’t know what’s in our environments for a lot of companies.”



In addition, partners may think they are providing top-notch managed cloud security for their customers when the chances are their service in fact lags behind that of their nemesis: the hackers themselves.

“Is your service level as good as that of a ransomware attacker?” asked Clarke. “Probably not: the level of service they do is super high and that is a real indictment of our industry.”

These issues may paint a grim picture for the Australian channel’s role in cloud security, but as Clarke suggests, every challenge brings with it an opportunity, and in this space there is no shortage of them. For one thing, a lot of security still sits in-house for customers, so there are opportunities for the channel to take this on. 

Changes to consumer data laws and privacy, including the European Union’s General Data Protection Regulation, have changed the way API services are consumed and the availability of data sets to third parties. “This is a big change in the way we manage our data at home, and it will hit all industries,” explained Clarke. “But there are great opportunities to build services off those as well.”

However, the channel needs to refocus its offerings from just simple defence to something more strategic and holistic around a customer’s overall business. 

“Some of the solutions are like a dog chasing a tail: new threat, new tool,” he said. “We just invest in new stuff and it’s not very proactive: it’s very reactionary and tactical. That to me speaks opportunity to fix that and simplify it, and move much faster.” 

Moreover, the real money for partners lies not just in providing a cloud security solution, but bringing it into a wider framework of growing their customer’s overall business. 

“One of the things we haven’t seen though is how are you going to help me grow my business and that shift in messaging about what my business needs to do,” he explained. “This is old school stuff we used to talk about when we used to sell server boxes. We used to talk about the box and what you do with it but we don’t necessarily talk about that with cyber security today.

“The money doesn’t necessarily live in one place. You shouldn’t just be looking at pure security but at opportunities around product and service development.”

One piece of advice he offers is working with customers -- and indeed other partners -- in workshops to co-create these new products and services. While this to an extent changes that once-sacred role as the ‘trusted advisor’, it does in the long run offer more opportunities for differentiation.

“MSSPs have very similar offerings but now we are seeing this as a standalone business of what everyone is doing today, so it’s now about making that into something that’s more of a digital workplace,” he explained. 

“So do you go to customers with just your typical sales approach or do you go with your design-thinking workshop? Can you adjust from being that single provider to doing ‘sprints’ and will you work well with other providers in the room?”

These will be big questions for the channel and the MSSP community to grapple with this coming year. But one thing is certain, believes Clarke: the threats to and opportunities around cloud environments are not going away.

“The money is there: there is definitely more money going to cloud and cloud security. But is it going to the right places? That’s what partners need to ensure takes place in the future,” he added.