Cloud use matures but guardrails still missing


Munir Kotadia
Contributor

The use of cloud is maturing, and Australian businesses are adopting a diverse range of cloud-based technologies. But too many companies are deploying new technology without setting guardrails, and global regulators are desperately trying to plug gaps in cybersecurity. 

The top priority for Australian businesses this year is growth, with companies hoping to create a competitive advantage using cloud, AI and SaaS, according to Datacom’s 5th Annual Cloud Report.

The report found that with technologies evolving so quickly, combined with the long-term shortage of technical expertise, too many companies are struggling to complete the planning and governance steps required to maximise the success of large IT projects.  

Security, AI and application modernisation are dominating IT budgets as companies strive to be more efficient, boost productivity and attract new customers. AI can be a game changer and generate great value, but Mike Walls, director – Cloud, Datacom, warns that if AI is incorrectly implemented, it could be a disaster.

Datacom cloud director Mike Walls

“There are many benefits but also risks with AI if not adopted well and companies need to be hands on with their data — they need to know exactly where the data resides, who has access to it, for how long, and how that data is being used,” Mr Walls said. 

Due to AI security concerns, more than half of respondents are choosing a private cloud as a manageable and contained environment for AI at this time. The report found that 40 per cent of companies are going to spend more on cloud in the next 12 months than they did in the previous year.  

More applications are being modernised, with fewer than 15 per cent of companies simply duplicating workloads from on-premises to cloud. More effort is being put into improving business agility, leveraging cloud native, and enabling easy scaling, with 45 per cent choosing to re-platform or refactor applications. Companies are also getting better at using the most appropriate technology for their workloads — whether that be on-premises, private or public cloud — and settling on a hybrid cloud strategy. 

SaaS and cloud require careful governance  

The survey found that only about half of respondents had a cloud policy, and even fewer, 33 per cent, had a hybrid-cloud policy. Before deploying a SaaS platform, Mr Walls says it's vital companies have a complete understanding of the potential risks and can create a suitable cloud policy that includes implementing best-practice security standards.

One of the biggest advantages of SaaS is also a potential vulnerability — the ease with which applications can be purchased and deployed. “It’s a challenge because some business users will procure a SaaS platform to solve a specific need and don’t have IT be involved,” Mr Walls said. “Any policy or procedures are circumnavigated because they want the system working now, and that’s understandable, but it can cause issues.” 

SaaS misconfigurations are common, and they not only threaten the company’s security and reputation, but also that of its partners. For example, someone in a marketing department might use a modern CRM app to create a customer-facing web page for a partner-promotion or competition. Unless a policy dictates the correct security options to ensure content uploaded externally resides in a storage area that is secure and scanned for threats, that seemingly innocent project opens a potentially serious vulnerability.  

“SaaS is really convenient, but it can open up vulnerabilities,” Walls said. “Companies need to ensure they have laid out a SaaS management strategy and have the basic access controls and security policies, including data governance, account management, single sign on, MFA, and password best practices as well as having a business continuity plan, which is often forgotten.”

Lack of policy and governance can also lead to surprise cloud expenditure. Workloads have different priorities and risk profiles, and using an inappropriate cloud service for a workload can result in unexpected bills and/or unexpected performance. This is where FinOps practices and automation workflows need to play a big part in cloud governance. 

Tougher security regulations expected 

Despite cybersecurity being such a high priority, fewer than 20 per cent of respondents identified as having “sufficient budget investment” while nearly 50 per cent of respondents do not have a cloud security strategy. The latest figures from the Office of the Australian Information Commissioner (OAIC) show data breach notifications at their highest levels since the pandemic.  

In early October, the federal government created its first standalone Cybersecurity Act to provide a clear legislative framework that improves security for critical infrastructure and various other businesses as part of its long-term cybersecurity strategy.

Regulators globally are also trying to keep up with technology. Just this month, the EU started fully enforcing its NIS2 Directive for cybersecurity resilience, which sets minimum standards for industry verticals, including manufacturing, social networks, banking and other critical services.  

In the US, New York State this year further updated its already strict NYDFS regulations for the financial sector. As well as a minimum encryption and passwords policy, it requires companies to regularly conduct employee cyber security training to ensure all staff are aware of common threats. Non-compliance could result in multi-million-dollar fines, and the CEO could be held directly responsible. 

“The industry is more mature in the US and it takes time for laws to follow, but even so it’s a worry that many Australian companies don’t have the necessary budget or strategies in place,” Mr Walls said. “New laws can build awareness of emerging threats, provide guidance and improve protection but it’s challenging to try and balance the risk between securing and stifling innovation which is where these strategies need to play a part.” 

Before making any technology investment, it is vital companies have technical partners that can help their organisation easily adapt to the evolving ICT landscape, and remain compliant with its fast-paced governance requirements. 

This article was produced by InnovationAus.com in partnership with Datacom.
