Business Continuity Planning is more important than ever.
Description of the risk
One of the great things about Cloud-based systems (well, the good ones at least) is that they are available and accessible to all your people, from anywhere and all of the time.
One of the terrible things about Cloud-based systems is that they are available and potentially accessible to all people (all people, not just your people), from anywhere and all of the time.
While there are any number of security enhancements that can be employed to assist in the security of Cloud-based systems, the fact is that Cloud-based systems are highly susceptible to security breaches because, by their very nature, they are always available for people (any people from anywhere in the world) to try to log on to.
We say “highly” susceptible based on the recent history of hacks that have happened in Australia and around the world. This year Legrand CRM, Panasonic Australia, Ticketek, Western Sydney University, Monash Health, Clubs NSW, Qantas, Nissan ANZ, Tangerine Telecom, Central Coast Council, Football Australia and Yakult have all been hacked in one way or another … and that’s just in Australia, just in the first six months of 2024 and just listing names of organisations that most people would have heard of (this is far from a comprehensive list). Looking globally, add big names such as Ticketmaster, Cloudflare, JPMorgan Chase, Dell Computers, Microsoft, Dropbox and Bank of America to the list.
A large number, perhaps the majority, of hacks in recent years have eventuated from human error. This is why there is a seemingly never-ending flow of phishing emails, SMS and phone calls aiming to trick people into giving away personal information. Unfortunately, human error invariably bypasses security systems. To use an analogy: if you leave a house key under your front door mat and your child lets his friends know that it’s there, you’ve completely lost control of your home’s security. And make no mistake, when the bad actors work out how best to employ AI, these phishing attempts will become a great deal more difficult to distinguish from legitimate communications.
One of the significant issues with Cloud-based systems is that the people providing that system are just as susceptible to human error as are the rest of us. But, as is the case with most of the aforementioned examples, when the account(s) of the people providing the Cloud-based system are compromised, potentially all of their customers’ systems and data are at risk. It is therefore the case that any business utilising Cloud-based systems is potentially exposed to risks introduced by its own staff (over which it has some control and influence around processes and education) and also to risks introduced by other businesses’ staff (over which it has no control or influence).
What does it mean to me?
If your business is committed to using Cloud-based systems (in many areas it’s becoming increasingly difficult to avoid using them), you would be well served to ensure that you have some degree of control over your data and your business’ successful future. You need to have a Business Continuity Plan that makes allowance for the eventuality where your Cloud-based system provider goes offline. You need to ensure you’ve got appropriately frequent data recovery points that do not rely on the Cloud. You need to expect that someone (your staff or another business’ staff) will fall prey to a phishing attack and, consequently, that your data that resides in the Cloud will be either inaccessible, held for ransom or completely deleted.
As the risks increase, so necessarily do the appropriate protective measures.
Under the Shared Responsibility Model that has been developed and implemented by large Cloud providers such as Microsoft and Google, YOU (not the Cloud provider) are typically responsible for backing up your data. This Model effectively absolves the Cloud provider from any responsibility should YOUR data be lost.
A data backup system forms one small part of the Business Continuity Plan. It is neither the beginning nor the end of that Plan; rather, it is one of many parts, and no one backup system is right for every individual business.
A detailed Plan will help to make obvious which data backup system is most appropriate for your business.
Remex Consulting Pty Limited
Suite 9, Level 1, 14 Narabang Way
Belrose NSW 2085
Copyright © 1997-2024
Telephone: +61 2 9454 7400
Email: webcontact@remex.com.au