Availability – The Forgotten Stepchild of Cybersecurity

On an early Monday in the Lock-down process for the UK, many companies settled their staff into the comfort of their homes and logged into Corporate services to test their networks. Some of those using collaboration tools from Office365 were greeted with the message “We’re investigating problems in Microsoft Teams…”. A truly unfortunate start to the experience.

Cybersecurity is often referred to as a triad of Confidentiality, Integrity, and Availability. Many Cloud services providers will focus on the security measures (read Confidentiality) and the integrity of their data transmitting over secure tunnels between Companies, Servers, Users and Clients. However, what happens to availability? For many in the financial services, a service credit won’t recoup the costs of when an outage hits during an important part of the day. So what is a company to do? Or as Alexander Fitzgerald wrote in a recent “Bob’s Guide” article “what happens when it all goes down?”.

Availability should be a core competency for any business that has learned the benefits of using public cloud services. Comprehension of what exactly that outage could look like with Risk Assessments can prove vital in highlighting the risks that lay in putting unconditional trust into a Cloud provider. What’s more, the deployment choices of a public cloud are critical to ensuring it meets your acceptable risk levels. The depth and complexity of Office365 is ever increasing at a rapid development pace. Performing an independent evaluation of your Cloud Configuration is again, so important to the health and availability of those services, especially as estimations are now up to 95% of Cloud Failures are likely to be the customers fault.

Beyond all measures the inevitable will still happen, an outage will hit at the worst moment and your preparedness will show through. Carefully crafted Business Continuity Planning and Incidence Response Plans should allow each department to follow their workflows in a predetermined amount of time. Alternative technologies should be available; avoiding “Shadow IT” within pockets of Staff solving their own problems with software and services outside the scope supplied by the Business and their Data Controls.

In today’s world, availability cannot just be considered ‘backups’ of data. We need to have considerations of business communications, applications, public web-portals, etc. Now we must look at the availability of home services too. Risk likelihood has changed and plans need to be updated to accommodate those.