'Catastrophic' cloud outages are keeping IT leaders up at night – is it time for businesses to rethink dependence?

IT leaders in the UK have voiced concerns about their organization’s exposure to cloud outages as the costs of downtime continue to mount.

With major IT incidents shutting down millions of business services and applications around the world each year, it may be time organizations rethink their cloud strategy and the service providers their business depends on.

A joint survey commissioned by HPE and digital transformation firm Auxilion spoke to 100 IT decision makers in enterprises with over 250 employees across the UK.

Almost three quarters (73%) of the respondents said they were worried about cloud security threats over the next 12 months. 

In addition, 72% of these business leaders who are currently using the cloud said a potential cloud outage would be “catastrophic” for their organization.

Research indicates executives are right to be concerned about outages shuttering their business operations. For example, Oxford Economics calculated that downtime costs Global 2000 companies $400 billion each year, with each hour costing the business an average of $540,000. 

Breaking down the direct costs associated with downtime, Splunk’s Cost of Downtime report found that businesses suffered an average of $49 million in lost revenue, $22 million in regulatory fines, $16 million in SLA penalties, and $14 million in legal costs.

The costs don’t stop there, however. The indirect costs linked to rebuilding trust in your enterprise ($27 million), lost productivity ($12 million), overtime wages ($11 million), and increased cyber insurance premiums ($10 million) all add to the pain businesses endure when their systems go offline.

The vast majority of businesses need to be aware of the potential damage an outage could incur, with the great cloud transition all but complete in the UK, as 90% of respondents reported their organization used cloud technologies.

Despite their understandable concerns, business appetite for the cloud remains strong, with 88% of IT decision makers claiming they intend on migrating more infrastructure and applications over the course of the next year.

Cloud outages hit hardest when relying on a single vendor

With a series of high-profile IT outages causing chaos around the world, is it time for technology leaders to rethink their cloud strategies and evaluate who they are dependent on?

Speaking to ITPro, Jamil Ahmed, distinguished engineer at middleware specialist Solace, said outages are an inevitability when it comes to any technology and as a result businesses need to diversify their cloud portfolio between multiple service providers. 

“Even as cloud technology evolves, failures within the system will inevitably happen. ‘One-of-a-kind’, extremely rare outages or issues continue to plague every service provider from time to time, which is why the need to store valuable information on multiple provider services, known as an event mesh, have arisen.”

Ahmed added that it's inexcusable for businesses to be reliant on a single cloud provider, stating any organization that does so is being “demonstrably dangerous and negligent”.

“From a business perspective, there are no excuses [for] having a single cloud provider. It's multi-cloud all the way, treating cloud as commoditised compute, not building apps and services that are tied to knowing what cloud they're in,” he argued.

“Unfortunately, when businesses first introduced the cloud into their strategy, about 10 years ago, they made multi-provider usage a problem to solve later on. It is now 'later on,' and the strategy of using one cloud service is demonstrably dangerous and negligent. Anyone adopting cloud without thought for multi-cloud on day 1, should opt into an event mesh system or be fearful for that next "extremely rare" event.”

But managing multiple cloud environments introduces added complexity for IT workers to contend with, Guy Warren, CEO at ITRS, told ITPro. Warren said most businesses already use more than one cloud platform, but this makes it more difficult to keep on top of the integrity of each environment.

“The vast majority (93%) of businesses use more than one cloud platform, meaning many may suffer from multi-cloud complexity. This makes it harder to have complete visibility across all platforms, increasing the risk of misconfigurations and vulnerability exposure,” he explained.

“The implementation of monitoring tools is essential for firms managing hybrid cloud environments. This gives firms full visibility over their entire IT infrastructure, enabling them to manage multiple clouds through a single pane of glass. Not only does this help firms detect incidents faster, but also improves operational efficiency, cost savings and time.”

Firms need clarity from cloud providers about what aspects of security they are responsible for

Warren noted that IT leaders need to reevaluate where they see the biggest threat to their organization, suggesting that external threats draw internal resources away from addressing potential risks inside the company.

“When it comes to cloud technology, it’s a common misconception that external threats pose the greatest risk, often causing internal sources of vulnerability to be overlooked” he said.

“In fact, the most common vulnerabilities come from when firms make changes to their IT systems. For businesses looking to scale up, we recommend that they implement products and systems that can also scale in line with company growth.”

But maintaining strong cyber defenses are still critical, Warren added, stating that firms need to be clear with their cloud vendor about who is responsible for what parts of their environments' cyber posture.

“That said, businesses do also need to make sure they have stringent plans in place should a malicious attack occur. Despite the importance [of] planning for all eventualities, 84% of UK IT leaders admit that they are unsure as to whether cloud security is their responsibility or that of the cloud service provider,” he said.

“Firms should make sure that they have a clearly defined responsibility model so they can adopt a coordinated response against vulnerabilities. This means should an incident occur, they can take the necessary steps to mitigate its impact more effectively.”