There are many advantages for businesses of all sizes to migrate applications to the cloud:
- Accessibility – anyone with a web browser and authorization can access information from anywhere, anytime, with any device.
- Flexibility – cloud providers furnish the computing power, and in some cases the applications businesses need for conducting business.
- Growth potential – as more computer power or storage space is needed, it’s extremely easy to add resources.
- Cost control – in a cloud environment, cost is typically an operating expense, as opposed to requesting capital repeatedly to upgrade infrastructure and add capacity.
- Cost avoidance – internal IT staff requirements are lowered through leveraging the technical resources of the cloud provider.
With all these advantages, what might be the concern with moving to the cloud?
In a nutshell – security. With the many significant instances of data theft, internal leaks of information, and the myriad legislation that has been enacted in recent months, it becomes a major concern for businesses to ensure their data is protected from hackers and would-be cybercriminals.
Is the Cloud Hack Proof?
Every reputable cloud service provider has at least a reasonable level of security inherent in their infrastructure and operating environment. Even so, most will certainly not make any statement that they are virtually impenetrable from attacks by determined hackers or cyber thieves.
Cybersecurity has become a major concern for even the most secure data center or cloud provider. Proper education in use of passwords, top-level commitment to security procedures, and building security into application design are now forefront in the mindset of board-level executives and IT management.
Yet we hear all too often of new attacks and data breaches where confidential consumer information or company assets are compromised where businesses – even government agencies – were confident they had more than adequate hack protection in place.
Do You Really Need to be Concerned?
Every business strives to maintain safe data:
- Customer and employee confidential information
- Financial information
- Mission-critical database applications
- Medical records
Much of this information is critical to business continuity and sustainability. Reports indicate that the average data breach generates an expense to the impacted business of $7 million. Beyond the cost of the breach, there are many other potential losses:
- Lost customers – if customers don’t trust you to keep their data safe, they will go elsewhere.
- Business disruption – lost productivity
- Fines – where regulatory issues are involved, fines could be levied against your business
- Financial losses – if hackers obtain your bank accounts or other financial records, they could wire money to their own accounts that are not retrievable
- Legal costs – some companies with large data breaches were hammered with class action lawsuits
- Public opinion – lack of confidence could even result in stock devaluation and distrust by investors
These are only some of the negative impacts when a business falls victim to hackers or even unauthorized internal access to confidential information.
So How Do You Ensure Safe Data?
Moving to the cloud is an attractive business proposition, and companies of all sizes are migrating a great deal of their computing power out of the corporate data center and into the hands of trusted service providers.
There are several steps any business should take in evaluating potential cloud providers:
Due Diligence
- Evaluate the types of data to be housed in the cloud, including business owner identification of what constitutes critical or confidential information.
- Determine with prospective vendors what level of security is in place to keep your data safe: encryption, physical security, staff screening and bonding.
- What protection is in place for detecting cyber threats or potential intrusions? Do they have documented procedures on how such attacks are to be remediated?
- Is there a well-documented disaster recovery/backup plan? If so, is it tested regularly?
- Where will your data be housed? If off-shore, are there legal implications or regulations that impact your business?
Review Contracts Carefully
- Is the provider’s liability limited, or are they accountable for any costs from data loss or damage?
- Are there any subcontractors involved that will have access to your information? Do all terms of the contract and accountability apply equally to such personnel?
- Ensure that all security requirements are included and spelled out in detail in the contract.
- Include your right to audit security practices periodically, to ensure your expectations are being adhered to.
- Be certain that any existing regulatory requirements are addressed in the contract, including compliance issues such as HIPAA and PCI.
Insurance is a Key Factor
- Is the provider insured against data breach losses?
- Does the vendor’s insurance cover any costs your business incurs?
- Even if the vendor has such insurance (and they should), be certain that the coverage includes expenses for your own losses, not the provider’s costs. If that’s not the case, it will be a must to acquire insurance to pay for insured privacy on your own behalf.
- Make sure you have enough insurance to cover your risk tolerance from hackers or cyber thieves. You will probably want to consult with experts in risk management to determine the appropriate amount of insurance to carry.
Security breach insurance is unique from the standpoint that such breaches could be ongoing for a period of time before they are detected. Include retroactive coverage that covers expenses from the onset of the breach.
Consulting with insurance representatives well-versed in data breach security will be essential in providing the coverage you need to mitigate losses as a result of cyber attacks.