In 2013, small businesses are expected to double or even triple their use of cloud applications.
There are many advantages to embracing this relatively new technology. The cloud helps small businesses expand their reach and allows smaller businesses to reduce the IT pressure on their employees without sacrificing close connections to customers and business partners.
However, even though IT functions may be taking place in the cloud, security can’t be outsourced. It’s always the responsibility of the business. If the business needs to comply with regulations like HIPAA or PCI and data is breached in the cloud, the company will be held responsible, not the cloud vendor.
There are a lot of things to consider when partnering with any kind of vendor. Price, business expertise, and availability are common concerns, but too often these business concerns trump security during the evaluation process. This is why every business needs to pay attention to security when selecting cloud vendors. Here are five tips that can help make sure the cloud vendor selected matches business requirements.
Elizabeth Ireland, vice president of marketing for nCircle, offers these tips on what security considerations should go into the decision process:
Ask detailed questions about the security technologies utilized by the cloud vendor: A small business’s security is weakened if their cloud vendor does not use up-to-date technology. When evaluating a potential vendor, be sure to ask comprehensive security questions such as:
- Does the cloud vendor scan email gateways and servers for email-borne malware?
- Does the cloud vendor use antivirus and anti-spyware protection on Windows desktops and servers?
- Has the cloud vendor implemented full disk encryption for information technology assets used to send or store sensitive company information?
Small businesses should make sure they are just as confident about their cloud vendor’s security technology as they are about their own.
Understand exactly what kind of security is provided by the cloud vendor: According to a recent study, only 13% of business executives considered information security and privacy when evaluating potential business partners. Depending on the information the cloud vendor is handling, the impact of a breach can be disastrous for smaller businesses. A recent National Cyber Security Alliance (NCSA) and Symantec study revealed 60% of SMBs close within 6 months after a successful cyber-attack. Understanding the security provided by the cloud vendor is a crucial step in deciding how to safely outsource any business function to the cloud.
Understand how sensitive data will be handled in the cloud: Small business professionals should always ask potential vendors how sensitive data is transmitted and stored. Only 47% of SMB IT professionals ask vendors and partners about their security processes before sharing confidential business information, a mistake that leaves them vulnerable to data theft.
Limit security exposure for customer data the cloud vendor will have access to: Customer data is the lifeblood of every business and should always be handled with extra care, but 61% of SMB respondents said they share customer data with vendors and partners electronically. If this data is compromised, even if the compromise occurs at a vendor or partner’s business, the impact to small businesses can be devastating. To limit exposure, cloud vendors should be required to encrypt sensitive data, such as customer information. If the vendor doesn’t provide this service, small businesses must be prepared to encrypt the data before the cloud vendor gains access to it.
Understand the security procedures of the cloud vendor: Last August, Wired’s Mat Honan was hacked because Apple and Amazon had different views on what constituted “confidential information.” While this particular misunderstanding isn’t something small businesses grapple with, it illustrates the potential for confusion if the definition of confidential information isn’t clear. Ask prospective vendors detailed questions such as:
- Does the cloud vendor have a dedicated security function with clearly defined, regularly reviewed roles and responsibilities?
- Does the cloud vendor have a patch management process for all platforms and operating systems?
- Are employees and contractors for the cloud vendor required to attend annual information security awareness training?
Every cloud vendor relationship should be characterized by clear communication and significant security due diligence. Smaller businesses that take the time to carefully evaluate cloud vendor security risks will make better choices and dramatically decrease their security risks.
Ireland adds: “Small businesses are embracing cloud technologies and applications to take advantage of the economies and business benefits. At the same time, they need to embrace what larger organizations know already—cloud security can’t be overlooked because the results can be devastating. The good news is that a little extra research can make a huge difference in risk, and you don’t have to be a security expert to make the right choice.”