Small and medium-sized businesses are increasingly turning to offsite computer services for their IT needs.  Utilization of the so-called “cloud” for both file storage and backup, as well as for web-based software (also know as software as a service or SaaS), is growing because cloud vendors offer computing environments that are cost effective, continually updated, and require virtually no maintenance on the client’s part.

The cloud can be dangerous

While the cloud offers some substantial advantages over handling computer services in house, it also is rife with potential dangers.  First, the cloud is becoming a more popular target for cyber criminals as the valuable data it contains grows.  “The cloud is a big pond full of fish, because a lot of data is aggregated in one place,” explains Allen Cross, a Senior Risk Consultant at INSUREtrust.  “Clouds are gold mines for cyber crooks.”

There is even the risk that individual cloud vendor employees might cooperate with hackers because of the potential payoff, according to a Computerworld article on the perils of the cloud.

Second, if a hacker breaks into one company’s data stored on a particular cloud provider’s servers, then he can likely get to other companies’ data stored on those same servers.  Plus, if the bad guys use a virus to infiltrate the servers, the virus could spread across companies.  It is akin to you going to the doctor for a routine checkup, but while you are in the waiting room you catch the flu from a fellow patient.

Third, transmission of data back and forth between the cloud and the business can often be intercepted.  If data is unencrypted or otherwise unsecured, it is an easy target for cyber theft.

Carefully choose what data you send to the cloud

Do all these risks (and others we haven’t even mentioned) mean that businesses should flee the cloud?  Not necessarily.  But you should think twice before handing over your highly sensitive data to a cloud service provider.  Advice offered in a CFO Magazine article includes keeping intellectual property and research and development files in your own servers.

One of the most difficult aspects of cloud computing is that you frequently don’t know with whom you are really doing business.  The cloud is inherently remote, which gives cloud vendors a level of secrecy and isolation.  You might think your data will be stored in a proverbial four-star resort, when in fact it will reside in a seedy motel in a part of town you would never visit at night.

Ask tough questions of cloud service providers

So, before venturing into the cloud, businesses need to ask some tough questions of potential cloud vendors:

  • What kind of physical security do you have around the servers?
  • What country are your servers located in?
  • What kind of digital security do you have in place?
  • How is my data transmitted to and from your servers?
  • Do you own or rent your servers?
  • Do you subcontract your work to other cloud vendors?
  • Can you offer references?

Moving data to the cloud does not eliminate your cyber liability

If you think the cloud might be in your firm’s future, Cross recommends that you request from the potential cloud service provider a copy of its certificates of insurance and that you “ask to be included, if possible, on the cloud vendor’s insurance policy as an additional insured party.”

It’s important to remember that even if you do everything right, experts generally agree that at some point your data will still be compromised.  When that happens, and regardless of whether you have outsourced storage to a cloud vendor, your firm is the owner of the data and ultimately holds the liability.  You cannot pass off legal responsibility for data to a cloud service provider.

To learn more about vendor management, we recommend you read our article on how vendors increase your company’s cyber risk.

You need Internet insurance

It’s clear that in order to protect your firm, you need to obtain Internet insurance, also known as cyber insurance.  Many business executives are unfamiliar with the potential liabilities their firms incur by operating in the digital world, and the protection Internet insurance can offer.  And, navigating the complexities of coverage can be daunting.  Our Cyber Insurance Basics web page is a good place to start the learning process.