Keeping data safe in the cloud
Cloud computing involves storing data offsite, in servers usually owned and operated by a specialist cloud provider, and this is where the risk can lie, because companies are handing their and their clients’ data over to a third-party to manage.
A survey by the Ponemon Institute for IBM shows the average cost of a data breach for an Australian company was $2.6 million, including IT costs to rectify the problem, loss of business and time taken to deal with the breach.
There is also the bad publicity and angry customers which result when consumers’ personal information has been breached.
The good news is there are steps any business can take, firstly to ensure their cloud provider is doing everything it can to protect their data and secondly to ensure that they as a business are also taking all the necessary precautions.
How to choose a cloud provider
It can take time and diligence to choose a cloud provider, but you should consider it a form of insurance, as you are much less likely to suffer data breaches if you make the right choice.
Along with the particular cloud service that will meet your own needs and its price and terms, security should be a top consideration.
You should ask your cloud provider about their security measures and how often they are updated. Measures to look for include firewalls, virus detection, multi-factor authentication (which makes sure only registered users can access the data by requiring them to provide two or more pieces of evidence of their identity), data encryption and routine security audits.
Also ask who in the company will have access to your data and whether the cloud company does employee background checks to weed out potential cybercriminals or identity thieves.
You need to find out where your cloud provider’s data centre is located, both in which country and also in what sort of facility. A cloud storage facility can be a simple as a few servers in somebody’s spare room, so you want to be confident that your data is being stored in a robust facility that is protected from fires and floods and so on, and is also protected from thieves.
Make sure you know what they do if they worst happens and they lose your data. Do they have data redundancies in place – where the same piece of data is stored in two separate places – to mitigate the problem?
You should examine your potential provider’s Service Level Agreement to see how it would address any data losses, such as whether it would provide any compensation.
What businesses can do
The security of your data on the cloud also depends on what you and your staff do.
Many of these tips don’t just apply to the cloud and are things you should be doing anyway as part of your general cybersecurity precautions.
Take care to manage your passwords. Choose a strong and unique password; change it frequently, and do not use it across all of your cloud accounts to ensure that the one password won’t give someone access to everything.
If your cloud service offers two-step verification for logging in, then take advantage of this. For instance, this might involve putting in a password then receiving a code on your mobile phone which you have to enter before you can gain access.
Also, be careful of your online behaviour – don’t stay logged into an account if you are not present and be very careful about unsecured WiFi hotspots in public places. These connections are often unencrypted and can be hacked.
Finally, you should keep your anti-virus and spyware software up to date.
Solicitor Jamie White of Pod Legal says there are several legal considerations for companies which store data in the cloud relating to confidentiality, privacy and security of information. The most relevant of these is contained in the Australian Privacy Principles (APPs).
“APP 8 provides that an APP entity that discloses personal information about an individual to an overseas recipient, must take such steps as are reasonable in the circumstances, to ensure that the overseas recipient does not breach the APPs in relation to the information,” he says.
“The APPs apply to all professions and industries. Further, some professions or industries may have additional obligations imposed upon them under specific regulations. Members of each profession should contact their regulatory body to determine whether or nor any additional obligations are imposed upon them.”
The legal requirements apply only to businesses with an annual turnover of $3 million, but a wide range of businesses are subject to the Privacy Act regardless of turnover, including healthcare providers, gyms and schools, to name a few. It is a good idea to check and see whether the Act applies to your business.
Those which are subject to the Privacy Act should do three things:
- Take reasonable steps to ensure that any overseas entity that it discloses personal information to does not breach the APPs in relation to the information provided,
- Prepare and implement a data breach policy and response plan, including notifying affected individuals and the Office of the Australian Information Commissioner (OAIC).
Should a data breach occur the OAIC can investigate it and implement a range of penalties, including enforceable undertakings, court injunctions to prevent further conduct which would contravene the Privacy Act, and fines up to $360,000 for individuals and up to $1.8 million for companies.