When it comes to security, businesses are still confused about who is responsible for what, clouding confidence in cloud services.
If you are a small business owner, chances are that you’re using a cloud-based service for at least one of your business activities. Doing so has some great time- and cost-saving benefits for entrepreneurs, but there are also some security considerations to think about.
One of the most important is identifying who is responsible for securing the information stored in the cloud. However, studies show that small business owners are confused. As a matter of fact, over one third of customers assume their software-as-a-service (SaaS) provider bears responsibility for securing their data and applications, says a March 2012 Ponemon Institute study.
Your Business, Your Security Considerations
You must understand the security rules and regulations governing your profession or industry, as well as the Canadian privacy laws. Keep this in mind when setting up new contracts with service providers. Read the fine print carefully and look for the following:
- Exactly which security services are included; make sure this is spelled out in detail before you sign the contract.
- For whatever isn’t included, you will have to arrange, and pay for, your own security program.
- Review the fine print for details on third-party disclosures. Does your service provider have to give up information stored in the cloud if approached by a third party?
- Is the data stored in Canada, or somewhere else? If elsewhere, what laws apply? Service providers must follow the laws of the nation where they do business and where their data resides. At the same time, if your business uses a cloud-based provider, you are outsourcing, and you remain responsible for ensuring that the arrangement complies with Canadian privacy law.
Cloud Security Responsibility Laws and Regulations
Are you breaking a privacy law by storing your customers’ information in the cloud? When it comes to following the law, both small businesses and cloud-based service providers are governed by federal law.
According to the Office of the Privacy Commissioner of Canada Private Sector Fact Sheet: Privacy and Outsourcing, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal private-sector privacy law that requires businesses and organizations to consider privacy issues when outsourcing activities. A small business using a cloud-based service provider for any activity falls under PIPEDA, as does the business providing the service.
Four Questions to Ask Your Managed Service Provider (MSP)
Cloud-based services can save time and money for busy small business owners, but it’s important to talk to your MSP about security issues long before any actually occur.
- Does your MSP provide security log files? The information in these files can explain what happens to your data while it is in the cloud.
- Do they offer encryption before your info gets stored in the cloud? Encrypting your data before it enters the cloud may give you an added layer of security, especially when dealing with sensitive client or patient records.
- How quickly will you discover a security breach if your information is in the cloud? This matters because early detection of a cloud security breach can minimize the damage. However, if your MSP thinks you are monitoring your cloud-stored data, and you assume that they are, discovery can be delayed, resulting in even more problems. So make it clear up front, and in writing, which business is responsible for notification of security breaches.
- How long will they keep your business data? Your cloud-based service provider may keep your business data, and that of your own clients, for a longer or shorter period than you’d like. In some cases, your industry may be governed by requirements to keep information available for a number of years, so check your industry guidelines before talking to your MSP.
Finally, if you are planning to have your client data stored in the cloud, make sure you have their consent to do so. Failure to get your clients’ permission to do so could lead to long and costly legal issues that could damage your business permanently.