You can’t pick up a newspaper these days or (as you are doing now) catch up on the latest stories online, without spotting a story about data breaches, customer data thefts and sophisticated hacking. While the media paints a sensationalist picture about the misuse of data, we are all having to deal with a significant increase in the quantity and value of data, which is growing at the astonishing rate of ten times every five years.
There is a huge competitive advantage in harnessing this data explosion to streamline your business and understand your customer base. However, with such opportunities come a plethora of legal and commercial risks associated with storing and exploiting such vast quantities of data.
The fact is the more data you have, the more likely you are to use cloud providers to store, analyse and back up your data for you. This means you need to be aware not only of the regulatory environment (notably data protection) that governs your use of this data, but also be able to spot whether the contracts that you sign with your cloud providers are appropriate to manage your risk and reflect your specific service requirements.
Cyber-attacks are increasing at an unprecedented rate. According to a government report on cyber security in 2015, 81% of large businesses and 60% of small businesses suffered cyber security hacks last year. While it’s the state-sponsored and large-scale criminal attacks that are hitting the press, the most common causes of data theft and hacking are disgruntled employees. Cyber-attacks cost money, damage infrastructure and attract the wrong sort of media attention for businesses. From a best practice perspective then, what can you do to manage this risk?
- As a starting point, conduct a risk assessment identifying sensitive data and critical infrastructure.
- Human error is the most common cause of a security breach, so implement security policies and procedures and provide training on them to your employees.
- Consider taking out cyber-security specific insurance.
- Check that you pass on the obligations to meet these cyber security measures in your third party contracts.
Putting your data in the ‘Cloud’
Putting data in the ‘cloud’ and accessing services from cloud providers is now common practice for businesses. The cloud may sound exotic but in practical terms this means that your data is stored and accessed remotely in a data centre belonging to a third party, rather than on your own systems. These servers might be in the UK but they could also be in another territory. Have you checked with your cloud provider where they store your data and who else has access to it?
The advantages of using the cloud are well publicised: cost savings, no need for in-house technical expertise, and improved business efficiency, particularly by outsourcing storage, payment systems and email filing. However, how can you guarantee that your employee, financial and customer data will be secure when you hand over control of it to a third party?
Given the rise in cyber-crime, data security breaches and a more sophisticated cloud computing market, gone are the days of viewing a cloud contract as a “take it as it is” service without negotiating any of the terms.
For now, all businesses should start making sense of the different cloud offerings and check that they meet their specific technical and commercial requirements. Perhaps start with this – do you know the difference between public, private and hybrid cloud models? Do you know your SaaS from your IaaS or even PaaS?
Particular areas to pay attention to in your cloud contract are data loss and liability (who bears the risk and the cost if the data gets lost or stolen), data protection and the ability to get your data back on exit.
Looking ahead to 2016
Customer dependency on the cloud is on the rise and the regulatory climate is toughening up. It therefore makes sense that data security should be taken seriously as a ‘boardroom level’ issue. Decoding the jargon of cloud services will enable you to put in place contracts with cloud providers that reflect your requirements, manage your legal risks and protect your own and your customers’ data.