Auld Lang Syne was still ringing in our ears when we saw the first major cyber security breaches of 2014. Public backlash following late 2013 incidents quickly followed.
Photo-sharing app Snapchat was subject to a cyber attack where hackers exposed the usernames and phone numbers of 4.6 million users. The ‘Syrian Electronic Army’ also hacked Skype’s Twitter and blog accounts to allege the sale of data to governments and publish contact details of outgoing Microsoft chief executive Steve Ballmer. Target, the third largest US retailer, is also being sued by customers after hackers installed malware onto the computer systems at the checkout desks and subsequently stole data from 40 million credit/debit cards.
Given the ever-increasing prevalence of worldwide cyber security attacks, it is no surprise that raising awareness and increasing efforts to improve protection and tackle breaches is a high priority for the UK government. Top of the agenda is a major public awareness campaign to make individuals, and small and medium-sized enterprises aware of cyber security risks. However, cyber security remains a key board level issue requiring immediate attention.
As organisations become ever-more reliant on cyberspace to transact, store and/or disseminate confidential and proprietary information, they are increasingly vulnerable to cyber threats. A breach in a business’ security can expose it to fraud, data loss, intellectual property theft, regulatory sanctions and, despite being the victim, claims from affected third parties.
As part of this reliance on cyberspace, many businesses are moving to cloud computing: purchasing ready-made software, platforms and infrastructure hosted on remote servers. Cloud computing is clearly an attractive option for businesses. Benefits include:
- Pay as you go – no or reduced upfront installation and capex costs or licence fees;
- Improved support and maintenance;
- Accessible anywhere in the world.
Despite the advantages, some businesses remain hesitant about adopting cloud computing services in their IT infrastructure, and there are inherent risks. External hosting of servers and sensitive data is always going to cause concern due to the surrender of control: What if the systems go down? What if data is lost? What if the data centres are hacked?
Data security is of paramount concern for IT professionals and senior management alike. Such concerns will only increase when the new EU Data Protection Regulation comes into force (potentially later this year) with current proposed penalties (as approved by LIBE at the European Commission) for serious breaches of data protection law of up to €100 million or 5% of global turnover (whichever is greater).
What can you do to mitigate security risk when comparing cloud solutions? Here are six tips to think about:
- Know where your data is. How can you be confident your data is secure if you do not know where it is stored? Establish where your data is stored and ensure you have access to such data when you terminate the service or if your cloud provider goes bust;
- Back up your data. Secure back up of data is key. If you do not have the facilities to back up data, ensure your cloud provider does so regularly;
- Ask questions. You are paying for a service. Don’t be shy about asking what security measures your cloud supplier has in place to protect its servers, both physical and technical;
- Don’t settle for standard. Many cloud providers will tell you that both their systems and terms and conditions are standard. However, cloud providers may be prepared to tailor their solutions to your individual security requirements. From a legal perspective, if the standard terms and conditions impose an unfair balance of risk, look to negotiate.
- Test and re-test. What better way to ensure the security of your cloud solution than to test its vulnerabilities? Engage a consultant to carry out penetration testing and assess emergency response strategies.
- Get insurance. Ensure you have appropriate cyber insurance in place to protect you in the event of a cyber security breach.
Help is on the way for consumers and SMEs too. The European Commission recently set up an “Expert Group”, including cloud providers, lawyers and academics, tasked with establishing a new set of model cloud computing contract terms. The group will assist the Commission in improving the legal framework for cloud computing contracts with the aim being to increase trust, confidence and ultimately take up of cloud services by consumers and SMEs.
The Commission believes that many consumers and small businesses are reluctant to purchase cloud services due to unclear cloud computing service contracts. The group, comprising 30 individuals and companies from both the public and private sector, will develop best practices to improve trust and confidence amongst consumers and SMEs, and is due to report back in spring 2014.
One of the key challenges for businesses is the management of security risks to data, intellectual property, know-how, confidential or sensitive information or infrastructure that depends on such data or which are vulnerable to cyber attack. If you are thinking of utilising cloud computing services, do your homework, investigate the security measures, and ensure you have the right to a quick and easy get out if you are not happy – with your data in hand.