The debate over whether it’s safer to keep company data close to home or with a cloud provider needs to go beyond the “where” and shine a spotlight on the “who.” Who has access to your data and what protocol do they follow?
Ultimately, you are responsible for the protection and security of your data, regardless of where it is stored. Where your data is safest depends on your company’s own internal processes, infrastructure, controls, training, and discipline, and those of your cloud provider.
Consider this fact: The most common reason companies suffer from a data breach is because of an employee error. In a recent survey by the Association of Corporate Counsel, 24% of in-house lawyers blamed employee error for a breach at their company. That’s higher than phishing attacks (12%), third-party access (12%) and lost devices (9%).
A mishap by an employee could happen no matter where the data resides – on-premises or in the cloud. To tamp down the risk, it is essential that companies take a hard look at their internal processes, including periodic training for all employees and robust ongoing monitoring of controls, to ensure policies and procedures are being followed.
CFOs can’t pass off the responsibility for data security to the IT department and hope it’s getting done. Similarly, you can’t assume the vendor has adequate controls and procedures in place. It’s not only the right thing to do — it’s increasingly becoming an expectation.
At the board level and by the Securities and Exchange Commission, executives are getting questioned on what they’re doing about their cybersecurity risk, and they are getting pressed to come up with a game plan for when (the issue is no longer about if) a breach occurs. Safeguarding corporate assets is a fundamental responsibility of the CFO. Be sure you are asking the tough questions and allocating the right resources in this critical area.
Moving to a cloud vendor can allow customers to take advantage of scale — a cloud provider can spread the cost of data security across its many users, making the per user cost much more affordable.
However, you need to do your homework here — not all cloud providers take the same level of care. Ask for and critically review the vendor’s SOC1 (if they are processing your data) and SOC2 or ISO 27001 (for data security controls). These reports are audited by third-party audit firms and report on the controls in place at the vendor location and their effectiveness. Read the reports critically. Understand the care the vendor takes to protect your data. Obtain updated reports at least annually and make sure your cloud provider is staying current as security protocol evolves.
When deciding whether to expand their use of the cloud, some companies will find that the right answer for them lies in their resources. You have more control over what goes on under your own roof. But if resources are tight and you have a small team running your data center, it may be more obvious that a cloud provider will keep your data better protected. That is, unless the cloud provider is also operating on a shoestring.
Pat Voll is vice president of RoseRyan, a finance and accounting consulting firm based in the San Francisco Bay Area.