Cloud storage services like Microsoft Azure, Google Drive, and Dropbox are the leaders in an industry expected to be valued at $200B globally by 2018. For business owners of any size, cloud storage of files presents both opportunity and risk. Storing digital files online can provide a valuable backup in the case of accidental deletion or system-wide failure. This system also allows for files to be shared easily between users, even across great distance, without long email chains. However, keeping files secure continues to be a concern. Small business owners need to weigh several factors when considering cloud storage and keeping sensitive data secure.
How it Works
The Cloud is essentially a set of internet storage servers shared by lots of different users to store information. In the immediate sense, this is great for everyone: In the past if you wanted to store information online, you would have needed to rent or own your own server to do so, an amenity which small businesses didn’t likely have the budget for.
Today, these services are available to everyone and often even come free. If you use any Google service like Gmail or Google Drive, all that information is stored in cloud servers. If your website is hosted through a service like Squarespace or GoDaddy, it’s in the Cloud. Any app you use which syncs between your computer and your phone or tablet also uses the Cloud to do so.
The Cloud allows us to lead lives of integrated convenience, but there’s also reason to be skeptical of its ease of use. Even if you love buying songs with one click, it’s a little unsettling to think that the credit card information you’ve entered into the iTunes store is stored somewhere online along with hundreds of thousands of others. If that sounds like a hacker’s payday, it’s because it can be, without the right security in place.
One of the most infamous cloud security breaches to date was discovered in January 2015, when health insurer Anthem announced as many as 80 million member files might have been stolen by hackers. Those files included information from Social Security numbers to addresses to prescriptions and medical diagnoses. At the time, Anthem described the attack as “sophisticated” but further investigation revealed many flaws in Anthem’s cloud security which allowed a rather simple attack to find success. Anthem failed to encrypt their data and didn’t adequately educate their employees about phishing scams, which occur when a criminal sends an email posing as a legitimate person to trick the receiver into sending them sensitive personal information or clicking a corrupting link.
The first security feature a business owner should require of any cloud service storing their sensitive data is encryption. Encryption ensures that even when your data is at rest on a server, it’s been translated into a code which won’t be un-coded until you enter your password and access it. Not even the cloud storage provider will know what you’re storing with them, and if someone does break into the server, all they’ll get is gibberish. Since Anthem failed to encrypt their files, all the hackers needed to do was gain access to one software system to get all the information in storage. Depending on the sensitivity of the information on your server, you may or may not choose to pay for an encryption service, but it’s the height of digital security available at this time. Computer security pioneer John McAfee once said, “In this age of communications that span both distance and time, the only tool we have that approximates a 'whisper' is encryption. When I cannot whisper in my wife's ear or the ears of my business partners, and have to communicate electronically, then encryption is our tool to keep our secrets secret.” 1
"In this age of communications that span both distance and time, the only tool we have that approximates a ‘whisper’ is encryption."
One area where even small businesses without many files should consider encryption a priority is in choosing their credit card payment processing partner. A 2012 Trustwave security report found that 90% of credit card data breaches impacted small businesses, especially retailers.2
Even if your POS systems don’t store the credit card data after the payment is made, in the moment when your card reader connects to the Cloud to confirm and transfer payment, there’s a potential for theft. By contracting with a vendor that encrypts the data during this transmission, a small business can close this security hole. And if the server does store the credit card information after it’s processed, encryption is essential there as well.
If credit card data is stolen at either point, not only will the business’ reputation take a hit, but large card carriers like Visa or MasterCard might choose to no longer work with the business. Additionally, the business could be liable for any fraudulent charges made to the stolen cards, especially if they don’t have an EMV chip reader. The EMV chip security measure has caused a decline in the theft of information from POS systems in the US since its slow adoption, but small businesses especially may not have made the transition because of the cost of implementing the new system.
Increased traffic in the e-commerce sector means small businesses relying on online portals to process card payments are at greater risk than ever. If you have an online payment portal for your business, security at the moment of transaction is essential.
Some of the more inelegant forms of phishing email scams are easy to spot, like when you get an email asking for your bank account information so that someone can deposit a surprise inheritance from a relative you never heard of across the world. But others can be very convincing. If a hacker is able to gain access to your company’s email server, they will be able to send emails from an internal address. Often they will spread viruses or spywares in the form of software updates, where recipients are instructed to follow a link to download and install. This is what Anthem believes happened in the case of their breach—to no less than five of their high-ranking IT professionals.
It’s extremely important for small businesses to have a protocol in place for such things. Tell your employees that any updates will come from one or two specific people, and all others should be ignored. If they’re working from desktops or laptops all connected to one server, you may want to administratively prevent any installation of new programs.
Still, in some cases even this step might not be enough. Earlier in 2016, several businesses accidentally exposed W-2 information, after emails from thieves posing as the CEOs of those businesses were sent to HR. A more human-focused step to prevent these kind of scams from succeeding is empowering employees to follow up with a phone call or reply email when sensitive information is requested, no matter what the rank of the person doing the asking.3
One particularly compromising element of digital security is password protection, but not necessarily for the reasons one might think. It’s not just obvious passwords that lead to security breaches. Even the passwords we think are most secure can fail easily when a hacker is truly determined. A 2014 joint investigation between Microsoft and Ottawa University revealed that it isn’t a combination of capital and lower case letters, or requiring the use of symbols, or a length requirement, or even all of these at once, that makes a password secure: It’s that a password be truly random, something humans are bad at constructing and even worse at remembering.
"A lot of the password completion policies don’t push people toward randomness and things that will pass 10-14 guesses, they push people toward predictable strategies that will not."4 - Cormac Herley, Microsoft Password Expert
For a business owner, that means over-emphasis on password security could lead to oversight in other areas where security might be both more effective and easier to enforce. Still, employees should be educated about what makes a better password than “P@$$word,” and for systems with sensitive data, employers would do well to require that passwords be changed every few months, with no allowance for repeats. The general rule that Microsoft and Ottawa University found in their study is that the longer the password, the longer to crack it.
It’s never recommended to keep a spreadsheet or even a written list of passwords, as that not only provides easy access but also a handy list of all your accounts. Though this presents a serious risk, it’s still common practice to keep lists or share login information around an office, especially a small one.
It’s easy to be paranoid in a world where so much information is vulnerable at the click of a mouse. You can consider dividing up information between multiple online storage providers so that no one cloud server hosts all your sensitive information. If you’re running off a private server, contract with a digital security company to keep it secure. Preventative security steps, whether you’re using a free public cloud service or your own private storage, will give you peace of mind along with the modern convenience of connectivity.