Should I put my small business records in the cloud?

Keeping data safe and disaster-resistant is a major challenge for the average small business – a challenge some businesses don’t even realise is there.

Most small businesses don’t have access to an IT specialist to protect the business’ data against a digital intruder or data loss event. This becomes especially critical where the data is sensitive, such as in medical practices. Often this work can fall to the business owner or a well-meaning IT-savvy employee, but rarely is this person equipped to properly navigate the dual minefields that are Information Security and Business Continuity.

Using cloud services can provide a small business with a level of assurance that may not have been possible with in-house or outsourced IT services.

The inescapable truth of the matter is that a Software-as-a-Service cloud provider is more likely to be able to anticipate and guard against an intrusion or data loss event than the average small business.

Important Note: Be aware that some countries have specific laws in place restricting usage, transmission and storage of some types of regulated data, especially for sensitive medical records. This may include using cloud services. For example, the United States has HIPAA for the health industry, while Australia is covered by the Privacy Act (1988). Always perform your own due diligence.

Consider Google’s G Suite (previously Google Apps) and Microsoft’s Office 365, both offering Email, Calendar, Remote File Storage and Collaborative Document Editing in a Software-as-a-Service (SaaS) format. Both are at the forefront of internet technology. Both employ Chief Information Security Officers, with a team of Information Security specialists working toward the same goal. It’s a far safer bet that both of those organisations are better positioned to anticipate and react to catastrophic events than the average small business is.

Notice I used the word “bet” in the previous paragraph. There’s a downside. Your data is sharing a service with a large number of other businesses. If the cloud provider were to experience a significant security breach or go bankrupt tomorrow, you could be one of hundreds or thousands of businesses whose data is breached or becomes unavailable, through no fault of your own other than that you chose the “wrong” SaaS provider. There’s also a good chance your service level agreement will offer you no real recourse to remedy in such an event.

Ultimately, you are responsible for your clients’ data, no matter who executes services on your behalf. How to protect and use that data is a decision you have to weigh up carefully. A Risk Assessment is required to better explore the options, but in the absence of any significant uncontrolled risks, I’d suggest that a cloud SaaS service will generally be better placed to protect a small business’ data than the small business would itself.

Jason Kempnich

Jason is an Information Security Consultant and CISSP based in Queensland, Australia, with 20 years’ experience. He has worked in a variety of sectors from federal government through to giant multinational organisations.


1 Response

  1. blitterate says:

    Thanks. This says it all “a cloud SaaS service will generally be better placed to protect a small business’ data than the small business would itself”
