During a recent meeting we had with an organization, we asked their director if they had assessed the cybersecurity of the personally identifiable information they obtained from donors and employees. She replied, “We don’t need to worry about that, it isn’t on our servers. It’s in the cloud.”
Unfortunately, we had to inform her that, if the cloud service provider was hacked, her organization would share liability for the compromised data. And the penalties would include having to provide credit insurance, possible fines and penalties, and the hit to their reputation.
On top of all that, there will always be elements of security that you’re fully responsible for, such as determining who should have the appropriate level of access to sensitive data in your organization.
How to Protect Your Data in the Cloud
So, what should you be doing to protect data that is stored in the cloud?
1. Be Selective in Who You Entrust With Your Sensitive Data
Do your due diligence work before selecting a vendor to make sure it is a reputable business with a good track record of security.
2. Make Sure You Have Your Own Security House in Order
Even if data is stored in the cloud, it can still be accessed from your computers if they are compromised. Use a professional to help you make this assessment, unless you have qualified in-house IT staff.
3. Make Sure Your Cloud Service Providers Have Good Controls in Place to Safeguard Your Data
This can be accomplished by asking them for what is known as a System and Organization Controls (SOC) report. Your vendors should be hiring outside experts to test their security controls, and the results of this testing will be summarized in the SOC report.
Once you have obtained the reports, you have to read them. Are there any findings in the report that would cause you to rethink entrusting them with your data? If you don’t feel qualified to read and understand the SOC report, you can outsource this function.
4. Understand Roles and Responsibilities Between You and the Cloud Provider
Statements of work, service level agreements, and SOC reports define what you’re responsible for versus what the cloud provider will do for you. For example, cloud providers will provide you tools to further secure accounts with multi-factor authentication. However, it is your responsibility to actually enforce multi-factor authentication on all cloud accounts.
Another example would be that cloud providers provide monitoring tools, such as to prevent or detect unwarranted network traffic. It is up to your organization to actively monitor that.
Finally, there will always be processes that you’re fully responsible for; for example, ensuring that only appropriate individuals have access to sensitive data. The cloud vendor would not be in a position to determine whether Jill from the accounting department should be allowed to modify sensitive data. It is unlikely that any cloud provider will fully assume your cybersecurity risk.
5. Formalize This Process to Ensure That It Is Not Just Done Once and Forgotten
How often you do this process is a function of risk. How much sensitive data does a given vendor hold? What would be the impact if it was compromised? For higher-risk data, you may want to examine security access annually. For others, your policy may require it be done every two to four years.
6. Consider Cyber Insurance if You Work With a Lot of Sensitive Data
These policies are relatively inexpensive and can help with credit monitoring and PR issues as well as shoring up your system.
7. Consider Adding SOC Report Clauses to Your Contracts With Cloud Service Providers
Adding a SOC report clause to your contracts ensures your third party vendor is responsible for staying up to the latest codes.
Whether it is your general ledger software provider, payroll processing company, or donor database software vendor, it is up to you to ensure these companies are properly safeguarding the data that has been given to you.
According to the Association of Certified Fraud Examiners, cyber fraud is the number one type of fraud currently. Taking the actions above can help make sure your sensitive data in the cloud doesn’t fall victim to malicious hackers.
If you’d like to discuss your organization’s cybersecurity, contact one of our IT Services team members.
© Clark Nuber PS, 2022. All Rights Reserved.