TOM JEWKES

Did you know that when you take a taxi cab in Turkey and there is an accident while you are in the car, then you, the passenger, are liable for the damages? Why? Because you hired the cab. That is what it means for your business when you “go to the cloud.” Businesses think the cloud solves all of their cybersecurity problems, but that is not the case. Your business is responsible.

For most businesses, they have at least one set of regulatory compliance rules to abide by when handling data. For example, if your business accepts credit cards as payment, you are subject to the Payment Card Industry Data Security Standard (PCI DSS). If you track any Personally Identifiable Information (PII) on your customers or employees, you are subject to the Privacy Act. If you are a health care provider and handle Protected Health Information (PHI), you need to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Healthcare providers have the trifecta of data protection liability – having PCI, PII, and PHI to worry about. In the cybersecurity world, regulatory requirements drive your data security plan.

The definition of data security from technopedia.com is “protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites.” In other words, data security is how you protect your customer’s data. Although there are many laws, regulations, and guidelines, they do not dictate HOW to implement the protective measures. THAT is up to the individual business owners to decide. This is important because the business is held legally responsible for any privacy breach that may occur whether the data is in the cloud or in your back-office data closet. You are responsible for its protection.

Some business owners think that if they push their system to the cloud they will be absolved of data security. Many cloud service providers offer Software as a Service (SaaS) solutions for just about every application these days, making it a turn-key solution for many businesses. One example is Office 365. it reduces local IT costs and in most cases provides an increase in service. In many cases, the business can coordinate with the provider to pay for controls like encryption and firewalls in the cloud. Sounds great, doesn’t it? So where’s the problem?

The cloud customer (that’s you) decides who gets access to the application. The employees are usually working from a laptop, desktop, tablet or phone to access the application.

Cloud is NOT threat repellant. If any of your business computers get key-logger malware (malware that records your keystrokes), the hacker will steal your cloud login credentials and use them to access to your data from anywhere in the world. If the data is (heaven forbid) sent unencrypted to the cloud, you are subject to interception of your data with what’s called a man-in-the-middle attack. This happens often when using public Wi-Fi hotspots. Employees are also susceptible to social engineering where they are tricked into clicking on a malicious link or even provide their password information over the phone. As we noted in other articles, the dark web has usernames and passwords available from previous breaches. If people re-use their passwords, the hacker may get access that way too.

Even in the cloud, business owners must have due diligence with data security because they are liable. Your employees need cybersecurity training. Their devices should have antivirus and endpoint detection monitoring – agents watching for unusual behavior. Businesses should have cyber insurance to transfer the risk in case a breach occurs despite best efforts.

So, if you are in Turkey you may want to take the bus. Using cloud services on the other hand, there isn’t any substitute for a robust security plan.

Co-authored by Dan Gavin and Tom Jewkes, the CyberGuys from CyberEye. www.cybereyeaw.com