Keeping Data Secure as Information Moves to the Cloud
By Tommy Richardson, Former CTO of ADP and Chief Technology Officer and SVP of Technology, Nextech
Data breaches happen every day as hackers infiltrate companies’ computer systems to gain access to private content, such as financial data and protected health information. We’ve all seen the headlines: Yahoo in 2014 with 3 billion user accounts hacked; eBay the same year with 145 million accounts compromised; and more recently, Equifax in 2017, with 143 million accounts accessed, some of them including credit card information. Healthcare systems have become a significant target for cyber-attacks because of the sensitive information stored on them, which is mostly sought for identity theft. Healthcare has the highest percentage of breach incidents of any industry, and one in every four Americans has been impacted by a healthcare data breach. The reality is that it’s getting harder and harder to keep confidential information secure, and it appears this will only get worse for companies across all industries as technology use becomes ubiquitous and those with nefarious intentions become more sophisticated.
No one is immune
Although many companies, especially smaller ones, think a data security breach won’t happen to them, the truth is it can occur at any time to any company, no matter the size or scope of its services, and the consequences can be severe. Data loss, a tarnished reputation and possible penalties and fines are just a few of a breach’s potential downstream effects. If a company falls victim to ransomware, productivity can be halted until the company pays to unlock its private information or restores a good, current backup of its systems, which can be costly in terms of money, time and output.
The need for strong data security has existed for years. However, the decision by many companies to store and access information in the cloud has underscored the importance of data protection. While in some ways the cloud may be considered a larger target for cyber-attack, it can also serve as a safer location to store protected information because of the robust security protocols available there. In many cases, a practice can transfer much of its data protection risk to the cloud provider when adopting the provider’s systems.
Consider the small company that houses private information on an internal server using stand-alone software. The onus is on the company to have the appropriate security practices and protection in place in order to safeguard information and prevent a breach. This may be challenging if the company doesn’t have expert staff who are familiar with the latest security strategies or the resources to onboard the toughest protections. However, if that same company shifts its information to a reputable cloud-based software provider, then the software company can assume some of the work of preserving data security. Since the technology company is focused solely on providing state-of-the-art technology, it should have the necessary experts on staff to proactively avoid security hazards, continuously monitor the network, protect systems from the latest exploits and rapidly respond to unusual occurrences. The technology company will also keep the software up to date, ensuring the latest protection against application and network vulnerabilities is in place.
Seek the right partner
Unfortunately, not all cloud-based technology vendors offer the same level of protection. That is why it’s imperative, before partnering with a vendor, to make sure it prioritizes robust security. This means the company should be hiring experienced staff that have deep knowledge of how to effectively guard confidential information. They also should have best-practice protections in place, including solid firewalls, regular intrusion testing, network monitoring, security alerts and so on. They should require the use of passwords that go beyond alpha-numeric characters and suggest that those passwords be periodically changed to thwart compromised-account attacks. They also should have multiple layers of protection depending on the data’s degree of required security. For example, if a solution includes protected health information, the system should restrict access to only those individuals in the company who are allowed to view that information. Another common problem is failing to keep laptops and servers that store confidential information encrypted. If one of these systems is lost or stolen, sensitive information can be exposed to unauthorized parties, causing a significant data breach. This is one less worry when keeping your sensitive data in a cloud application that utilizes the latest encryption technologies. You should also add security questions to your RFP or RFI bids that follow common security standards such as NIST and SOC 2.
Educate your staff
While a security-focused technology provider can safeguard your company’s data to a certain extent, your employees play a critical role as well. When a company’s employees fail to follow established protocols, the likelihood of a data security incident increases. For instance, if your software passwords are not strong enough, a skilled hacker can quickly penetrate your network with a brute-force attack. Similarly, if a staff person doesn’t understand that he or she shouldn’t send protected information via unsecured email, then he or she can open the company up to privacy violations. To mitigate the “human factor,” companies should offer detailed and frequent training that outlines why data security is so important. This training should also cover a staff member’s role in maintaining data security and what the consequences are to the organization if there is a breach.
A long-term commitment is key
Preserving data security should not be a one-and-done exercise, but a continuous responsibility. If your company relies on a cloud-based technology provider to maintain security, you should regularly touch base with the vendor to check that it is using the most current protocols and preventive measures. Also, consider demanding certifications such as SOC 2, ISO 27001 and ISO 27002, and regular security penetration testing. Staff education should also be ongoing to ensure the concept remains top-of-mind and to keep users informed about the latest common cyber-attack vectors. Although a breach is always a possibility, organizations that fully commit to avoiding one can potentially head off disaster and the high-cost fines that result from data breaches.