Cloud computing is set to change the way businesses operate, with many small businesses turning to “the cloud” due to the cost savings and efficiency it provides. According to the research firm MarketsandMarkets, the global cloud market is expected to grow to £77 billion by 2015 from £24 billion in 2010 [1]. Additionally, IBM’s global tech trends survey highlighted that in the next two years 75% of organisations will build a cloud infrastructure.
It’s important to consider the pros and the cons when evaluating whether cloud computing is right for your business. You need to decide if benefits such as increased capacity, flexibility and reduction of operating expenses outweigh concerns you may have around outsourcing your data and the accompanying risks of security, privacy and performance issues. However, taking active steps to understand how the cloud works and carrying out due diligence when looking for a provider can help a business successfully operate in the cloud.
For a small business moving to “the cloud”, the hardest thing is often accepting that outsourcing means you can no longer be 100% in control. An organisation’s assets and data systems are the lifeblood of any business, and anything that prevents them from being accessed can cripple it. When selecting a cloud provider, there are some important checks and balances you can put in place to retain control and ensure that your technology, resources and data are handled with extreme care.
Regardless of how the cloud is accessed, as a small business owner, you cannot outsource responsibility. It is important to establish and enforce comprehensive due diligence before taking on any new provider. This should involve developing a solid contract that ensures, for example, that your data is guaranteed to be isolated from their other clients’ data.
Vetting Cloud Providers
Often, as a small business, conducting business with big companies does not leave much room for negotiations. Therefore, it’s recommended to review a few providers and understand what each is offering.
Start by making sure that the providers know and have experience with all of your software applications, protocols and operating systems. Small business owners should also take into consideration a provider’s familiarity with their industry.
Once a provider has been chosen, the business owner must establish clear lines of communication and accountability, as well as set clear performance expectations and monitor how closely they’re being met. Performance isn’t just about the service being live and accessible to businesses. It’s important to ask the provider questions about their physical security measures, process for vetting their staff, resource training and monitoring, patch management and disaster recovery.
Drafting a Contract
The next step is to establish a contract with your cloud provider. When reviewing the contract terms, business owners should ensure that the contract shifts an appropriate amount of legal responsibility to the provider. In the event of a data breach, for example, the cost of notification, monitoring and other requirements should be the provider’s responsibility.
It’s also important to note that the Information Commissioner’s Office (ICO) can fine a business up to half a million pounds for a data breach. Therefore, it’s key that the contract clearly states how and when breaches will be reported and the protocol for responding to them. Ultimately, it is the small business’s responsibility not to lose data, regardless of whether it is at fault or not.
All cloud providers are required to have comprehensive insurance, including professional liability (errors and omissions). Before signing a contract it is wise to confirm that your provider does have proper insurance coverage.
Mitigating Potential Issues
The Office of Cyber Security and Detica report, issued earlier this year, estimated that cyber crime costs the UK economy £27 billion a year. Research by Hiscox has also revealed that nearly a quarter (22%) of small businesses are concerned about e-risks and cyber crime, highlighting the importance of data to businesses.
Therefore it is essential that SMEs have strategies in place to mitigate online risks and consider the potential issues associated with utilising cloud computing. Asking the right questions and taking precautions can help keep data safe. Key factors for consideration include loss of control over relationships, subcontractors and exclusivity.
1. Loss of Control over Relationships
With 14% of small businesses using cloud services for email and 26% planning to follow suit [3], it is evident that many companies use or plan to use a cloud provider to run applications they rely on to communicate with key partners or customers. Beyond email, companies may use other apps including payment portals, customer service centres and shared sites with vendors.
Make sure to establish clear expectations from day one regarding expected response times to inquiries and payments; the proper responses to customer queries (including the preparation of a pre-arranged script); and when to escalate problematic communications.
Transparency is important as well. Some business owners want their customers to be made aware when they’re leaving the company’s website, while other business owners prefer the opposite – running their portals on a cloud that is branded as though it is their own.
2. Loss of Control over Subcontractors
Small business owners should also look very closely at any cloud provider that sends offshore any part of its services, particularly if the provider plans on storing or sending data outside of the EU.
3. Loss of Exclusivity
The cloud provider must be able to demonstrate that your data will be isolated from the data of their other customers and, further, that access to the data is strictly controlled. The provider must treat your data as a highly valuable asset and not as a mere component of its revenue stream.
Another problem with shared resources is that efficiencies can be created only if the resources are, in fact, shared. Cloud providers are creating data centres throughout the world. This could be a problem for a company that operates entirely in the United Kingdom and knows and obeys UK and EU laws but is less concerned about international laws because it never expects to be exposed to a foreign jurisdiction.
Increasingly, there are new international regulations governing the handling of personal medical information, credit card data and other personal data. A cloud provider should be able to tell its clients precisely where their data is stored and where it is transmitted.
There is also the issue of who has physical access to servers and other equipment and what security provisions are in place. An occasional visit to a cloud facility can put to rest nagging concerns about physical security and orderliness.
While cloud computing presents new and complex challenges, many issues can be managed by proper vetting of the cloud provider and knowing what questions to ask. Switching to “the cloud” does not have to mean a loss of control or breakdown in security and accountability. Instead, small business owners should embrace a team approach and be vigilant and proactive. As cloud computing continues to grow, risk management must stay a step ahead.