Security and the cloud – how often have we heard the two topics discussed together?
The cloud is secure. It isn’t secure. Conflicting information can drive anyone mad. Adding on the complexity of regulations further confuses the issue.
As part of our second Annual Small Business Cloud Storage Survey, we gathered new data on the topic of security and the cloud, talking to experts who provide insight into this perplexing subject.
What Did We Find?
- Small- to medium-sized businesses (SMBs) rank security as their top priority when shopping for a cloud storage provider.
- 87% of SMBs say the cloud is very or somewhat secure.
- 53% of SMBs say that the International Organization for Standardization’s regulation for the protection of personal data in the cloud is an important regulation to follow.
- A quarter of SMBs still only use a free version of cloud storage.
- A small but significant percentage of SMBs using free cloud storage services are storing sensitive data, such as banking and medical information.
Clutch surveyed 293 SMBs that use at least one cloud storage platform. 51% work at companies with 50-500 employees. All respondents work at an associate level or above.
The Weakest Link: Yourself
SMBs listed security as their top priority when selecting a cloud storage provider.
However, 87% of SMBs already rank the security of the cloud very highly.
This seems like a contradictory result. Why would SMBs place such heavy emphasis on security while shopping for their cloud storage service, when they know the cloud is already secure?
Experts chalk the result up to the complexity of the cloud, as well as user involvement.
“You have the people [who] agree that the cloud is secure,” said Mark Estes, Regional Director of Sales at Qubole. “But they also understand the caveat that it is only if you use it in the correct manner… There’s a lot of things that go into how you secure the cloud. It’s a pretty new world from an IT perspective, so there’s not a huge amount of people who have a lot of expertise in this. There’s probably some hesitancy over whether or not they can use it securely, even if the cloud as a whole is considered secure.”
In the end, it doesn’t matter if you have every finishing touch to your cloud storage’s security – because the biggest threat to cloud security is human error.
“I recently did some penetration testing for a financial company,” Jacob Ackerman, CEO of SkyLink Data and Business Services, told us. “Our job was to determine weak points. We used a fictitious email address and I was able to get their CFO’s password with a spear phishing attempt within 15 minutes. So from that point forward, who cares how good your encryption is? I had the person’s password… The system allows me full and uninhibited access because it thinks I’m that user.”
Ackerman suggests that every company implement dual-factor authentication to prevent this sort of episode from happening. Dual-factor authentication means that the user must present two separate pieces of evidence to an authentication mechanism to gain access. A common example is entering, in addition to your password, a passcode that has been texted to your phone in order to log into a service.
Overall, all the experts we spoke to emphasized the importance of protecting your cloud storage service from its weakest link – the user.
“A lot of these things aren’t just magic,” said Estes of Qubole. “My data isn’t suddenly secure just because I put it in the cloud. There’s a lot of things you do. The cloud enables the security of data as long as you do things correctly.”
Regulatory Maze: ISO, PCI, and HIPAA
53% of SMBs say that it is important to follow the International Organization for Standardization’s regulation for the protection of data in the cloud.
Known as ISO 27018, the regulation provides a “code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.”
To comply with the standard, cloud service providers must…
- Agree not to use customer data for their own purposes without the customer’s express consent
- Establish clear and transparent parameters for the return, transfer and secure disposal of personal information
- Disclose the identities of any sub-processor they engage to help with data processing before customers engage in a contract
“We all know what ISO is because it’s so far reaching,” said Ackerman of SkyLink. “It impacts IT and medical and engineering. It is so the world is on the same page when it comes to all these different technologies.” However, he warns that because of the regulation’s breadth, many don’t understand its tangible impact on businesses.
Two more popular regulations directly target specific industries and types of data – HIPAA and PCI.
1. Payment Card Industry Data Security Standard (PCI)
This regulation helps alleviate risks related to the processing, storing and transmission of credit card information. It is not a law, but rather mandated by major branded credit cards themselves, including Visa, MasterCard, and American Express, among others. The regulation is administered by the Payment Card Industry Security Standards Council, a supposedly independent agency.
“PCI was in response to the major four credit card companies – Visa, MasterCard, American Express and Discover – seeing the writing on the wall and realizing – if we don’t come up with voluntary standards, the government’s going to put them on us,” said Ackerman of SkyLink. “So we might as well get ahead of the curve and then we control it.”
Despite its existence, Ackerman says that many small businesses are not compliant with the regulation, and the US is significantly behind Europe in securing card data.
2. Health Insurance Portability and Accountability Act (HIPAA)
This regulation is the only one that’s law. It was enacted on August 21, 1996 and specifically mandates national standards for electronic health care transactions. A revision in September 2013 included cloud service providers within its scope.
HIPAA is law perhaps because it’s the most serious. “A credit card goes for $2 on the black market. A full medical record from A to Z can go for $100 or more,” said Ackerman. A business can be sued for up to $1.5 million per year for violating the regulation.
Don't Skimp on Cost: Sensitive Data and Free Cloud Storage
A quarter of SMBs are still exclusively using free cloud storage services.
Free cloud storage can work for certain types of businesses. “It really depends on what these people are trying to do,” said Estes of Qubole. “Is it literally just trying to back up data somewhere else reliably, and they only have so much data? Then the free version will probably work. If you’re trying to mimic what used to be an enterprise storage platform, then they’ll end up in the paid versions – it gets them more storage and all the enterprise-related features they’ll probably want.”
However, our results found that 14% of these SMBs are storing medical records and 11% are storing bank card information in their free cloud storage.
For the most part, cloud experts cited this as unacceptable behavior.
“If you need to be HIPAA compliant or PCI compliant, you should be using the highest level of security that you can obtain, and usually that’s not present on most free cloud storage accounts,” said Jeff Alerta, Director of Technology at Inverselogic, Inc.
“If it won’t kill your business to lose your information or have it compromised, then you can take advantage of free cloud storage,” he also said. “But if it would be devastating if the information you need to store was compromised, then you should go with paid cloud storage, because they have beefier security.”
- Be sure everyone knows how to use their cloud storage service securely. The biggest threat to cloud storage security is human error.
- If it’s important for your company to follow regulations, know their requirements well.
- Using free cloud services to store sensitive data is a bad idea. Typically, only paid cloud storage can offer an adequate level of security.
2015 Small Business Cloud Storage Survey
Published November 18, 2015.
Clutch surveyed small businesses in the US to determine the quantity that use cloud storage. The survey also addressed the popularity of cloud storage services in the small and medium business (SMB) market and customer satisfaction.
- Nearly half, 48 percent, of small businesses do not use cloud storage.
- Small businesses identified Dropbox as the most popular cloud storage service, followed by Google Drive, Apple iCloud, and Microsoft OneDrive.
- Apple iCloud received the highest Net Promoter Score (NPS), a standard measure of customer satisfaction and loyalty, followed by Dropbox, Google Drive, and Microsoft OneDrive.
The full survey included 744 respondents who were employed full-time by firms with between 11 and 1,000 employees and held an associate position or higher, such as manager, vice president, C-level executive, or president/CEO.
The survey was conducted throughout October 2015. The total number of respondents varies for each question. To learn more about what users think about these cloud storage service providers, read the full client reviews.
1. Quantity of Small Businesses that Use Cloud Storage
Of 438 small businesses, 48 percent do not use cloud storage, while 52 percent do use cloud storage.
The data indicates room for growth in small business cloud storage adoption. But why are small businesses reluctant to adopt cloud storage? A lack of awareness about cloud capabilities, as well as security and compliance concerns, may hold small businesses back, according to David Amaya, consultant at Cardinal Solutions and Cloud thought leader.
“Yes, cloud storage has been around for a while, but there are still many people who do not know the full scope of what can be done with it. Security and compliance concerns hold many back from adopting the Cloud. As small businesses become more aware of what is possible and how the Cloud addresses these concerns, the number using the Cloud will continue to increase.”
— David Amaya
2. Most Popular Cloud Storage Service Providers
The small businesses that use cloud storage identified Dropbox as the most popular service, with 53 percent of respondents indicating that their firms use this service.
Google Drive, at 45 percent, Apple iCloud, at 34 percent, and Microsoft OneDrive, at 30 percent, followed Dropbox to round out the top four most popular cloud storage service providers.
Reflecting on this finding, Kevin McDonald, an instructor in the Master of Professional Studies and Technology Management program at Georgetown's School of Continuing Studies, pointed out that small businesses have to consider a number of factors when selecting a cloud storage service provider.
“Most important, a small business has to determine the need it is seeking to fulfill. This may drive some of the integration requests and needs.”
— Kevin McDonald
3. Customer Satisfaction Ratings for Cloud Storage Service Providers
To determine the cloud storage services with the highest customer satisfaction ratings, Clutch calculated the Net Promoter Score (NPS) for the top four most popular providers.
The NPS measures customer satisfaction and loyalty based on responses to the question, “How likely is it that you would recommend this service to a friend or colleague?”
A total of 289 respondents selected the cloud storage provider with which they were most familiar and provided a numerical rank, on a scale of one to ten (with ten being the highest possible score), based on their willingness to recommend the service.
Calculating the NPS required separating the percentage of detractors (rankings of zero to six), passives (rankings of seven to eight), and promoters (rankings of nine to ten), for each cloud storage provider selected. Then, the percentage of detractors was subtracted from the percentage of promoters to attain the NPS.
Small businesses identified Apple iCloud as the most satisfactory cloud storage service, with an NPS of 62.
Dave Linthicum, senior vice president of Cloud Technology Partners, attributes this finding to the popularity of Apple devices and platforms.
“iCloud is valuable to me because it makes my device a disposable item. For some reason, if my iPhone or MacBook is destroyed or ripped off, I can use iCloud to delete the data on the device. I can also disconnect from the device, replace it with another device, and restore the data that was backed up on iCloud, which happens multiple times a day. This process is a huge benefit and extremely helpful for people who use Apple devices and platforms.”
— Dave Linthicum
Dropbox, with a score of 54, Google Drive, with a score of 50, and Microsoft OneDrive, with a score of 45, round out the top four most satisfactory cloud storage services.
These NPS scores are based on the rankings given by the 42 small business employees who selected Apple iCloud as the service provider with which they were most familiar, 84 who selected Dropbox, 64 who selected Google Drive, and 40 who selected Microsoft OneDrive.