Living in the Cloud: Practical Approaches to Cybersecurity Risks (Part III of III)
I always loved Tarzan movies, especially the movies starring Johnny Weissmuller as Tarzan. (Here is a sample). Tarzan always had a nice house, a great tree house with vine swings for diving and jumping into the water.
In the 1990s, Bill Gates of Microsoft fame correctly predicted that computing power and capabilities would eventually move from the desktop to the Internet. In essence, Gates was able to foresee the importance of cloud computing.
Businesses are rapidly moving into the cloud. It is efficient. The old land-based computers are being replaced with access to cloud-based systems. These complex services are big business and result in cost savings, scalability and efficiency.
Businesses are increasingly relying on the cloud to store confidential and sensitive information. One-third of information technology budgets are used for cloud services. Rapid growth in cloud storage is expected over the next five years. But this trend creates real and significant data risks.
A company’s risk assessment has to address cloud storage risks to determine security vulnerabilities, likelihood of occurrence and impact of a data security incident. Such an assessment has to include:
- Review of cloud vendor infrastructure and security program
- Transparency of data protection security system
- Use of encryption (at rest or in motion) and possession of encryption keys
- Location of cloud storage (country)
- Cloud company procedures for monitoring, detecting and responding to potential incidents
- Company access to security system, if necessary for a potential incident or assessment/audit
- Cloud company monitoring of cyber risks and commitment to update protection
- Cloud data logs and procedures
- Cloud company procedures for handling government subpoenas or search warrants
- Company auditing rights of cloud company’s operations
- Regulatory requirements applicable to cloud company data services
- Cloud company insurance, indemnification and loss provisions
- Company procedures for uploading of sensitive information and protection of sensitive information
- Company procedures for addressing employee security risks relating to unauthorized access to cloud data
As companies navigate third-party cyber risks in the cloud computing era, third-party risks are expanding well beyond traditional notions of bribery, sanctions and legal risks to new and significant cyber risks where data protection is paramount.
Corporate boards and senior management have to focus on cyber strategies to mitigate risks and monitor operations to intervene and respond quickly to a potential threat. In the end, best practices focus on robust risk assessments, careful planning and risk mitigation, and buy-in for corporate crisis management.