Most organizations that consider switching to cloud-based services are rightly concerned about security. In addition to the financial consequences of a data breach, the reputational harm from losing your clients' or employees' private data can be crippling. However, moving to the cloud can actually make your data safer if you know what to look for.
People are the biggest weak spot in any security system. Employees will usually do what's most convenient for them even if it's less secure. For example, if you aren't yet using cloud services, employees might be sending themselves unsecured emails with confidential client files so that they can work on them on their home computers.
Your first step in evaluating a new system should be determining what your employees need to do and how they'd ideally like to do it. If new software makes your employees' lives easier, they'll be more likely to use it and less likely to turn to shortcuts that undermine your security efforts.
With early online services, organizations often had a single user name and password shared by all employees. This is a major security risk that goes beyond trusting that an employee won't go rogue.
If one employee has a device stolen or the organization's password is guessed, all of the organization's data is at risk. Each employee should have a unique login, and your managers should have the ability to restrict access to only the clients or files each employee is working on. This reduces the potential harm when a single password is compromised.
Having multiple layers of security provides similar benefits to access controls in that it limits the damage of any single breach. For example, your first security layer might be a simple password-based login that allows you to view account information. Check-writing ability might be behind a second security layer, such as two-factor authentication that sends a security code to the user's phone.
That way, if the user's password is compromised, the thieves might gain access to confidential information, but they would be unable to write checks and drain the client's bank account without also stealing a physical device.
Encryption encodes data so that it can't be read even if it's intercepted. Some services only encrypt data as it's transmitted. This allows data to be sent safely over Wi-Fi networks but doesn't protect it if the servers where the data is stored are breached.
Other services keep data encrypted on the servers. This keeps their own employees from accessing it, and also makes the data useless to anyone who does gain access to the servers.
There are levels of encryption, with higher levels being harder to break than lower levels. As you add layers and levels of encryption, costs rise, so you need to balance the cost of extra security against the sensitivity of your data.
Logging seems to go against privacy and confidentiality, but knowing who accessed what files and when serves two critical security purposes. First, logging can help detect unusual patterns to alert you that someone is trying to gain access or has already gained access to your data. If you're alerted in time, you may be able to increase your security before your data is compromised.
Second, if your data has been compromised, logging can help in your recovery. It will let you know exactly what data was stolen, and will give you information about the perpetrators that you can turn over to law enforcement or use in court.
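As an added illustration (not part of the original article), the Python example below applies both purposes of logging to a constructed access log: it flags accesses that break the expected pattern, then lists every file a suspect login touched. The log format, user and client names, assignment table and business-hours window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: ISO timestamp, user, client, file.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice acme acme/ledger-2023.xlsx
2024-03-04T10:40:00 bob globex globex/payroll-q4.csv
2024-03-04T14:05:00 alice acme acme/invoices-feb.pdf
2024-03-05T02:17:00 bob globex globex/payroll-q4.csv
2024-03-05T02:19:00 bob acme acme/ledger-2023.xlsx
2024-03-05T02:21:00 bob acme acme/bank-details.pdf
"""

# Hypothetical assignment table: which clients each employee works on.
ASSIGNMENTS = {"alice": {"acme"}, "bob": {"globex"}}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, an assumed policy

def parse(log_text):
    """Yield one dict per well-formed line; skip blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield {"when": when, "user": parts[1], "client": parts[2], "file": parts[3]}

def find_alerts(events, assignments=ASSIGNMENTS):
    """Return (event, reasons) for accesses that break the expected pattern."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["client"] not in assignments.get(ev["user"], set()):
            reasons.append("client not assigned to user")
        if ev["when"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append((ev, reasons))
    return alerts

def files_touched(events, user, since):
    """Scope an incident: every file a login accessed from `since` onward."""
    touched = defaultdict(list)
    for ev in events:
        if ev["user"] == user and ev["when"] >= since:
            touched[ev["file"]].append(ev["when"])
    return dict(touched)
```

Neither check is possible with a shared login: both depend on each log entry naming the individual employee and on a record of which clients that employee is supposed to handle.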
While you may feel safer with your files locked up in a filing cabinet, cloud services actually offer better physical security. When you keep information in your office, a burglar usually only has to pick a couple of locks to steal your computer or filing cabinet at night or on the weekend.
On the other hand, cloud service providers usually keep their servers under close guard. This often includes 24/7 security guards, video surveillance and biometric access to the actual server room.
Data theft isn't your only security concern. Fires, floods and other disasters can also destroy your data. Most offices that keep information internally keep their paper or external-hard-drive backups in the same building. If the building is destroyed, you effectively have no backup. Cloud services offer multiple layers of backups. First, you have the copies you keep locally. Next, you have the data stored in the cloud. Finally, most cloud services have backup servers in a different city or part of the country to prevent even major disasters from destroying the data.
Your final consideration should be a provider's reputation. Nearly any cloud service provider will look to wow you with security certificates and statistics. However, there is a trend in the software industry to push new developments out to make sales even if not all of the bugs (including those that could reduce security) have been patched yet.
As with any service provider, look at the company's reputation for following through on their promises, their commitment to building long-term relationships and how they handle problems when they arise. Beyond the technical requirements, you're looking for a strong partner because, ultimately, your own reputation depends on their ability to protect your data.
Finding a safe cloud-based service for your organization can sometimes be daunting. Now that you know some of the important best practices to look for, you can go confidently through your search and keep your data safe. If you are interested in learning more about how we provide trusted outsourced accounting services for your business, sign up now for a consultation.