Whether you’re starting a new business, or you have an established small- to medium-sized business, entrepreneurs today have a unique challenge as well as an opportunity when it comes to adopting the cloud. Before there was a wide array of cloud providers serving almost every business need, organizations regardless of size had to maintain IT departments or consultants and extensive physical infrastructure to run their businesses.
But the hidden downside to this approach wasn’t just long-term cost -- it was security.
Securing your systems and data in today’s threatening environment is complicated -- very complicated. It requires technical specialists and a complicated array of ever-changing security products. Monitoring, maintenance, policies, upgrades, patches, etc. are all hidden costs of maintaining your own IT infrastructure.
Even if a company has the financial resources, finding and retaining the skilled technical security talent necessary to succeed is exceedingly difficult. The number of skilled people haven’t scaled with the demand. Unfortunately, in the “run your own IT” model, all forces are stacked against SMBs succeeding in being able to secure their systems.
As the founder, how do you ensure all systems are secure? Not surprisingly, cloud companies help bend the economics of security. Organizations like Dropbox, Google, Microsoft, Salesforce, etc. all have amazing resources to secure their environments. Not only can they attract and retain the best and brightest by offering unique challenges at a massive scale, they also have the resources to build out comprehensive teams.
A good portion of security responsibilities is transferred to cloud providers. From a customer perspective, there are also no hidden costs. Security is something that is baked into a highly predictable subscription fee.
So let’s assume that you embrace the cloud like many small companies already have. The question is: “How do I make it secure?” Here’s some practical advice.
1. Choose wisely.
Although cloud services have the potential for being considerably more secure than on-premise solutions, not all are created equal. Test the commitment of the cloud provider to security by reviewing which certifications they have. A cloud provider that’s strongly aligned with values of customer trust and security will generally have independently audited certifications such as ISO 27001/27018, AICPA SOC 1/2/3, Cloud Security Alliance STAR, PCI, etc.
Small business owners should review and trust these audit reports and not invest resources in conducting their own assessments. Other positive security indicators include security bug bounties, penetration tests, red teams and other third-party scrutiny that indicates that a cloud provider is going beyond the basics and truly committed to providing a hardened service.
2. Harden authentication with strong password management.
Contrary to popular advice, strong passwords are not the end-all to protecting an online account. Using the same password across multiple providers results in far more compromises than simply using weak passwords.
Consider enabling standards-based “SAML” single sign-on (there are cloud providers for this) and turning on two-factor authentication (2FA) wherever supported. Another great investment is a password management tool (e.g. 1Password, LastPass, etc.) that improves user experience while enabling highly complex and unique passwords for every application.
Every formally adopted cloud service needs to have someone who is accountable for managing it as an administrator, monitoring usage and controlling access. Many of the security mistakes we see at Dropbox are employers not revoking access from terminated employees or configuring only a single-administrator account and then having that individual leave. Make sure your de-provisioning processes are robust, and timely and you have backups for all system administrators.
4. Make it safe.
There are many cloud providers that enable business and individual productivity for your business. Those who provide core services such as customer relationship management, financial systems, human resources, payroll, etc. should be closely managed, and adoption of unapproved services needs to be controlled.
Conversely, a much more flexible attitude should be taken for cloud services that enable individual productivity, innovation, collaboration, etc. Your employees can be your best technology innovators, because they are continuously assessing and adopting new services that make them more efficient.
Figure out what these services are -- and wrap security around them. Implement security products that give you monitoring and control capabilities, and sign up for business-class versions of popular services that your employees already use and love. Cracking down by restricting access can have unexpected consequences.
5. Secure your endpoints.
Many intrusions happen, because an individual is tricked to click on a link or run something. Security training is important, but even the most aware individuals can be phished. Implementing a comprehensive suit of security tools on every endpoint is essential to when the inevitable happens, and a bad guy tries to run code on your employees desktops or laptops.
In addition, I would advise that you turn on all available auto-update features for end-user operating systems and applications, and keep installed applications up to date. It is much more difficult for an attacker to compromise your company if everything is patched and up to date. You should measure and reward your teams to apply patches and updates as fast as possible.
This may feel like a lot of advice, but as I said in the beginning, it’s complicated -- very complicated. Based on studying why companies have security compromises, I believe this list is a great starting point to dramatically drive down your company’s risk.