Security incidents in the cloud: Who will be held accountable for corporate data loss?

Your data may move off-site, but does that mean you’re not responsible for it?

At the root of the problem is a certain level of misunderstanding about who is responsible for the protection of cloud services and applications.

If you own or run a business that do not have resources of the enterprise yet, chances are good that your team uses a few cloud services in its daily work. It could be Google Apps for Business, MS Office 365, Dropbox, CRM or an accounting platform, or something else, but it’s rare a team will work completely locally. In fact, 73% of the small businesses we surveyed said they use one or more such services to boost productivity and business efficiency. What’s often lacking: a guarantee that the data in the cloud will not be misused or leaked.

You might think that these aspects of security are cloud providers’ responsibility. Unfortunately, migrating to cloud services will not shift your data protection responsibilities to some third party. Even if your cloud provider promises outstanding data protection mechanisms, your employees can nullify its effectiveness by negligence or by mistake.

At the root of the problem is a certain level of misunderstanding about who is responsible for the protection of cloud services and applications. According to our survey, 59% of small-to-medium businesses think that providers should protect their files on team document sharing sites, 57% say providers are responsible for protection of marketing automation, and 58% figure a third party must secure trading software.

Here’s the truth: Data protection in the cloud is a shared responsibility. Cloud service providers absolutely need to uphold a sufficient level of protection. But that’s no excuse to feel safe by default. You are responsible for access policies. You are responsible for using strong passwords for access to those services. You are responsible for configuration of your services.

Even if your provider claims it will take care of everything and compensate any losses in case of a breach (which is highly improbable, but let’s imagine that it is a real offer), think of what you will tell your clients if their data leaks. Blame the third-party provider? But they entrusted their information to you, and it is you who will lose their trust.

When you hear about data breach incidents, the stories are always about large businesses, not SMBs. Don’t let that give you a false sense of security, though. Consider that the reason you hear about a breach is typically because of its scale — that’s a big part of what makes it newsworthy. Enterprises have more data to lose, but small businesses are no less vulnerable. According to the abovementioned survey, 42% of SMBs have experienced a security incident affecting cloud services.

Want to learn more about results of this survey? Download our report, “Growing businesses safely: cloud adoption vs security concerns” (PDF).