Think you’re not at risk of a cyberattack because you store your data in the cloud? Think again. No matter where you maintain your data, you’re at risk. Monique Ferraro from HSB explains why:
Your head is in the clouds if you think storing data in the cloud protects you from data breach and risk of cyberattacks.
Many business owners believe they can transfer cyber risk, like data breach or cyberattack, by moving data to the cloud or hiring a vendor such as a payroll processor. However, storing information in the cloud doesn’t eliminate significant exposures for small businesses.
Every business processes and stores personal information. Even if that personal information only relates to job applicants and employees, it’s still personal. Most businesses store and process a broad range of personal information, such as customer names together with credit card or Social Security numbers. In many states, it is the duty of the data owner, not the cloud provider, to notify affected individuals, and that can be quite expensive. Businesses can also hold proprietary information, trade secrets, and intellectual property that require protection.
State data breach definitions and requirements differ, so determining the right course of action following a data breach usually requires expert legal and forensic information technology advice.
According to the Ponemon Institute’s most recent survey sponsored by IBM, misconfigured cloud servers tied for the most frequent cause of a data breach, rising 14% year over year. The report put the total average cost of a breach at $3.86 million.
Of course, the cost to remediate a breach at a small business is nowhere near that of a large enterprise. However, there are minimum costs associated with a suspected breach that are usually not anticipated or budgeted for. A typical breach response involves:
In the event of a government investigation or lawsuit by an affected individual, there are costs associated with retaining defense counsel, other litigation costs, and settlement or verdict expenses. If there is a breach of payment card information, there are costs associated with hiring an investigator, PCI assessments, and penalties.
At least half of the states require the owner or licensor of personal information, not the entity maintaining the information, to notify affected individuals. The maintainer is obligated to notify the owner or licensor of the data, and the owner or licensor of the data is required to notify affected individuals. Connecticut requires the owner/licensee of personal information to provide two years of identity theft monitoring or remediation services to affected individuals in the event of a breach of a Social Security number, even if the third-party vendor/maintainer of information was responsible for the breach.
2020 Ponemon Cost of Data Breach Study, Sponsored by IBM.