Moving to the cloud has many benefits for companies including improved data security, real-time updated information and accessibility for team members. If you’ve recently outsourced your technology systems and data to the cloud and have been incident free since the migration, you’re probably “all set”, right? Before you say yes, let’s go over a few things that you should do at a bare minimum to reduce your risk when outsourcing software systems or technology.
Five ways to minimize risk when outsourcing technology
- Seek Expert Advice – Hire a firm that specializes in cybersecurity. It can go a long way toward allowing you to sleep at night. Request an assessment of your cybersecurity risks and exposures, and seek their recommendations. This won’t be a wasted investment as you can end up saving money down the line by preventing cybersecurity incidents from happening that could cost you much more.
- Verify First, Trust Later – Make sure your provider has strong security in layers, and does not just rely on recoverability measures alone. Prioritize vendors who have undergone an independent audit of their security controls. A SSAE16 / SOC-2 review is the most common example. If none exist, include a right-to-audit clause in the contract, and keep an open dialogue about incidents. You may not have witnessed any security incidents (that’s a good thing and a sign of a good service provider), but that doesn’t mean they aren’t occurring.
- Patch Your Employees – Employees are the shortest path to a data breach and in many cases, have the ability to circumvent security controls. There’s a huge void in employee awareness of cybersecurity and this is a reason why they are frequently targeted. Policies are often dry or nonexistent and employee practices are lax as a result. Employees incidentally or naïvely risk security all the time. The majority of large data breaches over the years have stemmed from an employee deviating from normal practices, such as clicking on obvious phishing emails, sending a sensitive report unencrypted in an email, storing sensitive information on laptops or mobile devices and using flash drives and removable storage for convenience. Make sure your employees are aware of cybersecurity risks, and hold them accountable for their role.
- Know the Line, Don’t Toe the Line – If you presume that you are no longer responsible for cybersecurity when you work with a third party vendor for systems or services, you are asking for trouble. Your responsibility doesn’t stop with a service contract. It just doesn’t. Data breach laws are prevalent, with nearly every state having a version. Most laws require less of service providers than the businesses they serve who actually own the confidential data. Know your responsibilities, and make sure you cover any gaps.
- Share the Risk – Make sure you have a solid, basic cyber insurance policy. If you don’t have one, get one. Be honest in the assessment of your security posture. Make sure at a minimum you have a policy substantial enough to cover credit monitoring services for your customers (if required by law) assuming a modest breach, and to cover an aggressive short term decline in incremental sales immediately following any public announcement. Understand the product and engage in an honest dialogue with the insurance provider. You won’t regret it.
You are undoubtedly much better off moving your systems and data to a trusted cloud provider than maintaining everything in house, with the entire burden-to-protect on your shoulders. But, make sure you don’t assume that shared burden is the same as shared responsibility. Implementing the 5 tips above will help you and your company mitigate risks that can be associated with IT and systems outsourcing.