When It Comes to Adopting the Cloud, You've Got to Secure Company Data

Here are five important tips for tightening small-business cloud security in this threatening online world.

By Patrick Heim

Opinions expressed by Entrepreneur contributors are their own.

Whether you're starting a new business or running an established small- to medium-sized business, as an entrepreneur today you have a unique challenge as well as an opportunity when it comes to adopting the cloud. Before there was a wide array of cloud providers serving almost every business need, organizations, regardless of size, had to maintain IT departments or consultants and extensive physical infrastructure to run their businesses.

But the hidden downside to this approach wasn't just long-term cost -- it was security.

Securing your systems and data in today's threatening environment is complicated -- very complicated. It requires technical specialists and a complicated array of ever-changing security products. Monitoring, maintenance, policies, upgrades, patches, etc. are all hidden costs of maintaining your own IT infrastructure.

Even if a company has the financial resources, finding and retaining the skilled technical security talent necessary to succeed is exceedingly difficult. The number of skilled people hasn't scaled with the demand. Unfortunately, in the "run your own IT" model, all forces are stacked against SMBs succeeding in securing their systems.

As the founder, how do you ensure all systems are secure? Not surprisingly, cloud companies help bend the economics of security. Organizations like Dropbox, Google, Microsoft, Salesforce, etc. all have amazing resources to secure their environments. Not only can they attract and retain the best and brightest by offering unique challenges at a massive scale, they also have the resources to build out comprehensive teams.

A good portion of security responsibilities is transferred to cloud providers. From a customer perspective, there are also no hidden costs. Security is something that is baked into a highly predictable subscription fee.

So let's assume that you embrace the cloud like many small companies already have. The question is: "How do I make it secure?" Here's some practical advice.

1. Choose wisely.

Although cloud services have the potential for being considerably more secure than on-premise solutions, not all are created equal. Test the commitment of the cloud provider to security by reviewing which certifications they have. A cloud provider that's strongly aligned with values of customer trust and security will generally have independently audited certifications such as ISO 27001/27018, AICPA SOC 1/2/3, Cloud Security Alliance STAR, PCI, etc.

Small business owners should review and trust these audit reports and not invest resources in conducting their own assessments. Other positive security indicators include security bug bounties, penetration tests, red teams and other third-party scrutiny that indicates that a cloud provider is going beyond the basics and truly committed to providing a hardened service.

2. Harden authentication with strong password management.

Contrary to popular advice, strong passwords are not the end-all to protecting an online account. Using the same password across multiple providers results in far more compromises than simply using weak passwords.

Consider enabling standards-based "SAML" single sign-on (there are cloud providers for this) and turning on two-factor authentication (2FA) wherever supported. Another great investment is a password management tool (e.g. 1Password, LastPass, etc.) that improves user experience while enabling highly complex and unique passwords for every application.

3. Accountability

Every formally adopted cloud service needs to have someone who is accountable for managing it as an administrator, monitoring usage and controlling access. Many of the security mistakes we see at Dropbox are employers not revoking access from terminated employees or configuring only a single-administrator account and then having that individual leave. Make sure your de-provisioning processes are robust and timely, and that you have backups for all system administrators.
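
One way to check for the two mistakes named above (accounts left active after a termination, and a service with only one administrator), as an added example that is not part of the original article. The CSV column names, service names and addresses are constructed assumptions, not any provider's real export format.

```python
import csv
import io

# Constructed sample data: an HR roster and a combined account export.
HR_ROSTER = """email,status
alice@example.com,active
bob@example.com,terminated
carol@example.com,active
"""

ACCOUNT_EXPORT = """service,email,role
crm,alice@example.com,admin
crm,bob@example.com,user
payroll,bob@example.com,admin
payroll,carol@example.com,user
files,alice@example.com,admin
files,carol@example.com,admin
files,dave@example.com,user
"""


def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(roster_rows, account_rows, min_admins=2):
    """Return (stale_accounts, under_administered_services)."""
    active = {r["email"].strip().lower() for r in roster_rows
              if r["status"].strip().lower() == "active"}
    stale, admins = [], {}
    for row in account_rows:
        service, email = row["service"], row["email"].strip().lower()
        admins.setdefault(service, set())
        if email not in active:
            # Terminated, or never on the roster: access should be revoked.
            stale.append((service, email))
        elif row["role"].strip().lower() == "admin":
            # Only admins who are still employed count as usable backups.
            admins[service].add(email)
    under = {s: sorted(a) for s, a in admins.items() if len(a) < min_admins}
    return sorted(stale), under


if __name__ == "__main__":
    stale, under = audit(load(HR_ROSTER), load(ACCOUNT_EXPORT))
    print("Accounts to revoke:", stale)
    print("Services needing a backup admin:", under)
```

In the sample data, the payroll service is flagged with no usable administrator at all, because its only admin account belongs to a terminated employee.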

4. Make it safe.

There are many cloud providers that enable business and individual productivity for your business. Those who provide core services such as customer relationship management, financial systems, human resources, payroll, etc. should be closely managed, and adoption of unapproved services needs to be controlled.

Conversely, a much more flexible attitude should be taken for cloud services that enable individual productivity, innovation, collaboration, etc. Your employees can be your best technology innovators, because they are continuously assessing and adopting new services that make them more efficient.

Figure out what these services are -- and wrap security around them. Implement security products that give you monitoring and control capabilities, and sign up for business-class versions of popular services that your employees already use and love. Cracking down by restricting access can have unexpected consequences.

5. Secure your endpoints.

Many intrusions happen because an individual is tricked into clicking on a link or running something. Security training is important, but even the most aware individuals can be phished. Implementing a comprehensive suite of security tools on every endpoint is essential for when the inevitable happens and a bad guy tries to run code on your employees' desktops or laptops.

In addition, I would advise that you turn on all available auto-update features for end-user operating systems and applications, and keep installed applications up to date. It is much more difficult for an attacker to compromise your company if everything is patched and up to date. You should measure and reward your teams for applying patches and updates as fast as possible.

This may feel like a lot of advice, but as I said in the beginning, it's complicated -- very complicated. Based on studying why companies have security compromises, I believe this list is a great starting point to dramatically drive down your company's risk.

Patrick Heim

Head of trust and security at Dropbox

Patrick Heim is the head of trust and security at Dropbox, where he manages security and compliance for both the company and its service. He joined Dropbox in January of 2015 with over 20 years of information security and technology experience. Previously, he served as chief trust officer at Salesforce.com, where he built and ran a world-class security team that contributed to making Salesforce one of the most trusted enterprise cloud vendors. Patrick also held chief information security officer positions at Kaiser Permanente and McKesson Corporation and senior positions at Ernst & Young and two early-stage security technology companies. Patrick advises security startups and serves on the board of directors at Cylance.
