You can be on Entrepreneur’s cover!

When It Comes to Adopting the Cloud, You've Got to Secure Company Data Here are five important tips in tightening small-business cloud security in this threatening online world.

By Patrick Heim

entrepreneur daily

Opinions expressed by Entrepreneur contributors are their own.

Yongyuan Dai | Getty Images

Whether you're starting a new business, or you have an established small- to medium-sized business, entrepreneurs today have a unique challenge as well as an opportunity when it comes to adopting the cloud. Before there was a wide array of cloud providers serving almost every business need, organizations regardless of size had to maintain IT departments or consultants and extensive physical infrastructure to run their businesses.

Related: Why Cloud Storage Provider Box Had a Killer Quarter

But the hidden downside to this approach wasn't just long-term cost -- it was security.

Securing your systems and data in today's threatening environment is complicated -- very complicated. It requires technical specialists and a complicated array of ever-changing security products. Monitoring, maintenance, policies, upgrades, patches, etc. are all hidden costs of maintaining your own IT infrastructure.

Even if a company has the financial resources, finding and retaining the skilled technical security talent necessary to succeed is exceedingly difficult. The number of skilled people haven't scaled with the demand. Unfortunately, in the "run your own IT" model, all forces are stacked against SMBs succeeding in being able to secure their systems.

As the founder, how do you ensure all systems are secure? Not surprisingly, cloud companies help bend the economics of security. Organizations like Dropbox, Google, Microsoft, Salesforce, etc. all have amazing resources to secure their environments. Not only can they attract and retain the best and brightest by offering unique challenges at a massive scale, they also have the resources to build out comprehensive teams.

A good portion of security responsibilities is transferred to cloud providers. From a customer perspective, there are also no hidden costs. Security is something that is baked into a highly predictable subscription fee.

So let's assume that you embrace the cloud like many small companies already have. The question is: "How do I make it secure?" Here's some practical advice.

1. Choose wisely.

Although cloud services have the potential for being considerably more secure than on-premise solutions, not all are created equal. Test the commitment of the cloud provider to security by reviewing which certifications they have. A cloud provider that's strongly aligned with values of customer trust and security will generally have independently audited certifications such as ISO 27001/27018, AICPA SOC 1/2/3, Cloud Security Alliance STAR, PCI, etc.

Related: How Network Segmentation Can Help Entrepreneurs Manage Ransomware Risks

Small business owners should review and trust these audit reports and not invest resources in conducting their own assessments. Other positive security indicators include security bug bounties, penetration tests, red teams and other third-party scrutiny that indicates that a cloud provider is going beyond the basics and truly committed to providing a hardened service.

2. Harden authentication with strong password management.

Contrary to popular advice, strong passwords are not the end-all to protecting an online account. Using the same password across multiple providers results in far more compromises than simply using weak passwords.

Consider enabling standards-based "SAML" single sign-on (there are cloud providers for this) and turning on two-factor authentication (2FA) wherever supported. Another great investment is a password management tool (e.g. 1Password, LastPass, etc.) that improves user experience while enabling highly complex and unique passwords for every application.

3. Accountability

Every formally adopted cloud service needs to have someone who is accountable for managing it as an administrator, monitoring usage and controlling access. Many of the security mistakes we see at Dropbox are employers not revoking access from terminated employees or configuring only a single-administrator account and then having that individual leave. Make sure your de-provisioning processes are robust, and timely and you have backups for all system administrators.

4. Make it safe.

There are many cloud providers that enable business and individual productivity for your business. Those who provide core services such as customer relationship management, financial systems, human resources, payroll, etc. should be closely managed, and adoption of unapproved services needs to be controlled.

Conversely, a much more flexible attitude should be taken for cloud services that enable individual productivity, innovation, collaboration, etc. Your employees can be your best technology innovators, because they are continuously assessing and adopting new services that make them more efficient.

Figure out what these services are -- and wrap security around them. Implement security products that give you monitoring and control capabilities, and sign up for business-class versions of popular services that your employees already use and love. Cracking down by restricting access can have unexpected consequences.

5. Secure your endpoints.

Many intrusions happen, because an individual is tricked to click on a link or run something. Security training is important, but even the most aware individuals can be phished. Implementing a comprehensive suit of security tools on every endpoint is essential to when the inevitable happens, and a bad guy tries to run code on your employees desktops or laptops.

In addition, I would advise that you turn on all available auto-update features for end-user operating systems and applications, and keep installed applications up to date. It is much more difficult for an attacker to compromise your company if everything is patched and up to date. You should measure and reward your teams to apply patches and updates as fast as possible.

This may feel like a lot of advice, but as I said in the beginning, it's complicated -- very complicated. Based on studying why companies have security compromises, I believe this list is a great starting point to dramatically drive down your company's risk.

Related: Dell's Cyber Security Unit Secureworks Valued at Up to $1.42 Billion in IPO

Patrick Heim

Head of trust and security at Dropbox

Patrick Heim is the head of trust and security at Dropbox, where he manages security and compliance for both the company and its service. He joined Dropbox in January of 2015 with over 20 years of information security and technology experience. Previously, he served as chief trust officer at, where he built and ran a world-class security team that contributed to making Salesforce one of the most trusted enterprise cloud vendors. Patrick also held chief information security officer positions at Kaiser Permanente and McKesson Corporation and senior positions at Ernst & Young and two early-stage security technology companies. Patrick advises security startups and serves on the board of directors at Cylance.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Business News

A Non-Profit Newspaper Published a Column Criticizing Facebook. Then Meta Blocked All of Its Posts.

Facebook's communications chief said that the posts were removed because of "a mistaken security issue."

Business News

Elon Musk Reveals When Tesla Will Release Its First Robotaxi

Tesla's CEO says the fully autonomous Tesla taxi is arriving soon — in 122 days.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business News

Walmart Shoppers May Be Eligible for $500 After Settlement

Walmart shoppers who purchased weighted goods or bagged citrus in the U.S. or Puerto Rico from late 2018 through early 2024 might be eligible for a share of a $45 million settlement.

Business News

Total Solar Eclipse 2024 Live Feed: Where, When and How to Watch the 2024 Eclipse

Here's what to know about the total eclipse 2024 and a live stream from NASA.

Business News

OpenAI Reportedly Used More Than a Million Hours of YouTube Videos to Train Its Latest AI Model

YouTube CEO Neal Mohan said last week that if OpenAI used YouTube videos to train text-to-video generator Sora, that would be a "clear violation" of the terms of use.