Small businesses remain widely confident in their cloud storage provider’s security, but many businesses are leaving sensitive data at risk by neglecting industry regulations and other additional security measures, according to our new data.

Is your cloud storage provider secure?

More small businesses are turning toward the cloud to store their data. Cloud storage providers offer significant benefits for small businesses, including greater data mobility, cost savings, and stronger security – as long as the business uses the service properly.

Small businesses should keep cloud storage security in mind. A cloud storage security breach can be a death sentence for small businesses, especially if the breach involves sensitive customer information.

What is the current state of small business cloud storage security? What can a small business do to protect the data stored with their cloud storage providers?

We surveyed 300 U.S. small businesses with 1-500 employees to better understand cloud storage security and to provide actionable advice for small businesses seeking to protect their data in the cloud.

Our Findings Ninety percent (90%) of small businesses say their cloud is secure, a small increase from 2016.

Over half of small businesses use encryption (60%), employee training (58%), or two-factor authentication (53%) to secure their cloud storage, though these numbers should be higher.

Over 60% of small businesses storing customer credit card and banking information in their cloud storage say they do not follow industry regulations – an alarming statistic.

Compared to 2016, less businesses storing customer credit card/banking information and medical data are using free cloud storage, a positive trend.

Confidence in Cloud Storage Security is High Among Small Businesses

Small businesses remain confident in their cloud storage provider’s security, with 90% of small businesses ranking their cloud storage as “very” or “somewhat” secure.

This is a small, 3% increase from 2016 when 87% of small businesses described their cloud storage as “very” or “somewhat” secure.

However, confidence in cloud storage security is misplaced if the small business thinks that cloud storage providers alone can fully protect their data. Cloud storage security requires involvement from both the provider and the user.

Basic additional security measures, such as encryption and two-factor authentication, should be implemented by most, if not all, small businesses, even if they have confidence in their cloud storage provider’s security.

Businesses Need Additional Cloud Storage Security Measures

Over half of small businesses use encryption (60%), employee training (58%), and two-factor authentication (53%) to help secure their cloud storage providers. However, almost all small businesses should be using these security measures to protect their cloud storage.

Security flaws are often the result of human error, given that people may resort to the easiest behavior to get a task done. However, the easiest behavior may not be the most secure behavior.

For example, even though many companies have password policies that require employees to choose complex passwords and update them regularly, this policy can become a security nightmare, according to Ghazanfar Ghori, CTO of 10Pearls, a software and mobile app development agency.

Employees often don’t want to memorize a new and complex password every few weeks.

“People will write [the new password] down on a sticky note instead and stick it on their locker,” which is a security hazard, said Ghori.

The more businesses simplify security, the more likely their employees will actually follow proper security practices.

“You can yell and tell and try to enforce a policy, but at the end of the day, people will find their way around it,” said Ghori. “Creating better user experiences for employees will actually lead to better adoption of security policies.”

Essentially, your business’s security policy should require the least possible involvement from your employees, while still maintaining high levels of security, to minimize error.

Ghori recommends two-factor authentication as an easy, yet secure method for protecting data.

Two-factor authentication requires employees to enter a security code sent to either their phone or email inbox to access their cloud storage. The code means that a hacker must have both the cloud storage login and a separate individual login to breach security.

Once employees turn on two-factor authentication, they cannot easily compromise the security.

Industry Regulations Are Necessary But Often Forgotten by Small Businesses

Industry regulations exist for many types of data stored in the cloud, but small businesses often do not follow them.

We asked small businesses who indicated that they follow industry regulations if they follow any of three, well-known options:

International Organization for Standardization’s (ISO) regulation for protecting data in the cloud

Payment Card Industry Data Security Standard (PCI DSS)

Health Insurance Portability and Accountability Act (HIPAA)

Of those three choices, the most widely followed regulation is ISO.

Istvan Lam, CEO of Tresorit, an end-to-end encrypted cloud storage provider for businesses, spoke of the importance of ISO’s 27000 family of standards.

“I think the [ISO] standard can be a good way to protect information inside the organization,” said Lam. “Even if someone is not necessarily going to be audited for the standard, it’s a good practice to follow.”

ISO’s standards offer a broad, but important, set of requirements for protecting data in the cloud.

Small Businesses Aren’t Using Regulations to Protect Medical, Banking Data

Regulations exist for protecting both credit card/banking information and medical data in the cloud, and businesses are expected, if not required, to follow them.

However, we found that 62% of small businesses storing customer credit card and banking information on cloud storage say they do not follow industry regulations to secure their cloud storage.

Over half of small businesses (54%) storing medical data on cloud storage say they do not follow industry regulations to secure their cloud storage.

Payment Card Industry Data Security Standard (PCI DSS)

The world’s major credit card brands, including Visa, MasterCard, and Discover, formed the Payment Card Industry Security Standards Council in the early 2000s and created the Data Security Standard (PCI DSS) to keep credit card and banking information secure.

Businesses that store data from the major credit card brands but are not compliant with PCI DSS can face fines of up to $100,000/month.

Be sure to read up on PCI DSS’s standards for small businesses.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive medical data stored online.

HIPAA is a law signed by President Bill Clinton in 1996. Violating HIPAA carries serious consequences, as Lam of Tresorit describes.

“Recently, a hospital worker lost a laptop with 700 potential medical records,” said Lam. “If you think about it, 700 medical records is not much if you work on a daily basis with patients… but that laptop was lost and the hospital couldn’t prove if the laptop was encrypted or not. They got fined $3.5 million. A small breach like that can cost a fortune.”

Small businesses that store medical data in cloud storage must ensure they understand and follow HIPAA’s standards.

Sometimes, a security breach happens even if a company does everything it can to protect its data in the cloud. However, by following all mandated industry regulations, a small business can more easily protect the integrity of its company.

“Standards give you the ability to protect yourself from a liability standpoint, saying ‘I followed all the standards that were mandated. I still got hacked.’ And you shrug it off,” said Ghori.

By following all regulations properly, a business can overcome a security breach more easily.

Less Businesses Storing Sensitive Data on Free Cloud Storage

Less businesses are using free cloud storage to store sensitive data in the cloud – a positive change in small business cloud storage security.

Last year, 14% of small businesses using free cloud storage stored customer credit card and banking information, while 11% of small businesses using free cloud storage stored medical data.

This year, only 7% of small businesses using free cloud storage store credit card and banking information, and 6% store medical data.

Simply using paid cloud storage, without additional security measures and training, will not fully protect your data.

However, paid cloud storage is the basic level of cloud storage that should almost always be used when storing sensitive data. Free cloud storage services do not typically offer the level of support and security needed to protect sensitive data.

What Should Small Businesses do to Protect Cloud Storage Data?

Small businesses should embrace cloud storage instead of rejecting it due to fear of security risks.

Cloud storage offers a plethora of benefits for small businesses and may offer stronger security than an on-premise solution, as long as businesses implement cloud storage security properly.

Lam of Tresorit said that cloud storage can often simplify security for small businesses with limited resources.

“The integrated security features that come with cloud storage [are valuable], like two-factor authentication being offered out-of-the-box,” said Lam. “How would a small business set that up for their employees with their on-premise system?”

Small businesses need to follow several key steps for securing their cloud storage.

Patrick R., Head of Strategy at Intuz, a mobile app development and cloud solutions company, offers two recommendations for securing your cloud storage:

“Implement a strong encryption plan. We can implement client side or server side encryption for data stored in the cloud.”

Encryption is important because it does not require employee effort once implemented.

“Encryption provides security to data at all times,” said Patrick. “Encryption works during data transport or at rest, making it an ideal solution no matter where data is stored or how it is used.”

“Provide limited access. Define set rules for who can access data in the cloud.”

Every extra person who can access the data on your cloud storage increases the risk of a security breach.

These two easy-to-implement steps, as well as other critical security practices, such as enabling two-factor authentication and following industry regulations, ensure that your small business can safely store data in the cloud.

Small Businesses: Implement Additional Security Measures & Follow Regulations

Small businesses remain confident in cloud storage security. Yet, small businesses cannot let that confidence stop them from implementing additional security measures and following industry regulations.

Additional security measures, such as encryption, employee training, and two-factor authentication, protect data in cloud storage against security breaches and employee error.

Industry regulations also protect cloud storage providers from breaches and error. Some are mandated by law or third-party organizations, and small businesses can face steep fines for neglecting them.

While cloud storage offers enormous benefits in cost savings, data portability, and security, small businesses should ensure they implement proper security measures and follow necessary regulations to protect their data in the cloud.