The cloud has gotten a bad name as being a data-security risk inand of itself, but smaller companies in particular may actually beable to increase overall security by moving data to a cloudprovider that has a robust security framework in place, an expertsays.

Speaking during a Marsh webcast titled, Cyber Risk: Trends andSolutions, Jason Straight, managing director, Kroll AdvisorySolutions, said third-party breaches are becoming increasinglycommon as businesses rely on outside vendors to manage and hostdata. But he stressed that the key to minimizing the chances ofsuch breaches is to take the time to get to know the vendorsthemselves. “Visit them,” he said, and evaluate the securitymeasures they have in place. “If you don't have qualified staffin-house, then hire someone who can help you do that,” Straightadded.

If a vendor is not forthcoming about its security efforts,Straight said that should be a red flag. Ultimately, he noted, the“reputation and risk is yours to bear,” so it makes sense to “rollup your sleeves and look under the hood” when consideringvendors.

For smaller companies that perform their due diligence, using acloud provider could actually be beneficial to security efforts, hesaid, as the vendor might be able to devote moreresources and expertise to protecting data than the company itselfcan.

The threat of a cyber attack on small and medium-sizedbusinesses is very real, according to the experts who spoke duringthe webinar. Straight noted that cyber attacks have gone through adramatic evolution since 2005, and small and medium-sizedbusinesses may now be targeted as a means to transit to businesspartners' systems. Today, he noted, “it's not just about securingyourself.” Businesses need to look not just at what is getting intotheir networks, but what is getting out as well.

Bob Parisi, Marsh's network security practice leader, saysmidsize companies are attacked just as often as large ones, and theimpact can be more debilitating. “It can knock a company completelyout of the box,” he said during the webinar.

Straight added that while there is some correlation between thesize of the company and the risk of a cyber attack, it really comesdown to other factors, such as the volume of sensitive informationa business collects, or if the company has a public-facing websitethat will cause a major disruption to business if it goes down.

Insurance protection has evolved along with cyber threats,and Parisi said small and midsize companies today are able to takeadvantage of cyber-insurance coverages that were not availablejust a few years ago. These companies, he said, “don't have tosettle for less than robust coverage” anymore.

Beyond insurance coverage, Straight outlined the importance ofhaving a comprehensive incident-response plan. Companies must beable to manage the panic that will ensue after a breach and makegood decisions, he said. “The scarcest resource in the event of abreach is time,” he said, noting that regulations and statutes havetimelines, and company executives may be demanding answers. Apractical plan, he said, can save time.

He also said companies should try to avoid common missteps suchas using the word “breach” too soon (Straight noted that a companymight use this word when malware is detected before it is clear ifany information has actually been exposed), and rushing to notifystakeholders before the full scope of a breach is determined (thecompany has already suffered damage to its credibility, he said,and constantly going back and revising information will only makethings worse).