The cloud has gotten a bad name as being a data-security risk in and of itself, but smaller companies in particular may actually be able to increase overall security by moving data to a cloud provider that has a robust security framework in place, an expert says.

Speaking during a Marsh webcast titled “Cyber Risk: Trends and Solutions,” Jason Straight, managing director, Kroll Advisory Solutions, said third-party breaches are becoming increasingly common as businesses rely on outside vendors to manage and host data. But he stressed that the key to minimizing the chances of such breaches is to take the time to get to know the vendors themselves. “Visit them,” he said, and evaluate the security measures they have in place. “If you don't have qualified staff in-house, then hire someone who can help you do that,” Straight added.

If a vendor is not forthcoming about its security efforts, Straight said that should be a red flag. Ultimately, he noted, the “reputation and risk is yours to bear,” so it makes sense to “roll up your sleeves and look under the hood” when considering vendors.

For smaller companies that perform their due diligence, using a cloud provider could actually be beneficial to security efforts, he said, as the vendor might be able to devote more resources and expertise to protecting data than the company itself can.

The threat of a cyber attack on small and medium-sized businesses is very real, according to the experts who spoke during the webinar. Straight noted that cyber attacks have gone through a dramatic evolution since 2005, and small and medium-sized businesses may now be targeted as a way to reach business partners' systems. Today, he noted, “it's not just about securing yourself.” Businesses need to look not just at what is getting into their networks, but at what is getting out as well.

Bob Parisi, Marsh's network security practice leader, says midsize companies are attacked just as often as large ones, and the impact can be more debilitating. “It can knock a company completely out of the box,” he said during the webinar.

Straight added that while there is some correlation between the size of the company and the risk of a cyber attack, it really comes down to other factors, such as the volume of sensitive information a business collects, or if the company has a public-facing website that will cause a major disruption to business if it goes down.

Insurance protection has evolved along with cyber threats, and Parisi said small and midsize companies today are able to take advantage of cyber-insurance coverages that were not available just a few years ago. These companies, he said, “don't have to settle for less than robust coverage” anymore.

Beyond insurance coverage, Straight outlined the importance of having a comprehensive incident-response plan. Companies must be able to manage the panic that will ensue after a breach and make good decisions, he said. “The scarcest resource in the event of a breach is time,” he said, noting that regulations and statutes have timelines, and company executives may be demanding answers. A practical plan, he said, can save time.

He also said companies should try to avoid common missteps such as using the word “breach” too soon (Straight noted that a company might use this word when malware is detected before it is clear if any information has actually been exposed), and rushing to notify stakeholders before the full scope of a breach is determined (the company has already suffered damage to its credibility, he said, and constantly going back and revising information will only make things worse).
