For the past two years, we have attended the AICPA Practitioners Conference in Las Vegas. We go to meet new service providers and watch the trends in the accounting profession in the United States. Our experience to date suggests the accounting profession in Canada often lags two to five years behind our American counterparts.
In 2017, the hot topic was cybersecurity. We met many leaders from mid-size firms who had invested in a full-time internal cybersecurity senior position. These firms were not merely incurring costs to ensure the internal firm risks were being addressed; they were also creating new advisory services for clients in the space of cybersecurity.
Back home in Canada, the discussion around cybersecurity is limited. The model we typically see is firms outsourcing to various IT providers, and becoming reliant on the security systems those third-party providers have in place.
As cybersecurity gains traction in Canada, likely on the heels of increasing security breaches, we want to be in a position to provide resources, support and guidance to the firms we work with. One of the most common questions we are asked concerns the risks associated with cloud storage services.
We recently had the opportunity to meet with Christian Redshaw and Dominic Vogel, the founders of cybersecurity company CyberSC. With over a decade of experience in the accounting profession, we believe they are in a good position to assist firms with security needs now and in the future.
We sat down with Dominic to explore a few questions related to the usage and related risks of cloud storage services. We hope you find some value in this article and encourage you to visit https://www.cyber.sc/ for additional resources.
Clearline Consulting: Which cloud storage providers would you recommend?
CyberSC: Choosing which reputable cloud storage provider to use is less important than understanding how to securely store your data in the cloud.
Some of the more established and reputable providers of cloud storage are:
- Dropbox
- Google Drive
- Microsoft OneDrive
- Amazon Drive
All of these vendors have good security measures in place so, ultimately, it doesn’t matter which of these providers you choose. What matters most is how you configure them so that you’re using your cloud storage securely.
Clearline Consulting: Is the location of the storage providers’ servers a critical consideration? The accounting profession refers to the risks under the Patriot Act in the United States often.
CyberSC: At this point in time, all personal health information must be stored in Canada (Personal Health Number, Medical Records, Dental Records, etc.). Other types of data are permitted to be stored on servers outside of Canada but you may have some contractual requirements stating otherwise. It is important to review your contracts very carefully to understand what your contractual obligations are.
Clearline Consulting: What are the underlying risks of online data storage?
CyberSC: While important, cloud storage is only one aspect of information security. In order to keep your critical data secure, you need to take good care of each of the following cyber security categories: people, processes and technology.
From there, you must be aware of the risks you face when you choose to store any data in the cloud.
The top four inherent risks in cloud storage are:
- Risk of unauthorized access to your sensitive business data.
- Legal, contractual and compliance risks such as health care information which can’t be stored outside of Canada.
- Cloud storage vendor security risks in that the vendor might not have the proper security controls in place.
- Availability (down time) risks if the platform goes down and you can’t access your files.
Clearline Consulting: How should a firm start in addressing each of these risks?
CyberSC: Firstly, make sure you take the time to go through the access controls provided by the cloud provider to ensure that they mirror the internal access permissions within your company. You can take security a step further by encrypting your files before you store them in the cloud so they’re not being sent as raw data.
To securely encrypt files, you have to first select your encryption tool. Two reputable and effective file encryption options are: ‘VeraCrypt’ and ‘7-Zip.’ The next step is to identify what data needs to be encrypted and, finally, to make sure that the people needing to view your encrypted files know how to access the data.
Secondly, understand what categories of critical data you have and which files you can store on the cloud. The cloud server providers you can use will be more restricted depending on your legal, contractual and regulatory compliance obligations.
If you are looking to store your data on Canadian servers, there are a couple of options. Firstly, for a purely Canadian solution, you can use sync.com. Alternatively, the larger providers like Amazon and Microsoft offer Canadian-only storage capabilities. Contact that provider and specify that you require Canadian-only storage.
Thirdly, if you are considering smaller cloud service providers, take time to do your due diligence on your chosen provider, either internally, or through a trusted third-party expert.
Fourthly, familiarize yourself with your Service Level Agreements with your provider. If the cloud provider can provide up-time (when everything is live and working well) to your required level, chances are they can do a better job than what you could achieve in-house. Find out what percentage of up-time they are committed to and what happens when there is downtime (i.e. do you get money back?).
As you consider your cloud storage options, be sure to choose a reputable provider, understand the risks you face and take the steps outlined above to address those risks.
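The encrypt-before-upload step described above, sketched with 7-Zip's command-line tool as an added example (not from the original interview or from CyberSC). It assumes the `7z` binary is on the PATH; the function names and the `SEVENZIP_PASSPHRASE` variable are made up for illustration.

```shell
# Added example: encrypt a folder with 7-Zip before it goes to cloud storage.
# Function names and SEVENZIP_PASSPHRASE are assumptions, not 7-Zip features.

# encrypt_for_cloud SRC_DIR OUT_ARCHIVE
# Creates an AES-256 encrypted .7z archive. -mhe=on also encrypts the archive
# header, so file names are hidden from anyone without the passphrase.
encrypt_for_cloud() {
    local src="$1" out="$2"
    command -v 7z >/dev/null 2>&1 || { echo "7z not found" >&2; return 2; }
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    [ ! -e "$out" ] || { echo "refusing to overwrite: $out" >&2; return 2; }
    if [ -n "${SEVENZIP_PASSPHRASE:-}" ]; then
        # Non-interactive use: the passphrase is visible in the process list
        # while 7z runs, so prefer the interactive prompt on shared machines.
        7z a -t7z -mhe=on -p"$SEVENZIP_PASSPHRASE" "$out" "$src" >/dev/null
    else
        7z a -t7z -mhe=on -p "$out" "$src" >/dev/null   # 7z prompts for it
    fi
}

# names_are_hidden ARCHIVE
# Succeeds only if listing the archive with a wrong passphrase fails, which
# means the header is encrypted and file names do not leak to the provider.
names_are_hidden() {
    command -v 7z >/dev/null 2>&1 || return 2
    [ -f "$1" ] || return 2
    ! 7z l -p"deliberately-wrong-passphrase-for-check" "$1" >/dev/null 2>&1
}

# verify_archive ARCHIVE
# Tests every file in the archive with the real passphrase, so a damaged or
# mistyped-passphrase archive is caught before it is uploaded and before
# anyone relies on it as the only copy.
verify_archive() {
    [ -f "$1" ] || return 2
    7z t -p"${SEVENZIP_PASSPHRASE:-}" "$1" >/dev/null 2>&1
}
```

An archive created without `-mhe=on` still protects file contents, but `names_are_hidden` reports failure for it because client and file names remain readable.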
CyberSC provides affordable, externally managed cyber security leadership to ensure that your company, your people, your network, your processes and the products you develop, are secured to industry standards against cyber-attacks. Partnering with CyberSC means you will:
- Minimize your exposure to costly cyber-attacks.
- Help your directors, officers and senior leaders fulfill their fiduciary duties to provide thoughtful, well-planned cyber security oversight.
- Have a compelling brand narrative which provides a more solid legal and regulatory defense in the event of litigation after a cyber-attack.