When computer systems connect to each other via the internet, the threat of espionage, sabotage and extortion is a realistic scenario for businesses and governments. Every computer system can be hacked, and if you're in charge of security, you need to know what is required of a system that supports the core function of the business and helps you in emergency situations.
Unless you are the first security manager I've met who wants their contingency plans broadcast in online newspapers, you'll have to carefully select providers and systems that are resilient and serious about data security.
Working in the cloud
Online software and cloud services have many benefits, some more apparent than others:
- Lower costs. You share the cost of hardware, storage, software and infrastructure.
- Reduced dependence on ICT resources in your own organisation, and easier access to important functions 24 hours a day.
- Cost-efficient storage of large amounts of data.
- Flexibility: services customised for specific needs.
- Lower risk and higher security. Many suppliers have complete control over how your information is handled. They meet requirements for security and preparedness, and they have well-established procedures and routines for handling your data. They can offer the same or even higher levels of security than both big and small companies can manage on their own.
However, it is not easy to choose a supplier of cloud services for security and preparedness. Many criteria must be met; here are some that may give cause for concern:
- Who has access to your information?
- What kind of information have you stored?
- Where (in the world) is your data stored, and which laws regulate access to it?
- Are backups subject to the same security?
- Can you access the information when you need it?
- How does your supplier comply with data protection legislation?
Who cares about data security?
As a supplier of secure services in our field of expertise, I often receive documents with specific requirements. There can be up to 600 questions on how our organisation is prepared to safeguard the security of the services we offer. I am truly impressed with how prepared some of our clients are. But what surprises me the most is the number of clients who don't ask any questions and can't even answer when we ask: who, what, where and how.
Before you decide on a supplier for your ICT-based cloud services, I recommend a thorough evaluation of the providers based on these steps:
- Do a risk analysis according to data protection legislation.
- Enter a data processing agreement with the supplier.
- Clarify whether it is legal, and acceptable under the supplier's guidelines, to store data abroad.
- Get a picture of the company culture regarding the handling of sensitive and secure information. Do they work continually on security? Is it a company with experience in this field? Ask to see a certificate, or some other form of documentation, that shows their business complies with ISO 27001 (information security management).
- If the supplier develops the software themselves, make sure security is a factor throughout the development process. Also ask for documentation of how penetration and security testing are implemented and monitored. This is a good indicator of the supplier's professionalism.
It all comes down to how resilient the supplier of solutions for security, preparedness and crisis management is to the same threats. In case everything should go wrong, make sure your supplier can offer a backup solution.