In this guest post, Kevin Kerridge, Director for Hiscox Small Business Insurance, outlines what needs to be considered when selecting, and doing business with, a cloud provider. Kerridge emphasizes the point that when you outsource data or services, that doesn’t mean that you outsource responsibility along with it.
Would you send your child to a daycare if you didn’t completely trust the staff? Of course not! You want your child to be safe and well cared for. Small business owners feel the same way about their organization’s assets and data. When moving to “the cloud,” they want to be sure that the technology resources and data, their business’s lifeblood, are handled with extreme care.
By the same token, parents and small business owners have some of the same expectations. Their provider must be prudent and experienced, as well as have discretionary hiring standards. Above all, the provider must keep their child or data protected and accessible only to their inner circle.
The main reason many small business owners are turning to cloud computing is the cost savings and efficiency. The global cloud market is expected to grow to $121 billion by 2015 from $38 billion in 2010, according to the research firm MarketsandMarkets. Additionally, AMI Partners expects that by 2015, small businesses will be spending more than 15 percent of their annual budgets on cloud-based services.
Regardless of how the cloud is accessed, as a small business owner, you cannot outsource responsibility. Small business owners must establish and enforce proper due diligence, including vetting providers; writing a solid contract; and mitigating potential exclusivity and other issues for all business relationships surrounding the cloud, including client-to-cloud, cloud-to-third party, and client-to-third party.
Vetting Cloud Providers
Start by making sure that the provider knows and has experience with all of its software applications, protocols and operating systems. Small business owners should also take into consideration a provider’s familiarity with their industry.
Once a provider has been chosen, the business owner must establish clear lines of communication and accountability, as well as set clear performance expectations and monitor how closely they’re being met. Performance isn’t just about up-time. It’s important to ask the provider questions about physical security, employee selection, resource training and monitoring, patch management and disaster recovery.
Drafting a Contract
The next step is to establish a contract with your cloud provider. When reviewing contract terms, business owners should ensure that the contract shifts an appropriate amount of legal responsibility to the provider. In the event of a data breach, for example, the cost of notification, monitoring and other requirements should be the provider’s responsibility.
Further, the contract should state with particularity how and when breaches will be reported and the protocol for responding to them. All cloud providers should be required to have comprehensive insurance, including professional liability (errors and omissions). Before signing a contract, it is wise to confirm that your provider does have proper insurance coverage.
Mitigating Potential Issues
With 31 percent of small businesses citing security and compliance as a top inhibitor to cloud computing, according to North Bridge Venture Partners, it’s also important for small business owners to consider the risks and potential issues associated with utilizing cloud computing. Asking the right questions and taking precautions can help keep data safe. Key factors for consideration include loss of control over relationships, subcontractors and exclusivity.
1. Loss of Control over Relationships
With 14 percent of small businesses using cloud services for email and 26 percent planning to follow suit (1), it is evident that many companies use or plan to use a cloud provider to run applications they rely on to communicate with key partners or customers. Beyond email, companies may use other apps including payment portals, customer service centers and shared sites with vendors. Make sure to establish clear expectations from day one regarding expected response times to inquiries and payments; the proper responses to customer queries (including the preparation of a pre-arranged script); and when to escalate problematic communications.
Transparency is important as well. Some business owners want their customers to be made aware when they’re leaving the company’s website, while other business owners prefer the opposite – running their portals on a cloud that is branded as though it is their own.
2. Loss of Control over Subcontractors
Small business owners should also look very closely at any cloud provider that sends offshore any part of its services, particularly if the provider plans on storing or sending data outside of the U.S.
3. Loss of Exclusivity
The cloud provider must be able to demonstrate that your data will be isolated from the data of their other customers and further, that access to the data is strictly controlled. The provider must treat your data as the asset it is and not merely as a component of its revenue stream.
Another problem with shared resources is that efficiencies can be created only if the resources are, in fact, shared. Cloud providers are creating data centers throughout the world. This could be a problem for a company that operates entirely in the United States and knows and obeys U.S. laws but is less concerned about international laws because it never expects to be exposed to a foreign jurisdiction.
Increasingly, there are new international regulations governing the handling of personal medical information, credit card data and Social Security numbers. A cloud provider should be able to tell its clients precisely where their data is stored and where it is transmitted.
There is also the issue of who has physical access to servers and other equipment and what security provisions are in place. An occasional visit to a cloud facility can put to rest nagging concerns about physical security and orderliness.
While cloud computing can present new and complex challenges for small business owners, many issues can be managed by proper vetting of the cloud provider and knowing what questions to ask. Switching to “the cloud” does not have to mean a breakdown in security and accountability. Instead, small business owners must embrace a team approach and be vigilant and proactive. Cloud computing will continue to grow; risk management must stay a step ahead.
(1) Source: Microsoft and 7th Sense Research, February 2011
This article does not offer legal, tax, or insurance advice related to the needs of any specific, individual business. Please consult your professional advisor.