Are Small Businesses Safer in the Cloud?

Viruses named Flame and Stuxnet, and now another loss of customer data - this time from LinkedIn.  At the same time, leading small businesses everywhere are implementing cloud solutions like Microsoft Office 365 and reaping the benefits of this low cost/high capability revolution.  Which leads to a question: when it comes to the security of my business data, is there greater exposure to these threats from being in the cloud?

Small businesses are actually safer in the cloud.  Let's take a look why.

Security for your business data is, and always has been, important.  The basic idea is to protect that which you need to keep your business up and running, and out of the hands those with malicious intent.  (In the words of a David Taylor, a colleague in insurance: "don't risk what you can't afford to lose").    Before the advent of computers, businesses locked file cabinets, stored the cash in a safe, destroyed sensitive documents, restricted employee access to sensitive areas and information, and used an alarm system to deter break-ins.  Modern businesses extend those same types of precautions to computer networks and data storage.

But the question is whether putting a greater amount of your business processes and data online - in the cloud - represents a greater risk than an isolation strategy - keeping as much as possible in-house.

There are a lot of variables, of course.  The greater the number of cloud service providers, for example, the greater the potential exposure if any one of their security efforts fails.  But one thought that may cross the mind of a small business owner should be banished - that an isolation strategy might keep their business 'below the radar' of potential hackers, viruses, and malicious software attacks.

The truth is that this type damage to a small business will come from an "automated" attack of some kind - a virus that comes in through the internet or a flash drive.  The reason these types of attacks are called viruses is because the malicious software is designed to replicate itself and spread from computer to computer.  The viruses can wait until they "see" a vulnerability and find a suitable environment to infect and reproduce. This type of viral behavior puts the burden - a significant burden, as it turns out - of prevention on those would potentially be infected.  Under an isolation strategy, the entire burden falls upon the small business owner.

The world of viruses, malicious software, and other attacks is extremely dynamic.  There is (evidently) a dedicated community out there continually seeking new vulnerabilities and developing new viruses.  On the other side, governments, legitimate software companies, and cloud providers are waging a pitched battle rooted in the best security and authentication practices, research, and software upgrades and patches to quickly close a vulnerability or make a preemptive change.  They are employing resources and exercising vigilance levels that cannot be matched by the small business.  They often address the problem before a small business might even know about it.

When you think about this particular set of vulnerabilities, your business is actually safer in the cloud.  There are always basic requirements that every business must follow to keep their data safe (good resource for small businesses here , from NIST).  A medieval corollary is the cottage and the castle.  One might argue that the castle is a greater target than a cottage, but in the face of marauding hordes, the castle is a better strategy.