Employees are discovering that cloud storage services are a great way to access work-related data at home and on the road, and to collaborate with co-workers, especially those who work remotely.
Unfortunately, they’re also a great way to make your confidential data insecure – which is why you may need a thoughtful policy covering their use.
Cloud services allow a user to log into an account, upload documents or files, and then access or download them from any device, anywhere and at any time. Users can sync folders across devices, and can also share or sync files with others.
Common examples include Dropbox, Google Drive, SkyDrive and Cubby.
While these services can greatly enhance productivity, they also pose risks, because once employees upload data to the cloud, it’s no longer on your system.
Most cloud providers have pretty good security, but no technology is foolproof – witness the recent release of nude celebrity photos that were stored in the cloud. And it may not even be necessary for hackers to “crack” a sophisticated system. One common hacker technique is to steal usernames and passwords from less-secure sites and use them to try to log into more secure sites. Since many people use the same passwords for multiple sites, this sometimes works.
Also, the whole idea of cloud storage is to be able to access data remotely, and your security is only as good as the network your employees are using at that moment. If an employee is accessing sensitive data on an unprotected home network or using wi-fi at a local Starbucks, your information is not secure.
A hack of company data can be devastating. In the recent Sony case, stolen data included employees’ salaries, Social Security numbers, private medical information and much more. Sony is now being sued by employees in a class action.
Another risk is that cloud services make it easy for an employee who is planning to go to work for a competitor to steal confidential information. In the past, businesses were often able to catch such employees, because they would typically e-mail lots of files to a personal e-mail account in the days before they left. But if an employee has routinely synced his or her computer with a home device, it’s much harder to prove they did something wrong.
Employees can even set up a script at home so that every time a file is added to Dropbox, it is printed on their home computer.
If you ever bring a lawsuit against a competitor for theft of trade secrets, one of the things you will have to prove is that the information was actually “secret,” and that you took reasonable steps to keep it confidential. If you don’t have a policy that limits employees’ ability to upload and share data in the cloud, that’s much harder to prove.
One way to protect yourself is to limit your company to one cloud provider. It’s much easier to maintain security with one company than it is if you let employees do their own thing with whatever providers they choose – especially if the cloud service you work with can give you reports on employee usage.
It may also be a good idea to have a written cloud storage policy and have employees sign off on it.
Among other things, such a policy could say that employees may not upload or share data using the cloud without approval by management, may not use a cloud service that’s not approved by management, may access cloud data only when they have a secure connection, may not download data to home devices or share data with anyone outside the company, and may not share their login credentials with anyone (including co-workers).