[Expert Interview] Are You Keeping Your Clients’ Data Secure Enough?

November 9th, 2017 | Blog, Risk, Vulnerability

There’s a rumor out there that it’s safer to use paper-based methods and store data on your hard drive than to keep it in the cloud. In the cloud, your data is out of your hands. There’s no telling what could happen to it.

But is that really true? If I’m your client, I want to know you’re using the best methods to keep my information safe. So which is more secure—paper or the cloud?

We wanted to get the perspective of someone who works in the trenches of data security. So we sat down with privacy and information security attorney Scot Ganow and asked him for his take on the issue. Here’s what he had to say.

Paper vs. Cloud: Which Is More Secure?

Q.  Scot, tell me about your work.

A.  My practice focuses on privacy and data security. So, I assist clients of various sizes in pretty much any industry, in handling matters pertaining to data governance. First, we assist clients in assessing their data governance obligations and help them develop programs to properly manage their information. Second, when incidents arise, we assist clients in responding accordingly, whether they’re dealing with regulatory investigation, or litigation pertaining to a security incident, or a data breach involving compromised or unauthorized disclosure of protected information.

I haven’t always been an attorney. I worked in corporate healthcare and technology companies for about ten or twelve years before going to law school. My hope with my practice is bringing data privacy and security in line with (clients’) other critical business operations so they can stay in business—and, more importantly, capitalize and thrive in business.

Q.  Cloud storage is becoming the accepted standard for storing data, but some security consultants don’t trust the cloud. They think paper and hard drives are safer. Is that a myth, and what do you recommend?

A.  I wouldn’t say it’s a myth, per se, as it’s mainly a misperception….I’ve been at this long enough that I recall when “the cloud” was a bad word, because no one understood it. There was that perception that, “I’ve lost control of my data (when it’s in the cloud), so it’s less secure than if I have it on my workstation here in my office.” I’ve seen that perception change.

A cloud-based solution isn’t always the answer, but it can be an effective solution—for various reasons. One, (cloud service providers) may be able to secure your information better than you can because that’s their business: to manage data and do it securely. That’s their focus, data is their business. Just like the same reason I hire someone to do drywall for me—because I’ve done it, and I’m horrible at it! Sometimes you just give it to someone who’s better at it.

They often use better security, and more importantly, they’re constantly keeping up with solutions to manage and patch against all the risks—which you may not have time to do, or your one-person IT shop might not have the time to do. That’s not what you do…you don’t secure data, that’s not your business.

So, in many cases, a cloud service provider can provide better services to safeguard your data than you ever could.

Secondly, the benefit of using a cloud service provider provides some redundancy. So, when your building goes up in flames or gets hit by a hurricane or you lose that desktop because you haven’t patched it or you’re running Windows XP…when you lose that copy, you’ve got a backup.

So there’s lots of reasons why you use that cloud service provider, or a backup system to maintain copies.

Another common misperception is that in giving data to a cloud service provider you can’t control what they do with the data. While you may not have physical control of the data, you can ensure your service provider implements reasonable administrative, technical and physical safeguards. And while you may not be able to physically visit and audit such a cloud service provider housing your data, you can secure regularly scheduled audits to ensure your commitments to your clients are maintained.

So if you’re trying to pitch to a client, and you want their business, and they’re asking, “What’s your data governance plan? What’s your security plan?” Well, a lot of times—I’ve very rarely found a small business or a business in general that (can keep data secure) by itself. But I can tell you a cloud service provider outsourcing company is compliant. And that scores a lot of points for your clients when you can show, “I use this third-party service provider. They carry this insurance, they have this service rating, they have these audits. This is my…solution.” That scores a lot of points, because you’re less of a risk to partner with.


And I’m finding more and more, that’s the cost of doing business. It’s not just a nice-to-have or requirement for regulatory compliance. Customers are expecting it. “If you want my…business, you’d better show me you’re not gonna put my data at risk by partnering with you, even if you’re (just) a five-person startup.”

Q.  In your experience, are there common mistakes you’ve seen companies make with their data security?

A.  Oh, sure. Lots of different areas. The most common, most consistent mistakes that I’ve seen—whether on a small or large scale—are…they are not taking the time to assess the risks to their data. They’re not conducting risk assessments, they’re not doing a risk analysis and implementing solutions to fix any problems they find….The most recent and most notable breaches have involved systems not being patched. Right? I mean, think about that.

Another area that I continually see ignored, or just not embraced, is training. Employee training and awareness programs. Employees are the number one risk, year-in and year-out, to companies. They top the surveys every year. It’s not the hacker in the hoodie—because you know all hackers wear hoodies, right? [Laughs] It’s employees.

And it’s not that they’re malicious or ill-meaning employees leaving the company. It’s the employee that just doesn’t know any better, because they haven’t been trained….So what do they do? They click on a link. They didn’t encrypt data when they sent it. They did something that they weren’t supposed to do. Not maliciously, they just didn’t know any better or just didn’t care enough to follow procedure.

Training is one of those things that costs very little but bears lots and lots of fruit.

Q.  What’s your advice to professionals who feel that if they have something on paper, it’s going to be safer? Because you can’t control it once it’s digital, right?

A.  So let me just acknowledge, I’m one of those people that loves paper. I just do. So I get that, and I definitely appreciate that.

Let me give you an example to illustrate the point. I do a lot of privacy awareness security classes for parents’ groups, teachers’ groups, whatever. And the common question I always get is, “What about online banking?” People will tell me that in this day and age, they don’t trust the banks. They don’t want to keep anything online, they want to do everything with checks. The idea is, if it’s not out there, it’s less risky.

But the reality is, the data is there anyways….The bank is putting the data up there (in the cloud) anyways. The transaction, the account balances, are up there anyways. Just because you’re choosing not to enter the data doesn’t mean it’s not out there.

So if I’m a security consultant, and I do everything on paper, okay, that’s fine. But how are you going to share and communicate it with others? So if I’m a consultant and I do an assessment for a client and I write that report in the word processor and I print it out, I give it to them on a clip—do you honestly think they’re going to keep it on paper? They’re probably going to scan it and use it and email it and do different things with it as well.

So I think it’s an illusion that the data will always stay that way or that the data isn’t already there (in the cloud) anyways. Because that’s just the nature in which data moves today, as opposed to, you know, ten years ago.

Q.  You mentioned emailing a PDF. If I email a document to a client, am I taking risks then as well?

A.  Exactly. There’s always risk. But it always comes back to the question of, How does your client really use the information in the first place? Can you send it in the U.S. mail to be delivered by hand? Sure, but is that convenient to me, as your client? You’re balancing convenience and practicality with security. They operate inversely with each other sometimes.

In the end, anytime you introduce other people, you’re introducing risk. Whether they’re people who should have the data in the first place, or not. You just can’t avoid that anymore.

Q.  Many consultants take notes on paper. How secure is the paper itself? Should consultants be concerned about that?

A.  It wouldn’t be different from anything else you’re managing from a physical perspective—whether it’s a thumb drive, whether it’s a physical document, whether it’s a folder, or a laptop in your bag. The physical security is really the question, more so than the actual paper itself. And how you maintain that security. Do you maintain the appropriate security around that, as far as whether people can access it?

Honestly, when it comes to reducing things to paper, putting things in writing, there’s a reason people have verbal conversations. There’s a risk to having anything in writing.

But beyond that, you absolutely have to safeguard your (sensitive) information. I carry a lot of paper around with me, as an attorney. So, it’s not so much about the paper—it’s about, Do I have the good physical security practices in place to keep that information secure from unauthorized disclosure?


Thanks for your time, Scot.

Absolutely. I love this stuff. And it’s important! I think data governance scares a lot of people away, but they shouldn’t be scared of it…Just get started.

Circadian Risk Keeps Your Data Safe

Security consultants that use Circadian Risk don’t have to worry about their clients’ data. We use secure cloud storage options that are designed to give your data the best protection possible. Don’t trust your laptop or office environment to keep your clients’ private information safe. Make the move to Circadian Risk.

See our software for yourself—schedule a personalized demo today!

Daniel Young

Daniel Young is the Founder and CEO at Circadian Risk Inc. He was a Regional Bioterrorism Coordinator, Security Account Manager, and has been a security and risk expert for over 10 years.