Is your data in the cloud? It’s still at risk of cyberattack

Many business owners believe they can transfer cyber risk by moving data to the cloud. In fact, cloud solutions usually don’t resolve cyber exposures like data breach or computer attacks. And the additional risk of cloud service outages can result in losses of $1 million or more.

Here are some points to consider when choosing and using cloud-based data storage.

Data breach

A survey conducted for Hartford Steam Boiler (HSB) by Zogby Analytics found that three-quarters of U.S. businesses use the cloud for data storage, including employee Social Security numbers, customer names, credit card numbers, proprietary information and trade secrets.

Approximately 26% of the senior executives questioned said their company had experienced a data breach and one-third of those businesses spent $50,000 to $100,000 to respond to each incident. A fifth of the companies spent more than $100,000.

Third-party involvement in a breach and extensive cloud migration at the time of the breach increases the cost of responding, according to the Ponemon Institute’s most recent study sponsored by IBM.

In many states, it is the duty of the data owner, not the cloud provider, to investigate the cause of a data breach, notify affected individuals, and report the breach to the appropriate law enforcement officials.

In addition to the cost of legal counsel, information technology services and notification, a typical breach often requires possible data restoration and may include public relations assistance or the payment of court settlements, fines or penalties.

Related: 5 approaches for putting insureds first

Cyberattacks

It doesn’t matter where your data is stored if your network shuts down because of a cyberattack. A distributed denial of service attack or malware infection can keep you from accessing your data, using your devices or conducting any business that relies on your data network.

A report by Dimension Data showed that ransomware attacks, in which criminals encrypt business data and demand payment to unlock the information, increased 350% in 2017.

Even if your data is stored in the cloud, you may not be able to access it if sophisticated types of ransomware attacks are used. A ransomware attack can disable access to business applications as well as data, resulting in significant downtime and loss of business.

Fraudulent funds transfer

As hacking tools become widely available, some cybercriminals are honing their skills and using more advanced tactics to steal private data.

In so-called social engineering schemes, for instance, hackers infiltrate a business data network and persuade unwitting employees to click on dangerous Internet links or open computer files that contain malicious computer code.

Social engineering is usually used in tandem with deceptive emails that look as if they originated from a senior executive, business manager or vendor within an organization.

Cybercriminals then direct employees to transfer company funds to fraudulent financial accounts, individuals, or phony entities controlled by hackers.

U.S. businesses report an increase in suspicious emails. HSB’s cyber survey showed more than a third had received an email during the past 12 months from someone pretending to be a senior manager or vendor requesting payments.

Almost half the employees receiving those emails responded by transferring company funds with losses most often in the $50,000 to $100,000 range, and rarely less than $10,000.

Related: Pressing tech issue: Enterprise software vs. cloud computing

Cloud service interruption

Almost half the businesses polled by HSB reported having a cloud service interruption.

Of those suffering a cloud outage, 77% had a business disruption with the costs in some cases significant — more than $1 million in 34% of those cases. Another 30 of businesses reported a cloud outage resulted in losses of $250,000 to $1 million.

It’s not surprising, since so many companies reported much of their data was accessed from the cloud.

The survey found that of the 74% of businesses using the cloud for data storage, 86% of those companies had at least 20% of their IT services are cloud-based. Nearly half (44%) said more than half of the services were, and 15% said 75% of IT services were in the cloud.

Imagine what the loss of access to those services would do to their business operations and income.

It’s up to you to keep data safe

The experiences of businesses, big and small, show that cloud storage and the contracting out of functions such as payroll do not alleviate all of the cyber risk.

Vendor due diligence and cyber insurance can help keep information secure and prevent financial losses and damage to a company’s reputation. So, it’s especially important to assess your cloud vendor’s cybersecurity and review your business insurance coverage.

How long has the cloud vendor been in business? Can it provide the level of services that match the sensitivity of your data? What data collection and system security measures are in place? Ask about their disaster recovery capabilities, privacy policies and incident response plans.

Cyber insurance is essential to help protect a business from a data breach, cyberattacks and fraud. Some insurance policies include broad recovery and legal services to help a business respond to a cyber incident and can cover lost business income resulting from cloud outages.

Cloud services are convenient and can help control operating costs. But don’t forget, you are still responsible for the security of the data you keep.

Related: Technology’s impact on P&C insurance in 2019

Timothy Zeilman (Timothy_Zeilman@hsb.com) is a vice president with The Hartford Steam Boiler Inspection and Insurance Company, which provides a range of specialty insurance products. He is responsible for the global development of insurance coverage and services for data breach, cyberattacks and identity theft.

These opinions are the author’s own.