Prevent your next data breach: the essential security checklist you can't afford to skip
What security and privacy questions should you ask when choosing a cloud software provider? How do you know that your critical business data and personally identifiable information are going to be treated with the care and diligence they deserve? An important truth is that there is no such thing as perfect digital security, but there are steps you can take to reduce your risk. Chances are you and your team are just looking for a software tool that will make you more effective, and you are not experts in digital security. So, what do you do?
I think a great place to start is with a good old-fashioned 5 W’s checklist:
Who are you entrusting your data with?
What data are you storing with them and what processes do they take to protect it?
When will the provider notify you of a breach of security related to your data?
Where does the provider store your data?
Why are you considering a cloud-based software provider in the first place?
“Why” is arguably the most important question, because if there isn’t a good justification for choosing a cloud-based tool, why expose yourself to the risk at all?
The most likely justification these days is that there aren’t desktop or self-hosted alternatives to a cloud solution. It may also be the case that a cloud-based solution will be more secure than one your organization could implement itself: the best cloud providers have extremely robust controls around privacy and security. It may also be the case that a cloud provider can offer extra value, such as curated reference data (Ratio.City’s industry-leading Data Catalog, for example) or other resources that would be difficult for you to replicate. If any of these apply to you, let’s look at the other questions.
Who is behind the cloud solution you are considering?
Ideally, it is a company with a history of secure operations and excellent customer care. They should have clearly documented certifications and transparent processes, such as Esri Canada’s Trust Centre. Having been a founder of a tech start-up, I encourage you to consider small companies as well. Small companies are unlikely to have the same formal qualifications as a large company, but you can talk directly to the people who run the company and ask them these questions. You will be able to tell whether they really care about your security by how they work through any concerns you raise, and you will have an opportunity to help shape the product.
What data are you going to store with a cloud provider and what do they do to protect it?
Ask if the provider maintains audited certifications such as those defined by the ISO. Does your data require special certifications such as those related to financial or health records? Does the provider implement security best practices such as multi-factor authentication for users and end-to-end encryption for your data? Providers that take security seriously will advertise their efforts to keep your data secure and be happy to discuss any concerns you have.
When will you be informed of any security issues that arise?
Talk to potential providers and ask them whether they have a process in place and what it is. Ask what their thresholds are for notifying you, the customer. Do they understand their obligations under local laws? Documented procedures and service level agreements are the only reliable indicators of how open a provider will be in the event of a security incident. A related subject is how well prepared a provider is to recover from a serious security event or other disaster. Ask providers whether they have a disaster recovery plan and how long a complete recovery is likely to take before you regain access to your data.
Where will your data be stored?
The cloud is not a truly virtual place – data lives on servers that are in buildings with real addresses. If your data is stored outside of your country, it may not be covered by the regulatory framework you are used to, and your ability to seek legal protection or remedies may be compromised. It is also the case that your clients (especially government clients) may have rules about where their data can be stored. Ratio.City happens to operate in Canada, which has very good privacy protection regulations, and we are fortunate to be able to host our data in AWS’s Canada Central region, which relies on Quebec’s highly renewable and robust electrical grid.
If you take a bit of time to get answers to these questions, you will be able to find cloud solution providers that not only provide great tools but also help improve your security. I am very pleased to announce that Ratio.City and Esri Canada are now certified under ISO 27001 (organizational security and safeguards), ISO 27017 (cloud services security), and ISO 27018 (personally identifiable information security). We will continue to invest in security for ourselves and our customers and look forward to any enquiries you may have.
