If you are using a popular cloud app such as QuickBooks, HubSpot, RentMagic, Yardi, Tableau, TobiiPro, Dentrix, AbleDent or anything else, you might assume everything is secure. And that is true. It’s also false. Here’s what you need to know about your IT security responsibility for any cloud software you may use.
Cloud Security Is a Shared Liability Between You + Your Software Provider
Your cloud service providers have responsibilities to you, for protecting your data, but you also have responsibilities in protecting your data and the data of your clients.
The ways in which you and your team apply (or fail to apply) best practices for data security will be a big factor in whether you protect your business or end up with a breach.
If you read the fine print in your cloud software terms of service, you should find wording on shared responsibility for cloud security. Let’s get into it.
Shared IT Security For Small Business Owners
Whatever cloud software or infrastructure you choose, you are responsible for securing your own space within that cloud environment and for securing every endpoint (computer) that connects to your cloud services.
In other words, just because your business uses a cloud service owned and maintained by another company does not mean you can take security for granted. Insufficient due diligence is one of the top reasons for security failures.
Cloud security concerns fall into two general classes:
1. Security dilemmas encountered by cloud providers (SaaS, PaaS, and IaaS providers)
2. Security dilemmas encountered by customers of cloud providers (organizations or enterprises that store data or host applications in the cloud).
While cloud providers must ensure the defense of their cloud infrastructure, customers must:
• Understand relevant laws and regulations for compliance and risk management.
• Choose the right people to support technology.
• Use trusted software from reputable vendors.
• Use Identity Management to apply policies and conditional access rules across all devices connecting to practice data, binding every approved device to the domain and denying access to all others.
• Continuously monitor endpoints (computers) for cyber threats, compliance and risk concerns.
• Continuously patch and update all endpoints (daily or weekly) to close software vulnerabilities that would-be attackers exploit.
• Use strong passwords enforced by policy on all devices accessing practice data.
• Not allow staff to share logins, passwords or email accounts.
• Use two-factor authentication on all email accounts, enforced by policy on every account connected to the practice domain.
• Have secure processes to revoke all access from staff when they leave the practice (secure offboarding).
• Consider enacting a no-file-download policy to local computers. Additionally, file editing should be done over the cloud, making it easier to control data security and manage files if and when an employee leaves the organization.
• Consider portability between databases.
• Maintain backup and disaster recovery frameworks for all patient data, including digital radiographs, as well as all practice email communications.
All these cyber security requirements fall outside the scope of responsibility for any cloud app you may use, and they land squarely in your court.
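Several of the responsibilities above (two-factor authentication on every account, no shared logins, secure offboarding, only domain-bound devices touching practice data, and endpoints patched on a daily or weekly schedule) can be checked mechanically against an export from your identity provider and endpoint management tool. The script below is an added example, not code from TUCU or from any of the cloud apps named on this page; the account and device records, their field names and the 7-day patch window are constructed assumptions standing in for whatever your own identity and RMM exports contain.

```python
"""Audit a constructed account/device inventory against the customer-side
cloud security controls listed above.  Each finding is a (name, control)
pair so the output can be sorted, counted or fed to a ticketing system."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

Finding = Tuple[str, str]


@dataclass
class Account:
    username: str
    mfa_enabled: bool            # two-factor authentication turned on
    enabled: bool                # login currently allowed
    assigned_to: List[str]       # people who actually use this login
    employee_status: str         # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class Device:
    hostname: str
    domain_joined: bool          # bound to the practice domain
    last_patched: date           # last OS/software patch run
    accesses_practice_data: bool


def audit_accounts(accounts: List[Account]) -> List[Finding]:
    """Check each login for missing MFA, sharing and incomplete offboarding."""
    findings: List[Finding] = []
    for a in accounts:
        # Disabled accounts cannot be logged into, so MFA only matters on live ones.
        if a.enabled and not a.mfa_enabled:
            findings.append((a.username, "mfa_missing"))
        # One login used by more than one person defeats accountability.
        if len(a.assigned_to) > 1:
            findings.append((a.username, "shared_login"))
        # A terminated employee whose login still works is an offboarding gap.
        if a.employee_status == "terminated" and a.enabled:
            findings.append((a.username, "offboarding_incomplete"))
    return findings


def audit_devices(devices: List[Device], today: date,
                  max_patch_age_days: int = 7) -> List[Finding]:
    """Flag endpoints that reach practice data without being domain-bound,
    and endpoints whose last patch run is older than the allowed window."""
    findings: List[Finding] = []
    for d in devices:
        if d.accesses_practice_data and not d.domain_joined:
            findings.append((d.hostname, "unapproved_device"))
        if (today - d.last_patched).days > max_patch_age_days:
            findings.append((d.hostname, "patching_overdue"))
    return findings


# --- constructed sample inventory (assumed values, not real practice data) ---
TODAY = date(2024, 3, 15)

ACCOUNTS = [
    Account("frontdesk", mfa_enabled=False, enabled=True,
            assigned_to=["alice", "bob"], employee_status="active"),
    Account("dr.smith", mfa_enabled=True, enabled=True,
            assigned_to=["smith"], employee_status="active"),
    Account("j.doe", mfa_enabled=True, enabled=True,
            assigned_to=["doe"], employee_status="terminated",
            termination_date=date(2024, 3, 1)),
    Account("old.temp", mfa_enabled=False, enabled=False,
            assigned_to=["temp"], employee_status="terminated",
            termination_date=date(2023, 11, 30)),
]

DEVICES = [
    Device("RECEPTION-PC", domain_joined=True,
           last_patched=date(2024, 3, 13), accesses_practice_data=True),
    Device("HOME-LAPTOP", domain_joined=False,
           last_patched=date(2024, 1, 20), accesses_practice_data=True),
    Device("XRAY-WS", domain_joined=True,
           last_patched=date(2024, 3, 1), accesses_practice_data=True),
]


def run_audit() -> List[Finding]:
    """Combine both audits; an empty list means every control is satisfied."""
    return audit_accounts(ACCOUNTS) + audit_devices(DEVICES, TODAY)


if __name__ == "__main__":
    for name, control in run_audit():
        print(f"{control:24s} {name}")
```

On the constructed data the shared front-desk login is flagged twice (no MFA and more than one user), the terminated employee whose login is still enabled shows up as an offboarding gap, the personal laptop is flagged both as not domain-bound and as unpatched, and the x-ray workstation is flagged only for missing its weekly patch window. Running this against a real export on a schedule turns the checklist into something an owner or MSP can actually verify.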
Given the complexity of technology management paired with ever changing technologies to thwart evolving cyber threats, more small businesses than ever have turned to outsourced IT management.
Managing Security Outside Your Cloud Software
You have a lot of technology to manage outside your cloud apps, including but not limited to:
• Cloud or local servers
• Cloud or local computers
• Web and email domains
• Identity control systems
• Email accounts
• Any personal or mobile devices staff may use for business email access
• File storage, downloading, forwarding, etc.
• Wi-Fi, network switches, modems, routers and more
Each one is vulnerable to multiple security threats. Each one must be reasonably secured and managed. A Managed IT Services Provider (MSP) will manage all of the above for you, for less than the cost of hiring a dedicated IT employee.
Using Remote Monitoring & Management (RMM) tools and automation, your MSP applies and maintains cloud security best practices that protect client data and reduce risk and liability.
The DIY IT Option
You can opt to manage all your technology yourself.
If you do decide to DIY, take a cyber security course, and make time to create password security policies and acceptable use policies for all your staff.
We don’t recommend this option because there is simply too much that falls under the “you don’t know what you don’t know” axiom, especially when you have a team sharing data, working remotely, and so on. The tools and skills needed to maintain security for a modern, mobile team take years to learn.
The Outsourced IT Option
You can outsource your IT by hiring a Managed IT Services Provider in Toronto – or wherever you are located.
You can choose basic endpoint management only, which offers antivirus, EDR and application security controls, as well as automated software and computer patching, to protect against many common threats.
However, basic endpoint management does not include the tools and services you need for cloud security and mobility: a central way to track user logins, control over who can access which files and folders, or restricting company email logins to specific computers. These services fall under Identity Management solutions, and you can get them with a more comprehensive Managed IT Services plan.
For robust IT Governance, Risk and Compliance solutions, a Managed Security Services Provider like TUCU can help.
Without managed security in today’s world, everything you have built is at risk.
Schedule your free consultation now to discuss your IT management for everything outside your trusty cloud app.