A Turkish Taxi or Going to the Cloud

Still Responsible: Did you know that when you take a taxi cab in Turkey and there is an accident while you are in the car, you, the passenger, are liable for the damages? Why? Because you hired the cab. A lot of businesses these days that are “going to the cloud” are in the same position. They think the move solves all of their cybersecurity problems, but that is not the case. The business is still responsible.

The Regulations: Most businesses have at least one set of regulatory compliance rules to abide by when handling data. If your business accepts credit cards as payment, you are subject to the Payment Card Industry Data Security Standard (PCI DSS). If you track any Personally Identifiable Information (PII) on your customers or employees, you are subject to the Privacy Act. If you are a health care provider and handle Protected Health Information (PHI), you need to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Healthcare providers have the trifecta of data protection liability, with PCI, PII, and PHI to worry about. In the cybersecurity world, regulatory requirements drive your data security plan.

Data Security: The definition of data security from www.technopedia.com/definitions/26464/data-security is “protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites.” In other words, data security is how you protect your customers’ data. Although there are many laws, regulations, and guidelines, they do not dictate how to implement the protective measures. It is up to the individual business owners to decide how. This is important because the business is held legally responsible for any privacy breach that may occur. Whether the data is in the cloud or in your back office data closet, the business is responsible for its protection.

Does the Cloud Solve my Data Security Problem?: Some business owners think that if they push their system to the cloud then the cloud service provider will be responsible for everything and they are freed from the worries of data security.  Many cloud service providers offer Software as a Service (SaaS) solutions for just about every application these days, making it a turn-key solution for many businesses.  One example is Office 365.  This reduces local IT costs and in most cases provides an increase in service.   In many cases, the business can coordinate with the provider to pay for controls like encryption and firewalls in the cloud.  Sounds great, doesn’t it?  So where’s the problem?

The cloud customer decides who gets access to the application.  The employees are usually working from a laptop, desktop, tablet or phone to access the application. 

Threats to Your Data: The cybersecurity threats to the data associated with these endpoints are numerous. If any of the end devices gets key-logger malware (malware that records your keystrokes), the hacker now has access to your cloud data from anywhere in the world. If the data is sent unencrypted to the cloud, it is subject to interception through what’s called a man-in-the-middle attack. This happens often when using public Wi-Fi hotspots. Employees are susceptible to social engineering, where they are tricked into clicking on a malicious link or even providing their password information over the phone. As we noted in other articles, the dark web has usernames and passwords available from previous breaches. If people re-use their passwords, the hacker may have access.

Your Due Diligence: Even in the cloud, business owners must exercise due diligence with data security because they are liable. Your employees need cybersecurity training. Their devices should have antivirus and endpoint detection monitoring, meaning agents watching for unusual behavior. Businesses should have cyber insurance to transfer the risk in case a breach occurs despite best efforts.

Your Choice: So, if you are in Turkey and you have a choice between a taxi and a bus, you may want to take the bus.