As a large company handling a high volume of data, we use a cloud computing service provider to store our data.  What are the best preventative security measures my company can take to protect my sensitive or confidential information?

Most companies are moving to cloud computing for electronic storage because the cloud both increases efficiency and reduces information technology costs.  But the business advantages of cloud computing often obscure the potential risks.  Companies must consider what kind of data they are putting into the cloud.  Sensitive, critical or regulated information should be subject to robust protection.  The best way to ensure this is done is through your company’s contract with a cloud computing service provider.  Through a properly drafted contract, you can segregate vital information from run-of-the-mill data and impose additional security by, for example, adding native-level encryption or imposing multi-factor authentication.  Just as importantly, in the case of a security breach, taking and documenting these steps helps a company credibly explain that it made its best effort to protect sensitive or regulated information.

In addition to working with your cloud provider on data security, your company can also implement common sense procedures to better protect vital information.  Reducing the number of employees of with access to vital data, training employees on password security methods, imposing multi-factor authentication on all users of your company’s network, and encouraging communication between employees about suspicious emails or network activity are all low-cost methods of increasing data security.

When contracting with a cloud computing service provider to store electronic data in the cloud, can I help protect my company’s data through certain contractual provisions?  If so, how should I go about doing so?

Cloud computing contracts provide the best avenue for your company to ensure that your cloud provider uses up-to-date and transparent measures for intrusion detection, reporting, and security audits.  Companies placing sensitive, confidential or regulated data in the cloud need to ensure that the cloud provider communicates with them during every step of the data oversight process.  Companies also need to confirm that their cloud provider regularly updates its security and encryption methods.  In addition, your company’s contract with its cloud provider should clarify the encryption level for data at all stages of its flow through the system.

Beyond these obvious security-related provisions, enterprises should use the contracting process to understand exactly who at the cloud provider will have access to their data and where their data will be stored.  Part of understanding what kind of cloud service you’re getting involves knowing what categories of employees at the cloud provider will process your information.  This includes knowing whether the cloud provider uses any subcontractors.  As for data location, where your cloud provider’s servers are located and how your data is transferred impact key issues such as legal jurisdiction, data privacy laws, and export control regulations.  Not all form contracts used by cloud providers give clarity on these issues, but companies working with sensitive electronic data need to pull back the curtain and pin them down prior to signing on the dotted line.

Cyber criminals often exploit the weakest link in the data chain.  What are some examples of these weak links, and how can we avoid them?

For all electronic data communication and storage, data users – primarily comprised of a company’s employees – are the weakest links.  While companies certainly can’t eliminate data users, they can do four things to greatly reduce the chance that cyber criminals will use this “weak link” to steal or sabotage their most sensitive information. 

First, companies should reduce the number of employees with access to sensitive, confidential or regulated data.  The fewer entry points to the data, the harder it is to hack. 

Second, companies ought to employ policies concerning those most important categories of information.  For example, if your company is a retailer and employs “big data” metrics to track its customers, you need to make sure that all employees understand the sensitivity of personal customer data and how to handle it. 

Third, companies need to train employees on proper password security and impose strict requirements on changing passwords and not re-using network passwords for other applications. 

Fourth, companies should require multi-factor authentication for access to company data.  Using more than one factor of authentication, such as using a code sent to a smartphone before an employee can log on, creates an additional layer that a cyber criminal would have to navigate before gaining access.

Another weak link, though less exploited than lax data users, involves non-encrypted or lightly encrypted transmittals of data.  Sophisticated cyber criminals are often capable of attacking at the weakest level of encryption, which is why companies should ensure that their most vital data is protected at the highest encryption level practicable.  The National Institute of Standards and Technology (“NIST”) Cybersecurity Framework provides an excellent measuring stick, as it validates industry-standard encryption.  Indeed, recent proposed changes to U.S. export controls regulations include a requirement that companies exporting regulated data use encryption standards certified by the NIST.

If my company's data is compromised, what steps should I take?  Should I immediately contact and/or work with law enforcement?

The first matter to attend to is the creation of a plan for dealing with a cyber intrusion.  Surprisingly, few companies have a cyber incident response plan setting out what employees should do.  Upon an intrusion, a company’s management team should be focused on containing the problem, reducing its impact, and preserving as much vital information as possible.  Without an actionable plan, a company facing a cyber incident will be scrambling to create procedures for dealing with issues on an ad hoc basis instead of implementing a systematic policy designed to minimize harm.

Law enforcement provides an important resource for a company in the midst of a cyber incident.  David Laufman, current head of the counterespionage section of the U.S. Department of Justice’s national security division, has noted that only the government has the capability of understanding the full scope of cybercrime because government agencies see trends through their widespread investigations.  During the Sony hack, for example, U.S. government agencies updated malware and shared it with companies to improve their security.

Before opening your company’s doors to the government, however, you should consult with legal counsel familiar with technology and cyber incident management.  A company faced with decisions about how it should interact with the government, the types of actions it can lawfully take, when and how it should report the loss of confidential information, and what its potential liabilities are for taking (or failing to take) remedial measures should consult with knowledgeable legal counsel.  Timely and accurate advice from counsel can go a long way toward diminishing the negative impact of a cyber intrusion.