There are five basic steps businesses can take to protect their information in the and ensure data remains private:

1. Assets: Know thy data

Context is everything when deciding to share responsibility for the care of data that may be associated with customers or employees.  Ask what kind of data points may be shared.  Will the data be used to directly or indirectly identify individual customers or employees?  How long will the data be used to bring value to the business and to employees?  How might this affect direct customers or related consumers? Will anyone be able to see the data from another country or province? And, most importantly, how will organizations track that the data is actively under management and managed with care?

2. People: Know thy team

Any good coach or leader will say it is critical to know who is on their team and what they do best.  The same holds true when managing private data.  Who is in the supply chain of people, process or technology that will be part of respecting the data under an organization’s care? Some cloud providers move fast and scale quickly, but do not offer specialty services or high levels of protection.  Others offer very specialized analytics but only can manage global contexts and cannot (or should not) undertake a generic prohibition to never pass data over dirt-and-sea-based jurisdictions.  Knowing what a team is not matters almost as much as what they proclaim to be.  In a cloud environment, an organization is just as responsible for true leadership as in a closed company huddle.

3. Process: Know thy systems

What are the everyday, reflexive things that an organization does to make it more likely they can protect data about people?  Are they great at quality checks and balances?  Do they represent more of a “start-up, move fast, take chances” culture?  How do they ensure that their other investments and resources are well deployed?  Organizations need to think about how to leverage the systems they already use and plan how to go with the existing culture as much as possible — adding new layers only where necessary.  They will have a much greater chance of protecting private data if it feels like something their team already knows how to do.

4. Technology: Know thy stuff

If an organization hasn’t considered the assets, people, and process they will need to be a success in the cloud, they really should pause and get that sorted out first.  Understanding what a firm wants to get out of the cloud — a data business plan or budget of sorts — is critical to success.  Organizations can’t skip these steps to play with the technology.  Once they are ready, there are fantastic tools to leverage in support of a data business plan.  Here are a few:

  • User authentication and provisioning: When firms have applications running in the cloud they need to ensure each application is accessible only to the people who need to be using it. This helps guarantee sensitive information doesn’t fall into the wrong hands.

  • Data encryption: Any unencrypted data is inherently insecure. It can be read by anyone who is able to access it. Only authorized users should be able to decrypt data that’s stored in the cloud.  Encryption doesn’t fit all contexts and occasions, but it generally does a nice job of covering assets and regulators like to hear that a business has it.

  • Traffic and device monitoring: Business units or individuals often adopt their own cloud applications without approval from the IT department. Secure web gateways can see these application flows and allow the IT department or other governance systems to get them under control.  If organizations have followed the first rule, “Know thy data,” they can use technologies like data loss prevention to look for specific types of data that should or should not be flowing in and out of the cloud environment.  Similarly, it is important to protect all devices that will be accessing cloud data. This includes PCs, laptops, tablets and smartphones.

  • Situational intelligence: Other “security” technologies can, and should, be leveraged to protect private data based on situational intelligence.  For example, if a business knows they have a database full of hard-to-replace employees and their compensation details, wouldn’t it be great to know whether that asset has been given special attention by a hacker?  Awareness of technical vulnerabilities can lead to better business decisions and priorities if a firm has nailed its data business plan.  

  • Use certified cloud providers: Look for cloud providers who are independently certified as following best security practices. This provides customers with some assurance their cloud provider is doing what they can to protect against external attack or internal leaks.

5. Know thy consequences

Before an organization jumps headfirst into the cloud, it is mission critical to understand what types of consequences a business may incur when faced with a privacy breach. 

  • The biggest consequence a business incurs when faced with a privacy breach is a loss of trust. If a business loses key customer or partner data as a result of a security breach, it can result in customers and partners taking business elsewhere. Worse, customers may recover financially or move on from a security lapse, but it is rare that they will forget that their data was left unprotected. 
  • Once a business is either the victim of a successful criminal attack or is the cause of personal data loss, it can become a media and regulatory darling whose every step or risk may be closely scrutinized and audited.  
  • Important trade secrets or product information can be lost, resulting in a significant loss of revenue and time-to-market speed. 
  • Organizations that are subject to compliance can also face significant fines if they lose private data.  There are also other painful implications to any privacy breach that can destroy an organization’s ability to be effective.  For example, the world will never know what new innovation or exciting new thing could have been created with the hundreds of millions of dollars spent by organizations that are fighting class action law suits, being audited for preventable mishaps or misrepresentations, or distracted by having to recreate a better brand.