Cloudy thinking: Why concerns about the cloud don’t translate into caution for most firms

By Christian Toon, Risk and Security Specialist at Iron Mountain.

  • Monday, 4th November 2013 Posted 11 years ago in by Phil Alsop

It’s 3 a.m. do you know where all your company data is? The chances are that some of it is in paper format around the office; some is stored electronically on PCs, shared drives and servers; and probably more than you expect is being carried around on employees’ personal devices or in their homes. However, for at least three quarters of you[1], a growing proportion of your business data will be offsite ‘in the cloud.’


The cloud delivers many business benefits, including flexibility, scalability and cost-effectiveness. In today’s increasingly international and mobile business environment the cloud offers seamless and universal access to a central repository of information and applications. Yet many firms remain concerned about the cloud. Given that the concept ‘cloud’ storage has only been around for about five years or so and covers much more than just data storage, this is, perhaps, hardly surprising..


We recently surveyed 1,200 business decision-makers in Europe[2] to explore their interest in and concerns about storing information in the cloud. We found that companies across Europe are particularly concerned about the risks of placing sensitive data in the cloud, with concerns including the security of data centres (listed as a top risk by 57 per cent of respondents), the potential for damage to data integrity (49 per cent), the likelihood of the data being accessible to others (41 per cent) and legal jurisdiction and compliance issues – often referred to as ‘data sovereignty’ (38 per cent). Sovereignty is determined by the geographical location of the data. Some information, such as HR records, is legally bound to remain within national borders, but data centres can move data between facilities leaving customers unsure as to where their records reside.


Despite all this, an overwhelming 76 per cent of the companies we spoke to already have or are planning to move data into the cloud over the next 12 months. Furthermore, they seemed to have few qualms about the type of data to be moved, something that would appear to be at odds with the significant concerns expressed above.


Many respondents believe the cloud is appropriate for most kinds of information – even that which is clearly sensitive and confidential. This includes customer information (49 per cent of respondents), employee information (46 per cent), historical information for compliance purposes (46 per cent), and corporate information, such as strategy and policy documents (46 per cent.) A surprising 32 per cent believe it is fine to put financial and tax information, including company accounts, into the cloud. In fact, the only types of information that companies preferred to keep close to home were intellectual property and corporate secrets, but 14 per cent of those surveyed would readily send it into the cloud.


Our study discovered that 86 per cent of business leaders in Europe believe they relinquish responsibility for the security of their data once it’s stored in the cloud. They are mistaken. EU law places accountability for lost or compromised data firmly in the hands of the owner[3], not the service provider.
This is all the more worrying when you reflect that 85 per cent of respondents claim to perform due diligence or other checks on potential cloud service providers. So why is the the message about accountability not getting across?


Cloud-based data storage is an almost inevitable option for companies trying to manage a surge in data volume, variety and velocity – otherwise known as ‘big data’ - and it can be easy to forget that all that information still ends up being stored in a physical location somewhere. Data centres are not infallible: they can suffer power outages, flood or fire, for example. In the worst-case scenario, this can lead to data corruption and loss. It is therefore vital to ensure that important information always has a secondary back up.


It was reassuring to note in our study that many companies appreciate this. We found that 22 per cent of respondents relied on Tape as a secondary back up for information stored in the cloud, with a similar proportion (21.5 per cent) depending on Disk and 11.5 per cent using both Tape and Disk.
However, a fifth (21 per cent) of respondents are planning to implement a potentially high-risk cloud-only storage model for all data, with no secondary back up in place. For these firms a lack of appropriate caution could have far-reaching business continuity, financial and brand implications should anything go wrong.


Cloud storage offers many benefits, but businesses need to do their research and choose carefully. They need to apply common sense to what data belongs in the cloud and what should be stored elsewhere. Most of all, they need to understand and accept full responsibility for their information, wherever it is kept. This brings us back to the opening question. If you don’t know the where your information resides, now might be a good time to find out.


[1] Research by Opinion Matters on behalf of Iron Mountain, carried out between 30/11/2012 and 14/12/2012. Sample: 1,275 IT Decision Makers, Finance Decision Makers, Legal Decision Makers UK, France, Hungary Germany, Netherlands and Spain in mid to large businesses (50-5,000 staff).
3 As above.
3 The UK’s Data Protection Act and the EU Data Protection Directive state that ultimate responsibility for security lies with the ‘data controller’ – the one deciding how and why the data is being stored and processed.