Employers are discovering that cloud storage services are a great way to access work-related data at home and on the road, and to collaborate with co-workers, especially those who work remotely.
Unfortunately, they are also a great way to make their confidential data insecure – which is why you may need a policy covering their use.
Cloud services allow users to log into an account, upload/download documents or files, and then access or download them from any device anywhere and at any time. Users can sync folders across devices and can also share or sync files with others.
While these services can greatly enhance productivity, they also pose risks, because once employees upload data to the cloud, it is no longer on your system.
Most cloud providers have pretty good security, but no technology is foolproof – evidenced by the recent release of nude celebrity photos that were stored in the cloud. It may not even be necessary for hackers to "crack" a sophisticated system. One common hacker technique is to steal usernames and passwords from less secure sites and use them to try and log into more secure sites.
Also, the whole idea of cloud storage is to be able to access data remotely, and your security is only as good as the network your employees are using at that moment. If an employee is accessing sensitive data on an unprotected home network or using Wi-Fi at a local Starbucks, your information is not secure.
Another risk is that cloud services make it easy for an employee who is planning to go to work for a competitor to steal confidential information. In the past, businesses were often able to catch such employees because they would typically email lots of files to personal email accounts in the days before they left. However, if an employee has routinely synced his/her computer with a home device, it is much more difficult to prove that they did something wrong.
One way to protect yourself is to limit your company to one cloud provider. It is much easier to maintain security with one company than it is if you let employees do their own thing with whatever providers they choose – especially if the cloud service you work with can give you reports on employee usage.
It may also be a good idea to have written cloud storage policy and have employees sign off on it. Among other things, such a policy could specify that employees may not upload or share data using the cloud without approval by management, may not use a cloud service that is not approved by management, may access cloud data only when they have a secure connection, may not download data to home devices or share data with anyone outside the company, and may not share their log-in credentials with anyone (including co-workers).