25th Feb 2019

How secure is the cloud for business payments?

In its simplest terms, the cloud is just the internet. So when we talk about cloud-based software, we’re simply talking about a software application that’s stored on remote servers and accessible over the internet.

Salesforce, Xero and Slack are all common examples in the workplace.

But are cloud-hosted applications secure enough for corporates and public sector organisations to entrust them with sensitive financial data and bank connections?

To answer this question properly, there are 3 aspects of cloud security to consider:

a) the security of the remote data centres that are managed by the cloud provider
b) the security measures that cloud-based software vendors build into their own products
c) staff awareness around protecting themselves online

It makes sense to start by comparing the safety and reliability of cloud-based applications to the alternative: on-premise solutions.

Keeping on-premise servers in your office is far more risky

In a report by Oracle, 83% of respondents rated cloud security as good as or better than that of on-premise. In the same report, 90% of organisations categorised half or more of their cloud data as sensitive, showing a high level of trust in cloud security. Here’s why:

1. Data centres are well-resourced

On-premise software is stored in a server room somewhere in the back of your office. If that server room is compromised by a fire, flood, power cut or break-in, then your data is destroyed, with no back-up.

The fact is, any trusted data centre has far more resources than your IT department. Whilst you may be able to see the server hosting your on-premise application, your IT team are probably juggling multiple projects and simply don’t have the time or the budget to invest 6 or 7 figures into sound foundational security like trusted data centres can.

2. Extra security, less cost

With security threats changing all the time, organisations hosting on-premise software must account for that themselves by investing in costly but appropriate security measures – whether that’s physical security, firewalls or other threat detection solutions.

Cloud-based software is bolstered by preventative measures from both the data centre and the software vendor, so organisations taking advantage of the cloud effectively benefit from a higher grade of security within a compliant framework, at less cost.

3. Disaster Recovery

Most trusted cloud providers will offer some form of disaster recovery (DR) designed specifically to prevent unplanned outages, offering peace of mind, which most on-premise servers cannot really rival.

One example of this is geo-redundancy, which means that if there’s a problem affecting one data centre, another server (usually in a different part of the world) will kick in automatically, causing minimal disruption and losing only seconds’ worth of data in the worst cases.

4. Offsite back-ups and storage

The cloud effectively acts as a secure off-site storage facility which has its own automatic backups. The average cost of phishing and social engineering attacks for UK businesses is £960,000 – and it can take 20 days to deal with them, so having some form of backup storage in place is near-enough essential for any business.

“Insisting that data remain on-premise is like arguing that money should be stored under a mattress or buried in the backyard. The added control actually becomes a liability to the money and a wad of cash under your bed cannot be invested, nor is it secure.” – Rick Spicklmier, CTO of Birst

What other security measures do cloud applications have in place?

Security standards vary from application to application. But any cloud-based vendor worth their salt will have at least 3 types of security layers built into their application:

1. Access – Vendors look to protect user accounts by recommending authentication and authorisation policies, offering security tools like two-factor authentication and IP whitelisting to ensure online access is controlled.
2. Data security – Vendors look to protect data in transit and ‘at rest’, with multiple layers of sophisticated end-to-end encryption. So, in the event of a breach, highly sensitive information is more likely to remain secure. Indeed, these layers of encryption can be implemented for in-house software, but not without significant upfront costs.
3. Monitoring controls – These provisions detect threats and alert the relevant people to control the situation.

The big advantage to organisations is that cloud-based vendors will take care of all of the above provisions at no extra cost because delivering a secure, reliable working environment is at the very core of their service.

Even with all of these additional security layers, there are still a few things you can do internally to protect your organisation further.

What can you do?

Like it or not, the stats say that the biggest risk to the security of cloud applications is customers themselves: “through 2022, at least 95% of cloud security failures will be the customer’s fault”. Most breaches are expected to involve privileged credentials such as passwords.

In response, Jay Heiser, Research VP at Gartner, states that CIOs must change their line of questioning from ‘is the cloud secure’ to ‘am I using the cloud securely’?

If you’re considering migrating over to the cloud from on-premise, start by taking some time to consider the vendor’s security policies, as well as those of the cloud provider hosting the service.

Also, take advantage of the security layers on offer to you. This can be as simple as putting staff password policies in place and utilising in-app security tools like two-factor authentication or segregation of duties; a walls-up approach which many vendors offer as part of their service.

In summary…

It’s true that a lot of cloud-based applications had teething problems in their infancy, which spurred the rumours of unreliability that still plague boardrooms today.

But the technology has matured greatly since then and is arguably the best option for modern businesses.

Not only does it provide businesses and public sector organisations with improved security and solid disaster recovery mechanisms in comparison to on-premise servers, but it can offer far more benefits in terms of integration, real-time data application and cost savings.

Of course, not all cloud applications are created equal, so do your research and choose your software vendor wisely. A good vendor will always work with a reputable hosting company and will have its own robust security measures in place to protect your organisation.

As long as you have a reliable vendor and an educated workforce, then cloud-based software is, without a doubt, the safest option for your finance and treasury team.