Of course, there are a lot more than five things to consider if you are looking at implementing a cloud computing solution. Whether you are using ‘software-as-a-service’ (that is, a ready-made hosted application like an accounts package or a CRM solution) or building something for yourself, however, some key questions keep coming up, so I thought I’d share some answers with you.
1. What about my data?
The two key data questions are about where your information is stored, and how secure it is.
Firstly, where geographically are the servers located? In certain sectors, regulatory compliance means that your data must be stored within the EU, for example, so you can’t just sign up for something without asking this question.
Make sure you check the compliance standards set by any professional body to which you belong, and ensure that your cloud provider meets these standards.
Then you might consider the processes by which the provider operates – do they have access to your data, and how is that access regulated? You may not mind too much if someone can look at your invoices, but if you are storing confidential personal data about people then it may be a more significant issue.
Also, establish how easily you can recover your data and be sure that you are able to get it back in the event of the provider failing. This is, to my mind, the biggest risk that you face by going onto a cloud platform, so be sure that you can get everything out of the system. Bear in mind, though, that it will probably be some form of database dump into comma-delimited files, so may need a fair bit of work to become useful again!
2. What about hackers and security?
The fact is that most small businesses are not really of interest to hackers. Nobody is really all that interested in your VAT returns, so the likelihood of you being the target of a sustained and deliberate attempt to get hold of your corporate data is remote.
However, there are plenty of mischief makers about, and they will hack and damage stuff just for the kicks, and that could include your data.
Things are getting better, though, as people become more aware, and users are more experienced and better trained to avoid scams. A recent report by PwC on behalf of the Department for Business Innovation and Skills determined that 22% of small businesses suffered a staff-related security breach, as opposed to 41% the previous year.
The report also highlights that only 35% of small businesses have insurance in place to cover them in the event of a data breach. This should be taken into account whether you are using cloud technologies or not – in fact, if you are still using in-house systems it’s even more critical, I would argue. Your own office network is likely to be far easier to penetrate than a data-centre hosting your cloud software.
The Executive Summary of the PwC report can be seen here.
3. What about my internet connection?
This is about availability and, of course, it is critical. Even the most enthusiastic of advocates for cloud computing can’t get round the fact that you need a decent internet connection for it to be a practical approach. (Strictly speaking, you can operate hybrid solutions, but that’s comparatively expensive and potentially complicated and unlikely to be taken up by smaller organisations.)
Availability, though, can mean more than one thing. You can lose your internet connection, but equally your cloud services, like your website, can be the subject of a ‘Denial of Service’ attack, where someone basically fires so many requests to your server that it can’t cope and vanishes under the duvet.
Although these are mainly directed at larger sites, 15% of small businesses experienced such an attack in 2011, as opposed to 30% of larger organisations.
You need to think about business continuity. One major advantage of the cloud is that you can work from anywhere, so if disaster strikes you can find a public wireless network, or head back home, or to a coffee-shop, or wherever, and get back online. It may not be ideal, but it compares very favourably with the old days where the server needed to be repaired, backups restored and lost work regenerated – that could sometimes take days.
All of my ‘back-office’ systems are cloud-based: financials, CRM, project management, email and documents. If need be, I can do everything except development work on my smartphone. All of the data for the development work is online, but I prefer using a pair of nice big screens at my desk to do the actual work, so would have to revert to a small laptop screen in an emergency. However, I could still deliver my services.
4. What about the actual application?
If you are signing up for a ‘software-as-a-service’ (SaaS) solution, like an accounting package or a CRM, you might want to consider a couple of points. One of the big advantages of such a solution is that it is standardised across all users, and you will always be working on the latest version, without any maintenance load on you or your IT operation.
The downside of this is that you are not in control of the updates, and the pressure from other users might result in feature changes that don’t suit you.
As with all off-the-shelf applications, you will find it stuffed full of features that broaden the appeal of the software – clearly the providers want to maximise sales, so they will bung in every feature that they can in the hope that the largest possible user base will find what they need in there somewhere. The issue here (and this is not confined to cloud applications) is that for your specific business there will be a load of stuff you won’t use. You therefore need to consider the usability of the application when it comes to what you want to use it for.
Make sure you get a good opportunity for your users to test it – don’t just rely on the provider’s demonstration.
5. What about my users?
As mentioned above, it’s a sad fact that your users are a weak spot in security terms. Make sure that they are properly trained, not just in the use of the applications themselves (which will obviously improve their productivity) but also in general good practice from a security perspective.
This can mean getting a bit tough sometimes. Assume that you are insured for business continuity in the event of a systems breach. It may well be that, if one of your staff clicks a link in an email and introduces CryptoLocker into your business, the insurer will refuse to cover you. That means that you need to ensure staff are properly trained, and have the appropriate disciplinary measures in place should they act negligently.
Also, tighten up your password policy – all the time I see people using their kids’ names or birthdays as passwords! Two-thirds of us apparently use short 6 to 8 character passwords, largely in lower-case. Sometimes, sites won’t let you get away with that, but many will. On top of that, people use the same passwords extensively across sites.
Now that there are free password managers available – things like LastPass – there’s no excuse for doing this any more. You can generate complex passwords very easily, and you don’t need to remember them – just don’t forget the master password that you set for the vault, otherwise you do have an issue!
I can’t establish the source of this information, and it may be completely wrong, but I recall reading somewhere that if you had sufficient servers working to crack a password, then 8 character passwords can be cracked in about 8 hours, whereas increasing to 10 characters would need over 3 years to crack.
So it makes sense to use sensible passwords – it may feel like a drag but as soon as you get into the swing of it, you have massively reduced the chances that your business will become a security statistic!
As I said at the start, when it comes to cloud computing there are dozens of questions that you could ask. I’ve picked five that seem to me to be important, and am always happy to talk through your individual situation – there is no ‘one-size-fits-all’ answer here, as every case is different. It depends on your business, your users, and a host of other things.
To talk through your requirement, get in touch with me by email here, or by phone on 01438 832724