Most Small Businesses Not Following Cloud Storage Regulations

A new survey shows more than three in five (60 percent) small businesses putting customer credit card and banking information in cloud storage are not following mandatory industry regulations.

The Clutch survey included 300 IT decision makers at U.S. small businesses currently using cloud storage. Two industry regulations – the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) – are required for businesses that store banking information or medical data. Businesses found to be non-compliant with these two regulations can be fined millions of dollars.

Clutch’s Riley Panko

Riley Panko, senior content developer and marketer at Clutch, tells Channel Partners that small businesses may not be aware of these industry regulations, or at least not aware of the severity of the consequences for non-compliance.

“Small businesses storing sensitive data absolutely must be made aware of regulations such as PCI DSS or HIPAA,” she said. “There is perhaps an opportunity for cloud storage providers to provide more knowledge of regulations — are these small businesses automatically complying by storing their data on the providers’ servers? Even if compliance is automatic, small businesses should be aware of the regulations and the necessary steps for compliance.”

Despite the risks, nine in 10 (90 percent) small businesses are either “very” or “somewhat” confident in their cloud storage’s security, a 3 percent increase from 2016.

“While more than half of these small businesses storing sensitive data say they don’t follow industry regulations, there is a positive trend — over half of all small businesses are using encryption (60 percent), two-factor authentication (53 percent) or employee training (58 percent) to protect their data in the cloud,” Panko said. “These additional security measures are often what is required to be compliant with regulations. While small businesses may not fully understand the industry regulations, the popularity of these additional security measures shows that they are at least taking some strongly positive steps towards securing their data in the cloud.”

Ghazanfar Ghori, chief technology officer of software and mobile app development agency 10Pearls, said some small businesses’ security measures aren’t used effectively. For example, a company password policy, requiring complex passwords with regular updates, can be compromised by negligent employees.

“People will write (the new password) down on a sticky note instead and stick it on their locker,” for everyone to see, he said.

Companies should strive for seamlessly integrated security plans to minimize employee error, Ghori said. Security measures such as two-factor authentication and encryption cannot be compromised easily by employee error.

“The strongest benefit of compliance is perhaps the assurance of a business’ integrity,” Panko said. “If your data is hacked and sensitive customer data is compromised, those customers are sure to be upset or enraged. This is especially true if the customers find that your small business wasn’t compliant with basic regulations; however, if you follow regulations to the letter and are still hacked, some of that blame can be shifted — the hackers were smarter than the regulations. Your business did all it could.”