Many nonprofits who have begun working entirely remotely found that they were in fairly good shape if they had already moved to a cloud-based system such as Office 365. Staff could work from home using reliable email, with video conferencing through Teams or Zoom replacing in-person meetings.
However, some organizations that use cloud-based file systems may be wondering how secure these online file storage systems are. They allow remote staff to collaborate from anywhere, and look up policies and documentation – but could they expose your organization to a data breach? Which is more secure, cloud vs local file storage?
What type of risks are involved in moving all company records to the cloud? How does a security-minded nonprofit address the risks and invest in good practices both in the technology itself and in staff training and support?
Cloud vs Local File Storage: Security
Typical files that don’t have privacy regulations associated with them are probably safer in a cloud-based system—where they’re being automatically backed-up—than on someone’s local (laptop/desktop) machine.
The comparison between cloud and on-premises file servers is more nuanced.
One of the security benefits of having files on an on-premises server is that you have to be on the premises, on the local network, to access those records. But being on-premises is not something most of our customers are doing any more. If you do still have an on-premises server, consider adding a VPN (Virtual Private Network) or an RDP (Remote Desktop Protocol) server to your network to provide remote access to those files. You can add an additional layer of security to your VPN or RDP server by requiring Multi-Factor Authentication (MFA), but you will need to maintain that extra layer of security.
Moreover, if a hacker or state actor really wanted to get to your server on premises, they will probably be able to get into your office. It’s not that difficult to gain physical access to most of our offices, and most of us don’t think about that when we think about cybersecurity protections. If you are in a field where state actors may be targeting your nonprofit, you must consider physically secure offices in addition to cybersecurity.
Privacy Regulations
Files that are regulated in some way, for example under HIPAA or laws covering personally identifiable information, particularly medical information, are subject to strict requirements for the privacy and security of the owner of the data. Any files subject to HIPAA or other privacy laws such as GDPR need a system that is designed to protect that information and is built to be HIPAA compliant.
Compliance can be a very complicated process to go through and requires the correct policies, processes and platforms to work. The Microsoft Cloud platform includes the necessary compliance certifications for HIPAA and GDPR, but organizations need to also do the work themselves.
Google Workspace also provides guidance and certifications on HIPAA and GDPR compliance.
Staff should clearly understand that they must never store any regulated information in unencrypted files such as email, or share them through systems like Slack. Community IT recommends documenting such file privacy policies at the organization level, and spelling out training requirements during staff orientation and reiterating on an ongoing basis.
SharePoint is designed to allow HIPAA compliant use and can be used in a HIPAA compliant way. Out of the box it does not have all the controls enabled for HIPAA compliance, so you must be conscientious in adding those controls and maintaining a staff security training regimen. Your IT support should be able to set up these files and access in a secure way. If your SharePoint is not set up to be compliant, your staff must understand that they cannot store private records such as those regulated by HIPAA there.
You also need to invest in Cybersecurity Insurance, or consult counsel with experience in HIPAA/privacy laws. Disclaimer: Community IT are not lawyers and this article should not be considered legal advice. You should seek appropriate counsel for your own situation and in the jurisdiction where you do business. We highly encourage you to understand your legal rights and liabilities regarding any private data your organization stores, and to work with your broker to confirm that your cybersecurity insurance is tailored to your specific risk exposure.
Confidential Files
Once you have ensured that any legally protected files are stored in a system that is compliant with regulations, you should understand the risks of storing other sensitive files in the cloud or on a local server. You need to evaluate the level of risk associated with sensitive information getting out and include that in your evaluation of the ROI of moving to the cloud and/or investing in cybersecurity.
Every organization has confidential information which would be incredibly damaging if it were to get out. That information should not be stored in OneDrive, SharePoint, or Google Drive. It should be stored in a very secure system with limited access and full staff training for people with access.
If you’re dealing with legal records, your organization should use a system designed for legal records, with purpose-built security controls. Don’t choose a general purpose system like SharePoint or Google Drive and then try to build a secure legal file system yourself. It’s not being in the cloud that makes general purpose systems less than ideal for these highly confidential files, it’s the lack of out-of-the-box industry-specific security control points.
Semi-Private Files
Most organizations also have information that falls between the most confidential and completely public files. These files can be stored in a cloud system with some careful controls and training on access and security. A good example is proposals or grant applications. These are somewhat confidential in the sense that some information in them could be sensitive, especially around prices, financial standing and project staff salaries. If that information were to get compromised, however, the impact would be relatively low.
And these documents may be semi-public in addition to being semi-private. They are going to be shared outside the organization, and once that happens there is little a nonprofit can do to ensure continued confidentiality. Often, these semi-private files are written through a collaboration of a group of staff who need relatively easy access. Using a cloud system while training regularly on security practices is a good approach. Keeping semi-private files in SharePoint, which is secured in a variety of ways, and requiring multifactor authentication is the setup Community IT recommends.
Data Retention Policies and Practices
Many nonprofit organizations have records they are required to store, such as board minutes, nonprofit charter documents, organization governance policies, and others. If you are storing these essential policy documents electronically, there are two things to consider.
You want to make sure that you are doing backups and can restore from backup. In the event of a ransomware attack, your data could become unavailable as the hackers hold your systems and data for ransom. If your files are backed up regularly and you can restore from backup, theoretically you would not have to pay a ransom to get them back.
However, if the hackers have both your data in the cloud and your backup in the cloud, you are still vulnerable. So ensuring that your backup is separate is essential. You may want to periodically back your essential files up to an external hard drive in addition to any cloud-based backup. And in addition to that, you may want to print out a hard copy of essential phone numbers in the event of a cyber attack. Your insurance broker, your IT director, your major vendors all have resources that can help you recover. You should alert them immediately in the case of a cyber incident.
If you are keeping essential documents in hard copies on-premises, or in an on-premises server, you probably still want to have an electronic backup in case of a flood or fire. Your data retention policies should be documented and are one of these essential documents that you need to backup.
Bottom Line on Cloud vs Local File Storage:
Make it part of your cybersecurity plan, and don’t skimp on the training
It’s important to think about all of your information from a security perspective. Most of us would not say “Well, we’re going to move all our work to the cloud and not require training on security,” but often that is what our policies inadvertently do.
It’s important to examine every new technology from a security and usability standpoint as you implement it, and to develop staff security training as appropriate. This includes all your collaboration platforms such as Teams, Slack, and Zoom.
Some organizations get nervous about putting their information in the cloud, fearing an increased risk of compromise. But the truth is that on-premises systems create so many obstacles that staff rely on workarounds that can actually create more risk.
So which is more secure, cloud vs local file storage?
The reality is that files stored on a staff person’s local machine or on a local server are probably at as much or more risk than files stored in a secured cloud location like SharePoint, Dropbox or Google Drive.
There’s a lot more insecurity in older systems where, for example, a staff person needs a file at home to work on, so they email it to themselves. Email itself is not a secure method of transferring a file. They go to their home computer, log in, download the file to their personal computer and start working away on it, eliminating any security benefit of a physically secured local file server.
With data in the cloud, you can access it from anywhere. You can also easily protect it with multifactor authentication. Cloud-based systems can be secured remotely, which can be an enormous advantage in times of physical disasters such as a flood or fire, or cyber disaster such as a hack attempt. And cloud-based systems can be managed at a granular level by your IT team, allowing easier on-boarding and more secure off-boarding to cut off access to former staff. If you have taken the right security precautions, cloud vs local file storage will both be secure.
Ready for IT support you can depend on?
Many times in this article we have emphasized the importance of having documented cybersecurity policies, and in investing in staff cybersecurity training. It is a top priority at Community IT to work with our clients to keep their data secure, whether it’s local or in the cloud.
You can download our Guide to Remote Work: Microsoft SharePoint and Teams for more tips here.
Our process is based on 25 years of exclusively serving nonprofits. Our technicians have certifications across all major platforms, and we constantly research and evaluate new solutions to ensure that you get cutting-edge solutions that are tailored to the needs of your organization.
We regularly present webinars at Community IT about nonprofit technology issues, and we work hard to keep our nonprofit technology community informed and engaged in best practices, including this IT support for nonprofits guide.
If your organization needs implementation support to help your cloud-based system work better for your needs, or if you are contemplating a new system, or have other cybersecurity needs to assess, let’s talk.