Many nonprofits who began working entirely remotely this spring found that they were in fairly good shape as an organization if they had already moved to a cloud-based system such as Office 365. Staff could work from home using reliable email, with video conferencing through Teams or Zoom replacing in-person meetings.
However, some organizations that use cloud-based file systems may be wondering how secure these online file storage systems are. They allow remote staff to collaborate from anywhere, and look up policies and documentation – but could they expose your organization to a data breach? Which is more secure, cloud vs local file storage?
What type of risks are involved in moving all company records to the cloud? How does a security-minded nonprofit address the risks and invest in good practices both in the technology itself and in staff training and support?
Cloud vs Local File Storage: Security
Typical files that don’t have privacy regulations associated with them are probably safer in a cloud-based system—where they’re being automatically backed up—than on someone’s local (laptop/desktop) machine.
The comparison between cloud storage and an on-premises file server is more nuanced.
One of the security benefits of having files on an on-premises server is that you have to be on the local network to access those records. But being on-premises is not something most of our customers are able to do during this pandemic, so organizations consider adding a VPN (Virtual Private Network) or an RDP (Remote Desktop Protocol) server to their networks to provide remote access to those files. That reduces the security benefit of storing files on an on-premises server; it’s like adding doors to a fortress wall. You can add an additional layer of security to your VPN or RDP server with Multi-Factor Authentication (MFA), but you will need to maintain that extra layer of security to account for the extra layer of risk. And once you’ve opened those doors in the fortress wall, the on-premises server’s advantage over the cloud is negligible from a remote hacker’s perspective.
Moreover, if a hacker or state actor really wanted to get to your on-premises server, they would probably be able to get into your office. It’s not that difficult to gain physical access to most of our offices, and most of us don’t think about that when we think about cybersecurity protections. If you are in a field where state actors may be targeting your nonprofit, you must consider physically secure offices in addition to cybersecurity.
Files that are subject to regulation, for example under HIPAA or laws covering personally identifiable information (particularly medical information), are tightly regulated for the privacy and security of the owner of the data. Any files subject to HIPAA or other privacy laws such as GDPR need a system that is designed to protect that information and is built to be compliant with the applicable regulation, such as HIPAA.
Staff should clearly understand that they must never store any regulated information in unencrypted form, for example as email attachments, or share it through systems like Slack. Community IT recommends documenting such file privacy policies at the organization level, spelling out training requirements during staff orientation, and reiterating them on an ongoing basis.
SharePoint is designed to allow HIPAA compliant use and can be used in a HIPAA compliant way. Out of the box it does not have all the controls enabled for HIPAA compliance, so you must be conscientious in adding those controls and maintaining a staff security training regimen. Your IT support should be able to set up these files and access in a secure way. If your SharePoint is not set up to be compliant, your staff must understand that they cannot store private records such as those regulated by HIPAA there.
You also need to invest in cybersecurity insurance and to consult counsel with experience in HIPAA/privacy laws. Disclaimer: Community IT are not lawyers and this article should not be considered legal advice. You should seek appropriate counsel for your own situation and in the jurisdiction where you do business. We highly encourage you to understand your legal rights and liabilities regarding any private data your organization stores, and to work with your broker to confirm that your cybersecurity insurance is tailored to your specific risk exposure.
Once you have ensured that any legally protected files are stored in a system that is compliant with regulations, you should understand the risks of storing other sensitive files in the cloud or on a local server. You need to evaluate the level of risk associated with sensitive information getting out and include that in your evaluation of the ROI of moving to the cloud and/or investing in cybersecurity.
Every organization has confidential information which would be incredibly damaging if it were to get out. That information should not be stored in OneDrive or SharePoint. It should be stored in a very secure system with limited access and full staff training for the people who have that access.
If you’re dealing with legal records, your organization should use a system designed for legal records, with purpose-built security controls. Don’t choose a general purpose system like SharePoint and then try to build a secure legal file system yourself. It’s not being in the cloud that makes general purpose systems less than ideal for these highly confidential files, it’s the lack of out-of-the-box industry-specific security control points.
Most organizations also have information that falls between the most confidential and completely public files. These files can be stored in a cloud system with some careful controls and training on access and security. Good examples are proposals or grant applications. These are somewhat confidential in the sense that some information in them could be sensitive, especially around prices, financial standing and project staff salaries. If that information were to get compromised, however, the impact would be relatively low.
And these documents may be semi-public in addition to being semi-private. They are going to be shared outside the organization, and once that happens there is little a nonprofit can do to ensure continued confidentiality. Often, these semi-private files are written through a collaboration of a group of staff who need relatively easy access. Using a cloud system while regularly training staff on security practices is a good approach. Keeping semi-private files in SharePoint, which is secured in a variety of ways, and requiring multifactor authentication, is the approach Community IT recommends.
Bottom Line on Cloud vs Local File Storage:
Make it part of your cybersecurity plan, and don’t skimp on the training
It’s important to think about all of your information from a security perspective. Most of us would not say “Well, we’re going to move all our work to the cloud and not require training on security,” but often that is what our policies inadvertently do.
It’s important to examine every new technology from a security and usability standpoint as you implement it, and to develop staff security training as appropriate. This includes all your collaboration platforms such as Teams, Slack, and Zoom.
Some organizations get nervous about putting their information in the cloud, fearing an increased risk of compromise. But the truth is that on-premises systems create so many obstacles that staff rely on workarounds that actually create more risk.
So which is more secure, cloud vs local file storage?
The reality is that files stored on a staff person’s local machine or on a local server are probably at as much or more risk than files that are being stored in a secured cloud location like SharePoint or Dropbox. There’s a lot more insecurity in older systems where, for example, a staff person may need a file at home to work on, so they email it to themselves. Email itself is not a secure way to transfer a file. They go to their home computer, log in, download it to their personal computer and start working away on it, eliminating any security benefit of a physically secured local file server.
With data in the cloud, you can access it from anywhere. You can also easily protect it with multifactor authentication. Cloud-based systems can be secured remotely, which can be an enormous advantage in times of physical disasters such as a flood or fire, or cyber disaster such as a hack attempt.
Ready for IT support you can depend on?
Many times in this article we have emphasized the importance of having documented cybersecurity policies, and in investing in staff cybersecurity training. It is a top priority at Community IT to work with our clients to keep their data secure, whether it’s local or in the cloud.
Our process is based on 25 years of exclusively serving nonprofits. Our technicians have certifications across all major platforms, and we constantly research and evaluate new solutions to ensure that you get cutting-edge solutions that are tailored to the needs of your organization.
We regularly present webinars at Community IT about nonprofit technology issues, and we work hard to keep our nonprofit technology community informed and engaged in best practices, including this IT support for nonprofits guide.
If your organization needs implementation support to help your cloud-based system work better for your needs, or if you are contemplating a new system, or have other cybersecurity needs to assess, let’s talk.