Is cloud software more secure than the desktop equivalent? It’s been a heated debate over the past eight years, and it’s often split along generational lines.

Some firms with sunk costs in servers and other tech infrastructure have been suspicious of putting client data in cloud-based applications or cloud storage. But mounting evidence suggests client files in the cloud are safer than the same files stored on desktops.

Deloitte New Zealand partner Anu Nayar leads the firm’s national cyber practice and cyber-incident response for NZ organisations. Of the more than 80 incidents he’s seen in the past 15 months, Nayar says: “While there have been incidents across both SaaS (software-as-a-service) and infrastructure within the organisation, there were definitely more cyber responses required with infrastructure under the control of the organisation than a SaaS provider.”

Not every hacker launches their attacks via the internet. “A physical attack is very simple and the strike rate is actually very high,” says Murray Goldschmidt from Sense of Security in Sydney. As well as the threat of theft to laptops and office servers, “an intruder can gain entry by ‘tailgating’,” Goldschmidt explains.

“Someone gets into the lift at the same time [as a staff member], gets off and walks into the office. If they’re unchallenged they can find a corner where they’re not observed and, once they are on the network, all your perimeter controls, your firewalls, are irrelevant.

“They don’t have to be there for very long. They can just get a tiny computer the size of a mobile phone and plug it in near a printer or under a desk, then remote-control that computer from the hacker’s office.”

That’s a problem you don’t have in a SaaS provider’s heavily fortified and access controlled data centre.

And there’s another indicator of the cloud’s superior security – reduced cyber insurance premiums for firms that have a majority of cloud-based client files.

“There is a reduction applicable to the risk profile. If we look at [the client files] and see they’re all on the cloud, they do get a discount,” says Rob Collyer, underwriting development manager at Nova Underwriting, which underwrites Accountancy Insurance. Fenton Green also gives a small discount on cyber insurance for larger accounting firms that use cloud software.

Google opened this €75 million data centre in Dublin, Ireland in 2012, and added another in 2016.

Cloud files are immune to ransomware

One reason for the discount is that client files stored in cloud accounting software such as Xero, MYOB Essentials and Intuit QuickBooks Online are effectively immune to ransomware attacks. 

Ransomware – software that encrypts a computer’s files until a ransom is paid – is one of the most effective and common cyberattacks on businesses globally.

In the US, ransomware cost small and medium businesses US$75 billion a year in 2015, according to Datto’s 2016 Global Ransomware Report. The average cost of a ransomware attack is US$133,000, security software company Sophos calculated in 2018. In Australia, the average cost of an attack to a business is A$276,323, according to Australian government figures.

However, ransomware needs to have access to a file to encrypt it. Files in the cloud are viewed through a browser; the files themselves are stored in heavily protected data centres operated by the software companies.

Accountancy Insurance associate director Karen McDonald says the insurer gives a 20% discount on its cyber-insurance policy to firms that go through the Practice Protect certification process. 

Practice Protect, which has a partnership with Accountancy Insurance, provides a platform and policies focused on data security for accounting firms. Firms using Practice Protect log into the security platform with one password to access all the software used within the firm, including software on desktop and local servers. The security platform itself is a cloud-based software.

But cyber insurance is struggling to keep pace with the dynamism of the cyber hacking community.

“If you’re insuring motorcars, every accident that could happen has happened. It’s been going for 50 years, and cars are getting safer with more computers in them,” says Drew Fenton, director of Fenton Green.

“When you look at cyber, the risks change on a daily, hourly, minute-by-minute basis. The risk of a global ransomware might only be for 48 hours then it dies away and something else comes along. And the bad guys are presumably getting better at it.”

“When you look at cyber, the risks change on a daily, hourly, minute-by-minute basis.”

Virtual servers can also suffer data breaches

“It is probably true that if your files are in a SaaS provider, and you have no offline version of them, then they are not subject to a localised ransomware attack,” says Adrian van Hest, PwC New Zealand partner and its national cyber leader.

But he adds that SaaS is vulnerable to other attacks such as staff inadvertently passing their passwords onto hackers by logging into fake tax portals, for example. Cloud software doesn’t stop someone signing in with the credentials of an authorised user.

Virtual servers (infrastructure-as-a-service or IaaS) are not inherently more secure either, says van Hest. Accounting firms often use virtual servers to store their practice management software in a remote data centre.

Stories of unsecured IaaS servers exposing thousands of customer details and client data are common. AusCERT, an Australian not-for-profit cybersecurity group formed in 1993, says that unsecured storage on Amazon Web Services is an ongoing issue.

Even website registrars such as GoDaddy have compromised customer data by failing to secure AWS S3 storage servers.

Nayar agrees: “If you don’t know how to get the right expertise to secure your files when you have control of a server, you’re not going to have the right level of understanding to procure cloud services that are secure either.”

The IT industry recognises that cybercriminals often outstrip the sector’s ability to defend against cyberattacks. Experts advocate a policy of minimisation rather than full protection, as no-one has infinite time or money to spend on security.

“The blanket solutions don’t work as effectively as they did a decade ago,” van Hest says. “Now we tell people to think carefully about their business and what is most relevant to you.”

For some businesses, their list of contacts is the most important thing. If this disappeared, it would materially impact their ability to function. For others, the loss of internet or the compromise of credentials to cloud software would be a greater risk.

“For accounting firms, it is the integrity of their client’s data and privileged data,” says van Hest. “The loss of that would be very damaging. We have seen organisations go out of business on the back of a compromise like that.”

So who is in a better position to protect client data – your firm or a cloud provider?

“Probably a cloud provider,” van Hest says. “It’s just economies of scale that someone like Xero would be able to protect their systems better than a single organisation.”

Compliance checks for cloud services

Does the cloud service:

• Encrypt your data at rest and in transit?

Cloud software sends data from a data centre to appear in your browser. If it isn’t encrypted during this transit, it can be accessed.

• Share your data with third parties?

Although not common, there are cases where business software shares data. Find out which data, who wants it and why.

• Securely decommission your data and assets if you leave?

Software companies may want to hold on to your data for benchmarking or trend analysis.

• Assign you the legal right to own your data?

Some software companies will take ownership of your data once you upload it to their service. 

• Have independent certifications?

There is a range of ISO standards that apply to data security. If you’re handing over sensitive data to a cloud service, it meeting those standards will provide a level of assurance.

Source: Anu Nayar, Deloitte New Zealand partner and national leader cyber, privacy and resilience.

Read more: