87 percent of SMBs believe the cloud is very or somewhat secure, according to a survey from Clutch.

A significant percentage of small- to mid-sized businesses (SMBs) are taking advantage of the convenience and cost savings afforded by free cloud storage solutions, according to a new study from Clutch. But the safety of stored information, particularly financial data and health records, is a risk for enterprises lacking controls.

The Washington, D.C.-based B2B ratings and reviews firm just released its second annual "Small Business Cloud Storage Survey," which found that SMBs rank security as their top priority when shopping for a cloud storage provider.

And, according to respondents of the survey, which queried nearly 300 SMBs that use at least one cloud storage solution, 87 percent of SMBs believe the cloud is very or somewhat secure.

So why would SMBs rank security as a priority when shopping for a solution when they already regard the cloud as secure? The study determined that there are some misperceptions regarding cloud implementations, owing to their complexity as well as how users interact with them.

The consensus is that this is such a new technology that not many users have much expertise in its capabilities and options. The security of data housed in the cloud can depend on how users operate.

"In the end, it doesn't matter if you have every finishing touch to your cloud storage's security – because the biggest threat to cloud security is human error," the report stated.

The report cited an example illustrating how easy it was for a pen tester to obtain a CFO's password using spear phishing. One danger shown was that encryption might not matter if an attacker has a user's password. At that point, the system grants the attacker access because it received the appropriate credentials.

The solution, said one expert, is to implement dual-factor authentication. The point is that for all of the cloud's bells and whistles, the human factor – how users interact with the technology – is the determining factor.

That's particularly pertinent owing to the plethora of regulations – such as HIPAA and PCI – that demand enterprises adhere to criteria to assure the protection of user data. Experts point out, however, that despite these requirements a number of SMBs are not compliant with them.

Free cloud storage, the study found, can be appropriate for storing information in some situations. But the danger comes when medical records or customers' financial information are involved. The study found that 14 percent of SMBs are storing medical records and 11 percent are storing bank card information in their free cloud storage.

Experts agree that this is inappropriate as free cloud storage does not include the highest level of security and so clashes with compliance requirements. 

"On the surface, paid cloud storage allows for a greater variety of files to be stored and a longer retention rate (so you can access previous versions of saved files from much longer ago)," Riley Panko, a marketing analyst at Clutch, told SC Media on Friday. "However, paid cloud storage also offers features, such as user authentication, that allow for greater management of user access, where you can enable and disable access to files for certain users."

This is important for security and privacy, she said. 

She also pointed out that regulations such as HIPAA carry hefty fines if violated. "Storage providers are unlikely to sign a BAA [Business Associate Agreement] that is typically required for HIPAA if they are simply a free user, given the implications of contractual violations," Panko said.

Free cloud storage can work for certain small businesses, she explained. "If your data will not compromise your company if lost and you do not have to follow a regulation such as PCI or HIPAA, then it's fine," she said, adding that free cloud storage offers a high enough level of security for non-critical information. "However, experts enthusiastically agree that paid is the way to go if you are storing any type of sensitive data."