What we can learn from Sony, Moonpig and Taylor Swift on Cloud Security

Swift on Security

Information security topped the news agenda in 2014, for all the wrong reasons. We saw Sony fall prey last year to particularly vicious and well orchestrated attacks, costing the business $100ms, not to mention a significant loss of reputation globally. A little nearer home, the ‘half-arsed’ security measures of Moonpig were exposed by developer Paul Price, after the company failed to resolve a security glitch exposing the partial card details and personal data associated with 3 million customers. These are just the high profile stories. You know that online security has entered the mainstream when Taylor Swift starts tweeting on the subject*

With bad news stories like the above, is it any wonder that the most important question many customers want answered before setting (virtual) foot on the Salesforce platform, is this:

Is it secure?

Here’s some good news. Yes we can say that, by today’s standards, the architecture of the Salesforce platform is secure. In fact if you are an SMB with no time or capital resources to build your own bomb-proof on premise data centre then putting your data on an established platform is indeed the only way you can bring enterprise class security to your organisation.

The 78% of UK businesses now using cloud services are aware of the security credentials of the modern cloud platform . Indeed 11% of  businesses have adopted the cloud and all the benefits it brings in earnest and are now using four of more services. The trend to the cloud is ever upwards (pardon the pun..)

So what do these cloud-happy businesses know that their more cautious counterparts do not? In simple terms the key to security lies in your Cloud security policy not in your platform. It was the fact that there was no enforced security policy in place that led to Sony being so spectacularly hacked. In the words of one employee,

There was no real investment in or real understanding of what information security is…

Post-hack reports show that sensitive files were not encrypted internally or password protected. Would your business fall down here too? How about your policy on people leaving the company – what happens to their access to data once they are no longer employed by the business? If you operate a BYOD (bring your own device) approach, do you have controls over what happens if one of those devices gets lost or stolen?

These are just a few of the considerations. If you are wondering where to start, making sure that your security is up to scratch, we would recommend taking a look at these four documents (or five, if you process online card transactions) for starters.

1) Your existing data governance strategy

Whether you’ve adopted cloud or not, the goals and principles of data governance are the same: In brief, this is not just about storage, but about getting the right data to the right people. With this in mind, it’s likely that adopting cloud technologies will mean that most businesses can re-purpose their existing strategy rather than re-inventing the wheel.

2) The 1984 Data Protection Act

Not exactly a riveting read, but a necessary one. There’s no way round it, 30 years later it’s all here, and it’s all still relevant. So if you have responsibility for any kind of customer data collection for any purpose, you better get familiar with this document.

3) Data residency regulation specific to your industry

Highly regulated industries such as banking, or pharma, will need to pay careful attention to industry directives on data residency rules e.g. whether or not their data can leave the EU. In the past this was a thorny problem indeed for businesses on the Salesforce platform on this side of the pond. However, with the launch of the first European data centre in the UK in Oct 2014, and two more planned for Germany and France in 2015, this is one barrier to entry that is about to become a thing of the past.

4) Your business insurance policy

Sony Director of Information Security Jason Spaltro went on the record in 2007 with the following thoughts on the security loopholes in his operations.

I will not invest $10 million to avoid a possible $1 million loss

When all is said and done, the two hacks experienced by Sony last year will have cost the business around the $170m mark. The message? Make sure that your information security policy complies with the terms of your business insurance, as mistakes are expensive. If the worst does happen, you better make sure you are covered.

5) PCI Security Council Documentation

If your business involves collecting customers credit card data in order to process online transactions take a look at the guidance on the PCI Security Standards Council website. Everything you need to know regarding prevention, detection and reaction to security threats is there. Again, maybe not a fun read but an essential one.

So in summary keeping your employees, customers and business information safe in the cloud is a task that should not be underestimated. However, that’s not to say that you should allow security to discourage you from cloud adoption. Bear in mind that there are risks inherent to not adopting the cloud. The term ‘Shadow IT’ strikes fear into the heart of CIO everywhere as their frustrated employees bypass the IT department and start experimenting with unauthorised cloud based apps. The biggest risk of all is allowing yourself to be left behind by the competition as they reap the rewards that the cloud brings.

It’s worth bearing in mind one last point – At the heart of the modern day security breach, you’ll find a person, not a platform. It was a failure of policy that brought about the security failures at Moonpig and Sony.

What now?


Want to talk to someone about cloud security on the Salesforce platform? Get in touch, we are always happy to talk. Contact details are in the footer.

*Just FYI, we are not convinced that this is actually Taylor Swift behind these tweets.

 Next month

Valentine’s day is fast approaching, as we’ll be taking the opportunity to talk about managing relationships….



Swift on Security
By Amy Grenham
20 January 2015
SalesforceThe Good Systems Blog

Share this post

Catt to action

Amet aliquam id diam maecenas ultricies mi eget mauris

Lorem ipsum dolor sit amet, consectetur elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.