Smaller businesses often don’t have as much power to negotiate with cloud vendors, said Allianz’s Jenny Soubra. This makes it even more important for SMBs to carefully consider vendor relationships.
Jenny Soubra, US head of cyber for Allianz Global Corporate & Specialty, spoke with TechRepublic’s Dan Patterson about why there’s significant risk in bringing vendors into a business. Here’s their conversation:
Patterson: Vendors are an increasingly important part of almost every company’s business. Vendors also can represent tremendous risk. So as companies expand and add little cogs to their wheel in terms of vendors and their relationship, what is the associated risk with adding additional vendors?
Soubra: Well, there’s significant risk, and there’s two sides that we look at when we’re looking at vendor risk. There are the vendors that you bring on to provide services for you. So when you’re doing that you really need to look at what is in the contract, what are the terms around limitations of liability if something goes wrong on the vendor side that causes a loss of information or some sort of a privacy incident for the organization itself. We’re looking at indemnification provisions. Okay, something goes wrong, who is liable, who’s paying for it? Right? So there’s that piece of the vendor risks, so really evaluating the contracts, especially contracts that may have been in place for a long time.
When we’re looking at cloud providers, especially when we’re looking at the very large cloud providers, small companies don’t have the ability to negotiate the terms and conditions of those contracts. It’s a click-through agreement, you can take it or leave it. The cloud provider will give you the box. They say, “Here’s your box. Whatever you put in the box is your own responsibility. Even if we lose what’s in the box, it’s still your responsibility and we will take no liability for that.” So companies really need to consider what they’re putting out in the cloud.
So highly sensitive data, healthcare information, social security numbers, financial data, those sorts of things should not be stored in the cloud. Especially when the terms and conditions cannot be negotiated.