Cloudy Thinking on Sensitive Corporate Data

It’s 3am in the morning, do you know where all your company data is? The chances are that some of it is in paper format around the office; some is stored electronically on PCs, shared drives and servers; and probably more than you expect is being carried around on employees’ personal devices or in their homes. A growing proportion of business data will also be offsite ‘in the cloud’. 

Cloud computing storage models sound ideal: it makes your treasury information easy to access and easy to share; storage space is unlimited and it’s low cost. However, there are security risks and other implications such as resiliency that need to be considered, especially when working with confidential financial records.

A survey of the finance sector conducted by Opinion Matters on behalf of Iron Mountain recently questioned 1,200 business leaders, including finance, IT and legal professionals, between late November and mid-December 2012. Focused on mid-sized to large businesses employing between 50 to 5,000 staff across the UK, France, Germany, Hungary, the Netherlands and Spain, the survey found that finance managers across Europe are concerned about the risks of placing sensitive data in the cloud. The concern centres around the security of data centres, listed as a top risk by 57% of respondents. 

Treasury peers in other sectors noted similar concerns. Yet despite claiming to be aware of the risks, the study found that in fact finance managers adopt a relaxed attitude when it comes to cloud storage, with more than a third (35%) believing the cloud to be appropriate for storing confidential accounts, invoices, insurance claims and tax records. This is compared with 32% of IT managers. 

A Wrong Assumption

What might explain this laid-back approach? One reason could be a lack of understanding about where responsibility for the data lies. The study showed that an overwhelming 88% of UK finance leaders believe that responsibility for the protection of their business data rests with the cloud service provider. This, however, is wrong: both the UK’s Data Protection Act and the European Union’s (EU) Data Protection Directive state that ultimate responsibility for security lies with the ‘data controller’ – the one deciding how and why the data is being stored and processed, and who is therefore accountable for any lost or compromised data.


Cloud storage offers many advantages that corporates can enjoy. It does not, however, replace the need for a comprehensive archive and backup strategy. Companies should take an approach that combines the benefits of cloud storage with the offline protection of magnetic tape technology.

While treasurers and finance managers should in no way be put off using the cloud, they should not do so indiscriminately. A lack of understanding of the risks associated with cloud storage can lead to ill-considered strategies that could expose businesses to data breaches and the associated financial and long-term reputational impacts. As the finance department is the lifeblood of any organisation, it needs to ensure that the business has done its research when it comes to the cloud. 

Finance professionals need to apply common sense to what data belongs in the cloud and what should be stored elsewhere. Most of all, they need to make sure they, and the business as a whole, understand and accept full responsibility for their information, wherever it is kept. This brings us back to the opening question. If you don’t know the where your information resides, now might be a good time to find out. 




Related reading