So, the industry is officially on notice, but it is not alone. Detective Inspector van der Graaf estimates that half of all Government sites "are compromised", and he has some strong recommendations for any industry. "If you don't need payment data (on the Internet), get rid of it," he says. "If you can't secure it, outsource it. Hire the right database administrator. Do an annual penetration test."

Where's the data?

Graham Sammells, IQ Business Group, also advocates proactivity, but on the part of the fund when it is selecting a cloud provider. "Look at the potential service provider," he urges. "Ask questions about security encryption." Reliable cloud providers typically have more robust systems because they are under scrutiny from the large organisations in their client base. Further questions to ask are "Where is the data stored?" and "In which country?", Sammells says. The IQ Business Group works with clients on three main areas: security, the vendor's viability, and data loss. "It's a different way of thinking," he says. "Just as Amazon and eBay changed the way we shop, the cloud is changing the way we do business."
If a fund's member information is in the cloud, Sammells says, there must be rigorous questioning: what degree of encryption is used, and who has access to the data? Like many commentators in the industry, whether they are for or against cloud computing, Sammells says the main enemy is within, or comes through accidental breaches such as leaving a PC on the train with the spreadsheet still open. Pure Hacking's Ty Miller has worked on numerous ethical hacking engagements (external penetration tests, cloud assessments and internal tests) and says one of his main concerns is that many cloud providers use virtualised systems that clone the client's environment and data, which raises privacy concerns. This leads him to recommend a dedicated server on its own network as the best solution. The hosting company must also comply with the standards the client organisation is itself required to meet. And even if the cloud service runs on a dedicated server, Miller warns, the prospective client must determine whether that server shares a network with other servers.






