How safe are my personal documents in the cloud?
Smart About Money | 12.11.2025 16:23
Where is the best place to keep your personal documents, either as your primary place of storage or as back-up? These could include your ID, birth and marriage certificates; your will; bank and investment statements; utility bills; and even family photographs.
Thanks to technology we now have three options:
- Physically, in paper form in a file or drawer in your home.
- Electronically, on data-storage hardware in your possession, such as the hard disk drive on your computer, an external hard disk drive, a flash drive, or the memory on your phone.
- Electronically, on a cloud-based internet storage platform.
How safe are the different storage options?
It turns out that storing your documents in the cloud is not only the most convenient of the three options listed above, seeing that you have access to them wherever you happen to be on the planet (with, perhaps, a few exceptions), but may also be the safest.
Physical documents and your computer, phone and external drives are subject to destruction, malfunction, loss or theft. Documents stored in the cloud are encrypted, meaning they are stored in a code that can only be deciphered using the correct access key.
Brandon Muller, technical expert for the Middle East and Africa region at the global technology security company Kaspersky, says cloud platforms such as Google Drive, Microsoft OneDrive, Apple iCloud and Dropbox are safe for personal documents if used correctly.
“Most mainstream providers encrypt your files in transit and at rest, and run security that far exceeds what a typical home setup can provide. In practical terms, the cloud will not be stolen with your laptop or fail because of a spilled drink, and providers keep multiple copies to prevent data loss,” he says.
Wendy Tembedza, partner at law firm Webber Wentzel, agrees that the cloud platforms themselves are secure.
“The risk of documents being accessed unlawfully on cloud platforms is closely managed, especially among the well-established providers. This is because they operate globally and need to be compliant with international data protection and cybersecurity standards,” she says, adding that you still need to consider a provider’s terms and conditions and understand their implications.
Where do the main risks lie?
The risks of online storage lie mainly in the interception of information and unauthorised access to your accounts, and these risks must be managed from your side.
Muller explains: “With standard cloud accounts, the service usually holds the encryption keys, which means your privacy depends on the provider’s controls and on your own account hygiene. Your most significant single risk is not ‘the cloud’ but account compromise or malware on your phone or PC that steals login tokens and files.”
Tembedza says you need to look at your own device security and have controls in place such as firewalls, strong passwords and multi-factor authentication (MFA). It’s also essential to verify the sources of incoming emails before clicking on links.
“From a consumer perspective it's a lot about vigilance about what documentation you are getting and from whom you are getting it. We are in the information age, and because we are relying on these electronic tools there is a lot more risk. You can never be fully protected, because the nature of the risk is evolving every day, but businesses and individuals need to regularly review the protections they have in place and assess whether they continue to be appropriate,” Tembedza says.
Muller says that for further protection you can encrypt especially sensitive files before uploading, and when sharing, set link passwords, expiry dates, and download limits.
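Encrypting a file before upload means the provider stores only ciphertext and never holds the key. The sketch below is an added example, not from the article or the people quoted in it; it assumes the openssl command-line tool (1.1.1 or later), and the `DOC_PASSPHRASE` variable, the `MANIFEST` file and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: encrypt locally so the cloud provider only ever stores ciphertext.
# Assumes the openssl CLI (1.1.1+). The passphrase is read from the DOC_PASSPHRASE
# environment variable, so it never appears in the process list.
# MANIFEST is a hypothetical local file (never uploaded) of ciphertext hashes.
MANIFEST="${MANIFEST:-$HOME/.doc-manifest}"

sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# encrypt_for_upload <plain> <encrypted>
encrypt_for_upload() {
    # The high PBKDF2 iteration count slows down passphrase guessing.
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -in "$1" -out "$2" -pass env:DOC_PASSPHRASE || return 1
    # Record the ciphertext hash locally to detect later corruption or tampering.
    printf '%s  %s\n' "$(sha256_of "$2")" "$(basename "$2")" >> "$MANIFEST"
}

# decrypt_download <encrypted> <plain>
# "openssl enc" does not authenticate ciphertext, so the hash check comes first:
# a file that matches no recorded upload is refused before decryption.
decrypt_download() {
    grep -q "^$(sha256_of "$1")  " "$MANIFEST" 2>/dev/null || {
        echo "refusing: $1 does not match any recorded upload" >&2; return 2; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass env:DOC_PASSPHRASE
}

# Round trip on a constructed sample document in a temporary directory.
demo() (
    d=$(mktemp -d) || exit 1
    MANIFEST="$d/manifest"
    DOC_PASSPHRASE='constructed example passphrase'; export DOC_PASSPHRASE
    echo 'ID number: 0000000000000 (constructed sample)' > "$d/id.txt"
    encrypt_for_upload "$d/id.txt" "$d/id.txt.enc" &&
        decrypt_download "$d/id.txt.enc" "$d/id.out" &&
        cmp -s "$d/id.txt" "$d/id.out"
    rc=$?
    rm -rf "$d"
    exit "$rc"
)
```

If the passphrase is lost, the file cannot be recovered, so keep it in a password manager rather than next to the uploaded copy.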
What should I do if my phone is stolen or lost?
The Vodacom website says you should immediately blacklist your phone by contacting your cellphone network provider. This will block your phone from being used via the cellphone networks. However, it will not stop someone from using the phone over wi-fi.
Mark Walker, vice-president of worldwide telecom data and analytics at the International Data Corporation, says that if you have a “Find My Device” feature on another device such as a laptop, immediately de-authorise the lost phone and secure your cloud account by remotely logging out.
“Next, immediately change the password for your cloud account and any associated email accounts and revoke access for any third-party apps linked to your cloud account from that device. Of course, you should also report the device [to the police] as lost or stolen,” he says.
How safe is it to access the cloud on multiple devices?
Access from multiple devices means more potential entry points for an attacker, Walker says. “It is critical to control access and harden device security by using MFA to require two or more verification factors to access your account. Regularly check your cloud account's security settings page for a list of authorised devices and sessions. Remove any device you no longer own, use, or recognise and make sure each device has a strong, unique lock-screen password or PIN. Your cloud account password should be equally strong and unique from other services. A password manager is highly recommended to manage these complex passwords,” he says.
Also be aware, Walker says, that public-access wi-fi networks are highly vulnerable.
“The bottom line,” says Muller, “is you must treat your cloud account like a bank account – use a unique, strong password plus MFA, and protect your devices with an effective cybersecurity solution. Skip the basics and you are very much risking the safety of highly personal data.”