How HR can manage the risk of cloud computing

Sophie Vanhegan , 10 May 2013

cloud computing

Cloud technology is the future for the business-world. According to KPMG, it’s now used by most organisations. However, with this new technology come new risks for company information security, and it is important for HR teams to ensure that they update company IT policies to adequately protect business interests.

What’s different about cloud computing?

Cloud systems are often different from the traditional IT infrastructure set up by a company itself because they are normally provided by a third party supplier, and so businesses do not have as much control over the cloud system as they would over their own IT infrastructure. 

For these reasons, cloud computing raises new risks for company information security. For example, it can be difficult to trace the web browsing history of an employee who views the internet inside the cloud (as they may be accessing web-based email to move documents outside the cloud), and it is often possible with cloud environments for documents to be copied within the cloud and then pasted outside it onto a personal desktop. 

Why does this affect HR?

For companies considering moving onto a cloud-based system (or for those who have recently done so), it is vital for their HR teams to ensure staff IT policies adequately cover the company in the cloud-era against the risks of employees removing company information for illegitimate purposes.

As a first step, HR should sit down with the IT team to ensure that they understand the technology and what is involved with the particular cloud system which the company uses or may use. If those explanations unveil potential information-security risks (such as those listed above), this may influence the company’s choice of cloud-service provider or its choice of additional services (such as an email archive). 

Ideally, businesses should start by implementing technology-based restrictions on what staff can do. For example, it is one thing to tell staff that they cannot send work emails to their private email accounts without permission, however it is much easier to prevent such email traffic in the first place using technology.

Turning to the staff handbook, HR should also check whether the following questions are covered adequately in any IT policy:


  • Does the IT policy make clear that emails and internet and general IT activity at work can be monitored?
  • When will the company use the cloud – for all IT infrastructure or only select applications?
  • Does the company allow employees to access personal webmail at work? Is access allowed inside or outside the cloud?
  • Are staff allowed to email themselves to their private accounts, for example to facilitate work outside the office?
  • Does the company allow employees to access cloud storage systems, such as Dropbox, at work? Does the company allow employees to put company information into such systems?
  • Can employees use personal devices for work purposes – for example, laptops or tablet computers, to log-in remotely?


It is also essential that the IT policy is clear about what is and isn’t company information and company property, and that this explicitly covers soft copy documents. 

To the extent that the company is prepared to allow employees to use personal webmail and personal cloud storage systems at work, in order to minimise the risks of illegitimate use of company information, the policy should make clear that neither should be used for work-related purposes without prior permission, nor should they be used to send or store company information outside of the company’s systems. 

Finally, the IT policy should also be supported by up-to-date confidentiality and company property clauses in the company’s employment contracts.

With the new possibilities that cloud computing raises for companies, it is crucial that businesses update their IT policies and employment contracts to help protect themselves from employee theft. With updated policies in place, these should form the basic building blocks to trace employee theft if it strikes.


Sophie Vanhegan is a senior associate at GQ Employment Law LLP

4 comments on this article

Your comment

Click here to comment

Clous risks

Veronica 10 May 2013

Great post, thanks for the insight, recently came across an comprehensive whitepaper on cloud risks while researching cloud security "Cloud risks Striking a balance between savings and security" it offers very good information,readers will find it very useful @ http://bit.ly/ZFPu1l


Jon Ingham, Strategic HCM 11 May 2013

"businesses should start by implementing technology-based restrictions on what staff can do"

Too much restriction promotes workarounds

Jo Dodds 13 May 2013

My thoughts too Jon! As I read through, apart from the obvious lack of trust issues implied, it struck me how starting with this sort of attitude promotes security issues as people create their own workarounds to enable them to get their jobs done. And that ends up defeating the object of the restrictions in the first place! Completely get that organisations need to think about their data security but not to the exclusion of getting the job done and trusting their staff to do it.

HR managers shouldn’t miss ticket to the cloud

Lee Grant, Youforce 15 May 2013

While security will always be a hot topic, the cloud is an on-coming high-speed train which shows no sign of slowing down; so we should all enjoy the ride. The Cloud has proven itself as an invaluable business tool for things like file and document sharing as well as CRM. Instead of letting the security implications surrounding The Cloud worry HR Directors (there is after all no evidence that the Cloud is any less secure than on-premise solutions) and slow down their drive towards next generation HR, HR departments need to focus on how they too can benefit from the Cloud. SaaS based HR solutions allow HR directors to manage activities more efficiently, empower employees to drive their own careers and provide CEO’s with the insight to drive company productivity and ROI. HR departments should by no means ignore the issue of security, but they shouldn’t stand still for fear of it. With the birth of new technologies – from the invention of the photocopier, USB key and now the cloud, there will always be new security implications. Those that try blocking new technologies or limiting their use run the risk of the train – driven by the adopters – running them over.

In this issue: August 2015
fragment image

Stand and deliver: Fresh austerity measures are on the way – but can public sector HR seize the strategic opportunity?

Eureka moment: HR at engineering firm AMFW

Going for gold: Maintaining the Olympic legacy

On the money: Providing innovative rewards

MA Business & Leisure Limited © Copyright 2015, All Rights Reserved