A security breach is still considered the biggest risk in cloud computing by businesses and their suppliers, according to a new global survey by Norton Rose Group.

The outsourcing report, Outsourcing in a Brave New World, details the views of CIOs, general counsel and heads of procurement from 74 businesses globally, including technology and life science businesses, retail companies, financial institutions, transport, energy and infrastructure companies and the professional services sector, as well as suppliers themselves.

"It seems that customers are still concerned about the risks of cloud computing transactions," said Norton Rose Australia technology partner Nick Abrahams. "Customers' main concerns are security breaches, loss of control over data and loss of data. For financial institutions, compliance risks are also key."

While the cloud computing industry has grown significantly over the past three years, Abrahams said suppliers still need to convince customers that their data is safe. "Recent, well-publicised data breaches have not helped," he said.

The survey also found that customers are using lengthy due diligence processes prior to entering agreements, with 61 per cent of suppliers and 66 per cent of customers claiming that due diligence procedures have tightened in the last three years.

"Due diligence is particularly relevant for cloud computing. The results show that data security is the key risk driver for all customers," said Norton Rose technology partner Michael Park. "Due diligence processes have improved in the past three years, but customers need to develop a due diligence process that tests and evaluates suppliers against key risks."

According to Park, the only way for customers to be sure that a potential supplier is appropriate is to visit the supplier, use their system and carry out reference checks.

VIEW ALL

While companies are increasingly taking on responsibility for risks, such as project delay and data loss, opinion is sharply divided on whether the customer or the supplier should take responsibility for political/jurisdiction risk.

"The survey indicates that customers do not perform due diligence on supplier's staff, assuming that this has been done by the supplier. Recent security breaches, however, show that it takes only one person to cause a devastating reputational impact," said Park.

"Where a company puts any element of its business into the cloud, it must ensure that due diligence has been undertaken on the supplier's staff given that they may have access to data about the company and its clients."