Seven years ago SI published a short article that stated if your data isn’t immediately accessible online, either behind your firewall or behind someone else’s firewall or in the cloud, when your employees need it, then they are going to download it to their machines. If their machine is a laptop, and the data is not securely encrypted, and the laptop is stolen then … it could cost your organization 1 million (or more) based upon research conducted by ZoneAlarm. There were a host of reasons for this including fraud costs (if financial information was stolen), lawsuits (if personal data was stolen), market loss (if trade secret data was stolen and sold to your competitor who then got a jump start on a competing product), and so on.
However, GDPR has upped the cost of a breach. Given that a single violation could result in a fine equal to 4% of your organization’s annual revenue, that could be a 4 Million, 40 Million, or even a 400 Million fine. And it’s not unreasonable to think that the EU could slap that size of a fine on you if you didn’t have any controls or policies around personal data and didn’t even notice when a junior HR employee decided to download your entire corporate directory to his laptop to do “statistical processing” on the weekend, didn’t bother to even encrypt the data, left the laptop at the bar where he stopped for a drink on the way home, where it got stolen, and the entire corporate directory, complete with SIN numbers and banking information, ended up on the dark web Saturday morning.
But if your data is online 24/7, and all of your applications your employees need to process that data is online 24/7, then they have no need to download the data, and if it’s easier to do it online than download, they won’t even try.
And don’t say its insecure to put your data and applications online. Don’t forget that as long as you have an internet connection coming in (and you do), your data is online whether you like it or not, and if the appropriate security precautions aren’t in place, any script kiddie who wants it can get it.
And unless you are an IT SaaS solutions provider, chances are your internal security controls are not as strong as the security controls the provider has put in place. Offering data and application security is part of their core business, it’s not part of yours. You can be sure they have strong encryption in place, multiple firewalls, DDoS detection capability, deep logging capability, penetration attempt detection, and other security controls that you likely don’t have.
Also, modern SaaS providers support private database instances (so if someone hacks your competitor, you don’t get hacked), private application instances (on your own private virtual machine that can be configured to only be access through your own private VPN), and deep security controls around users and roles.
So unless you plan on going 100% offline, and keeping all your data on machines only accessible on servers in highly secure facilities surrounded by Faraday cages, it’s probably safer for your organization to go 100% online.