Stuck in the middle - How do SMEs work with their cloud service providers?
The use of cloud services continues to rise, with businesses and home users benefiting from the cost savings, access to additional technologies and the ease with which they can collaborate and share.
However, with this comes an increased complexity in the number of stakeholders there are in supply chains and the regulations and legal protections that frame how we interact with our suppliers and customers.
Some great examples of this are:
- How do we know that our suppliers are making the right level of security investment?
- What is the division of responsibilities (legally and technically) in our new system?
- How do we now respond to compliance questions?
From the perspective of the smaller company, these questions are particularly challenging. If a business is not a technology expert and they’re outsourcing their IT use to a third party, how do they know what to ask for and whether their agreements provide what they need? It’s a catch-22, because in attempting to reduce the costs of staying competitive and adopting new technologies, businesses find themselves in need of support translating specifications and matching them to requirements. The irony is that the biggest knowledge gap companies need to fill to make these cost-saving decisions doesn’t tend to be about technology – they need to understand what they’re being promised; they need someone to translate the legal part of the agreement. Also, the small company needs to distinguish between multi-tenancy and single-tenancy environments. Multi-tenancy environments tend to offer the most in terms of cost savings but less in terms of flexibility. For the purposes of this discussion, we are talking about multi-tenancy cloud offerings.
These days, people’s intuitive reaction, when they see discussions about cloud services and what to ask for, is to head towards their concerns about GDPR, but the GDPR is only one regulation and businesses need to think about other factors:
- Are there other regulations that they need to be aware of, perhaps that aren’t obviously linked to technology use, or that are sector specific? For example, financial services regulations may have restrictions over cloud adoption minimum criteria. Also, operators of critical services (for example, utility companies) fall within the ambit of the Network and Information Systems Regulations which require them to implement appropriate and proportionate technical and organisational measures to manage the risks posed to the security of any network and information systems on which their services rely.
- What are their existing contractual duties and obligations that a business needs to fulfil when they’re choosing a supplier and how will the suppliers’ terms limit how they can respond to compliance questions on future bids? For example, a small software as a service provider contracting with a big customer may sign up to quite extensive security audit provisions. These may also cover the provider’s subcontractors downstream – can the provider impose these on its downstream cloud providers who are likely to be large utility-like organisations like AWS or google? Highly unlikely in reality, so it leaves the small provider stuck in the middle.
- How do we plan our own development roadmap, when our contracts make us dependent on the service provider's roadmap? A consequence of standardisation in cloud computing (with much less frequent bespoke software solutions) has been a relinquishing of control by businesses over any changes to the services which they purchase. It will now often be the suppliers that "own" the development roadmap for the services they supply to many customers. Businesses therefore need to consider how they get transparency over planned changes and how they respond to changes that do not suit their business or allow them to comply with regulatory requirements or their existing contractual duties. Cloud providers do not offer the same fully customised systems SMEs are used to!
- How does nominating a cloud service provider alter internal policies and staff training requirements? While outsourcing our technology use allows businesses to hire fewer IT specialists in-house and to avoid owning so much equipment, we don’t outsource the people who have to use the IT system. As our people, with the pressures that we put them under, are often the most vulnerable part of the system, outsourcing IT means businesses still need to retain some budget for training staff in how to use the new system in the way it was intended and in compliance with cyber security policies. A lack of training can also make the costs of using a cloud platform unmanageable – businesses might have to adapt their processes to fit the standard build of a cloud product.
- What are the consequences of changing how we budget and pay for IT services? Usage-based payment models offered by suppliers can be potentially beneficial however using such model can carry a risk if the usage of the services by the business exceeds its budgeting. One of the key risks here is storage. If the business is required to pay extra for more storage, it needs to have in place policies to control increases in storage of data. Duplicate records will become a direct cost as well as an inconvenience. Businesses will need to think about how long they really need to keep information.
- How much will we have to change the way that we work? Businesses are used to ICT being designed bespoke to meet their business processes but cloud computing solutions are generally not tailored for individual customers. Businesses need to design and adopt processes and policies that make the best use of the cloud service as it stands.
- Is a supplier confident enough to make it easy to leave? If a business is assessing whether to place their most critical functions and most sensitive assets with a third party, then it's not enough to think about how to make it work... In fact, one of the most important roles of a contract is to provide the framework for what will happen when a relationship goes wrong, the customer's needs have changed, or the software has evolved and pivoted away from the functions a customer needed. What things do customers need to understand? How long is everyone locked in for? What guarantee is there of uptime, quality and consistency of service? What provisions are there for backing up and returning data? How much support will the supplier offer their customers during this process?
Using cloud services isn't necessarily any more risky than a business' pre-existing IT provision for an SME, but the risks are likely to be in different places. Inevitably, there are some risks to multi-tenancy cloud platforms, because the services are less mature than the IT outsourcing equivalent. Knowing which risks an SME is accepting is all about understanding the implications of the contract that they are offered.
From a cloud supplier’s perspective, it’s important to understand what a small business is experiencing:
- Regulations are expensive to react to and so services that have a demonstrable level of compliance will simplify an SME’s task. For example, if you offer call centre technology, it may be necessary to be able to show that the technology is payment card industry (PCI) standards compliant in how payment card details are handled, secured and retained.
- Customers often have a different definition of 'easy to use’. Support plays an enormous role in how well a product is received, because when transitioning to the cloud businesses are giving a supplier a far greater level of control over their systems than they would have in previous configurations. Businesses can't afford to be dependent on services that don't work, so the level of customer support available needs to be proportionate to the amount of system control a cloud supplier retains.
- The hidden compromise when SMEs transition to cloud services is that they lose access to technical knowledge when things go wrong. For example, if your customer has signed up to notify their customers of breaches within a fixed delay then they need the expertise to be able to describe what that breach is, the impact it is having, etc. When SMEs outsource the day-to-day IT operations, they often forget that those experts are also on standby to help produce this information when something goes wrong. If a cloud provider describes the processes in place to investigate within their systems, provide timely information and possibly even provide expertise, then they're de-risking the choice to migrate to the cloud.
- SMEs get stuck in the middle – their size gives them limited bargaining power, meaning that both customers and suppliers think it’s okay to insist on inflexible Ts&Cs. The problem is that the terms that the customer wants the supplier to comply with are often difficult to achieve. They are the things that their cloud suppliers want to exclude from their terms to make their lives easier! For example, suppliers will want to minimise the ability to make bespoke changes to the service, but the SME’s customer might want it to have a specific feature set. Or another example is that suppliers will want wide discretion to suspend services or remove data if they consider the integrity or security of the system is at risk. The SME’s customer will be extremely resistant to such a carte blanche approach.
So, what can we learn from thinking about the adoption of cloud services from both the supplier’s and the small business customer’s perspective?
What looks like a simple choice for a small business actually comes with a lot of complex legal considerations. When companies innovate products for an SME marketplace, it might not be the product that holds back sales – sometimes tweaking what you’re promising customers in the small print can make a difference. And, if you need good technology, or to find innovative ways to attract more customers to your platform, you might actually be looking for legal expertise!
This article has been written in partnership with cyber security expert, Emma Osborn, of OCSRC.