Small to medium-sized businesses (SMBs) risk data security if they use free cloud storage, but nearly 25% still do, despite warnings from industry experts. In addition, new findings reveal that 11% of SMBs are storing banking information and 14% are storing medical records in free cloud storage. The data comes from a new survey by Clutch (clutch.co), a B2B ratings and reviews firm.

Storing sensitive data in free cloud storage is an ill-advised and irresponsible business practice since necessary security measures are often lacking, according to cloud experts interviewed for the report. Businesses that store banking or medical information are required to comply with the Payment Card Industry Data Security Standard (PCI) or Health Insurance Accountability and Portability Act (HIPAA).
“If you need to be HIPAA compliant or PCI compliant, you should be using the highest level of security that you can obtain, and usually that’s not present on most free cloud storage accounts,” said Jeff Alerta, director of Technology at Inverselogic, Inc, a technology and web solutions company.

SMBs have high faith in the cloud’s security, with 87% saying that it is either very or somewhat secure. Despite this, though, security is still the top consideration for SMBs shopping for a cloud storage provider.

Mark Estes, regional director of Sales at Qubole, a self-service platform provider for big data analytics, says that this relates back to the behavior of the users themselves: “You have the people [who] agree that the cloud is secure. But they also understand the caveat that it is only secure if you use it in the correct manner… There are a lot of things that go into how you secure the cloud.”

Overall, experts emphasize that a cloud storage service’s security doesn’t matter if its users aren’t trained properly. The weakest link is typically the user.

“I recently did some penetration testing for a financial company,” said Jacob Ackerman, CEO of SkyLink Data and Business Services, a hosting provider. “Our job was to determine weak points. We used a fictitious email address and I was able to get their CFO’s password with a spear phishing attempt within 15 minutes. So from that point forward, who cares how good your encryption is?”

The survey is the 2nd annual iteration of Clutch’s Small Business Cloud Storage Survey, and included 293 SMBs who use cloud storage services. All businesses have 2-500 employees.