All the while the press has been focussing on the question of the privacy of individuals in the wake of the NSA revelations, little has been said of the plight of corporate data. If it is so easy for the NSA to access almost any data traffic over the internet, does it also expose companies that use private or public clouds as part of their IT strategy?
The nervous flow-on to the corporate C-suite, and even to small and medium enterprises, is already having an effect in Germany, of all places. Maybe it’s because of the outrage felt there when news that Chancellor Merkel’s mobile phone had been tapped by its major ally.
A PwC survey released only last week found that 22% of German companies now see the risk of using cloud services as ‘very high,’ up from 6% before the leak; 54% overall say that risk is ‘high or very high.’
Almost 40% said they were now looking at email encryption and 25% at encryption of mobile communications while another 15% want to switch to European tech providers that are not cooperating with American or British intelligence services. But how big the fallout will be is yet to be seen.
On the other side of the globe, IT security expert and author David Lacey said big business doesn't seem to care about IT security. Speaking at a CSO Perspectives Roadshow in Sydney Lacey claimed that business "doesn't care" about IT security and won't do anything about it "unless you put a gun to their head."
He should know, because he has more than 25 years experience in directing security policy and programs for enterprises such as Shell, Royal Mail and the British Foreign & Commonwealth Office. He said it would take a large IT security incident before businesses cared more.
It may be that the Snowden revelations that triggered increased security concerns in Germany had not filtered through to Australian businesses. Perhaps the news that its own agencies were complicit in NSA activities and accused of spying on its closest neighbors that has made them complacent.
As one colleague explained, “until a security breach bites them on the *** they will go on thinking everything is alright.” Lacey was right when he said, “Basically nobody does security until the auditors come around and tell you you should’ve done something years ago to meet that compliance standard which was set years before which is based on established practice which was developed even longer before.”
Maybe that ‘laissez-faire attitude’ is justified now that other reports that the NSA has been looking at data in motion - network traffic - between Google's data centers, have come to light. It claims this was justified because it took place outside the USA where the NSA is permitted to conduct these operations. The full implications have yet to unfold but Google may also suffer backlash form its customers, despite claiming ignorance.
Google has condemned this activity and has explicitly stated, “We do not provide any government, including the US government, with access to our systems.”
Great, but individuals and businesses rely on Google for lots of services apart from search. How secure do they feel when news like this is disclosed? What self-respecting CIO/CTO could state categorically that his corporate IT infrastructure is totally secure when his data, running across international boundaries, clearly is not.
German businesses have probably got it right – encrypt everything, trust no one!