IT security professionals have a saying – “either you have been data breached or you just do not know that you have been data breached.” This is based on fact – a PwC survey found 93% of large UK companies (76% of small companies) suffered a data breach in 2012.
In October 2013 the European Parliament approved new data protection regulation, likely to become law in late 2014. Organisations will be required to notify their national data authority of serious data breaches within 24 hours, and fines for non-compliance are massive – up to 5% of worldwide turnover. Identifying, containing and remedying a breach within such a limited timescale will almost certainly require expensive specialist help, and notifying (and potentially compensating) those affected could be ruinously expensive. The USA has had similar regulations in place for some time, which have driven the growth of “CLIC” (Cyber Liability Insurance Cover). This will soon become a “must have” for all businesses.
Organisations do not only have to be wary of criminals – the revelations of whistle-blower Edward Snowden concerning the extent of US government snooping have focussed the attention of industry giants such as Google, Microsoft, Apple and Yahoo on the security of their data. Revelations that the NSA had been tapping directly into fibre optic cables demonstrate the impossibility of locking down a worldwide network of data centres, many of which are linked via third-party infrastructure. If it is impossible to prevent eavesdropping, the only solution is to ensure that the listener hears gobbledegook – i.e. encryption.
Google’s chairman, Eric Schmidt, recently said “The solution to government surveillance is to encrypt everything.” Microsoft has vowed to use “best-in-class industry cryptography.” The suspicion that US-produced software might contain hidden “back doors” to allow the NSA covert access is likely to discourage foreign governments from buying Microsoft software, hence Microsoft has instigated a “Government Security Program” which allows foreign governmental bodies to inspect Microsoft source code and verify that it is free from deliberate security flaws.
Even computer hardware is not free from suspicion – in 2005, Beijing-owned Lenovo bought IBM’s PC division. Allegedly MI5 and the CIA will not use Lenovo products due to a suspicion that they contain hidden access. Lenovo is currently seeking to buy Motorola’s smartphone business from Google, a move which might be blocked by a secret meeting of the Committee on Foreign Investment in the U.S.
Data security seems to be following the model of household security, i.e. it is near impossible to prevent a determined thief from breaking in – all you can do is make it sufficiently hard work that they look elsewhere.