Government Spying; What About Canadian Business Data?
By Claudiu Popa | June 1, 2013
The ongoing disconnect between government surveillance and civil liberties will continue to make the news in the weeks to come, but not much is published about the impact of all this surveillance on businesses, especially ones not located on U.S. soil.
In a recent article I mentioned a surveillance program created in the 1960s and the fact that despite its initial intention to intercept individual and military communications, its role gradually shifted towards industrial espionage and economic surveillance.
Today, no government has the computing power to store and analyze all the traffic traversing Internet routers every second of every day. But much of the traffic that does get captured, like much of what is stored in the cloud and exchanged via email, is inevitably business data. Some of it may belong to your business.
So what can you do about it?
The first step is to evaluate the risk to your organization, and that means answering three simple questions:
- How much of your corporate data is sensitive or confidential?
  Most organizations classify between one and 15 per cent of their data as confidential; the figure varies widely by industry sector and the nature of the business. How much of your overall data would actually create embarrassment or liability, or put you in breach of laws and regulations, is something you are best positioned to estimate.
- When does that data get transmitted over Internet, phone, wireless or satellite links?
  Most of the breaches we read about in the news involve lost laptops, USB drives and smartphones, because we know when those are gone. But what if there were no way of knowing? We have no control over the Internet, so we have to assume that Internet providers and other parties - such as the NSA - can sit in the path of your traffic as a man in the middle and sniff it, passively or by actively intercepting it. What you need to work out is how often sensitive data leaves the cozy perimeter of your office.
- How much of that data is NOT encrypted with industry-standard methods?
  Globally, only 35 per cent of businesses encrypt their data before transmitting it, which leaves a lot of room for unauthorized disclosure. Unfortunately the picture in Canada is worse, with at least 50 per cent of businesses transmitting data unprotected across untrusted media (such as the Internet, telephone or satellite links).
By assigning a fractional value to these answers and using a simple quantitative risk calculation you can derive the specific risk to your organization and even estimate the potential financial impact of such a confidentiality breach.
But that's a topic for another time. For now, let's talk prevention.
How can you protect your company from liability and undesirable inspection of sensitive traffic? Again, three steps:
- Review the terms of service of every data carrier and check whether they disclose, in the fine print, that customer traffic is monitored or handed over as a matter of practice. Ideally, your agreement with each telecommunications provider should not shield it from legal action on your part, should it become evident that it facilitated the disclosure of your data while in its custody.
- Review all your policies to ensure that employees, individuals and clients are not under the impression that you control their data while it is in transit. Limit your responsibilities as a custodian to - and that's plenty difficult, trust me - ensuring that standards-based confidentiality, integrity and availability controls are in place to protect sensitive information.
- Scrub your transmissions of sensitive data and encrypt the rest. Implement confidentiality, integrity and availability controls to protect sensitive information while in transit: in practice that means standards-based, authenticated encryption on every link that crosses untrusted media, so that the data cannot be read and any alteration along the way is detected. Now that you know which data is most at risk you can fine-tune your technology to protect it (or them, since data is the plural of datum, although it is most commonly used in the singular).
Encryption will be the name of the game in the foreseeable future.
Even with the creation of the NSA's Utah Data Centre and its unprecedented storage and number-crunching prowess, defeating strong encryption will remain an expensive proposition, in both time and money. As a protection measure it is the best way to ensure confidentiality, and, when the encryption is authenticated (an authenticated cipher mode, or a message authentication code alongside the cipher), it also detects unauthorized modification; plain encryption on its own does not stop tampering. The caveat is that a well-resourced adversary rarely attacks the mathematics: weak or poorly managed keys, flawed implementations and compromised endpoints are the realistic ways around it, so key management matters as much as the algorithm.
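As an added illustration of the confidentiality-plus-integrity point above (example code written for this page, not the author's own nor any product's), the Go program below seals a constructed sample record with AES-256-GCM before it crosses an untrusted link, then shows that flipping a single bit of the sealed message, as an on-path party might, makes the receiver reject it instead of silently accepting altered data. The key, the record contents and the function names are assumptions made for the example; in a real deployment the key would be provisioned out of band.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext under a 32-byte key with AES-256-GCM and returns
// nonce||ciphertext||tag. GCM is authenticated encryption: the tag lets the
// receiver detect any modification made in transit, which a bare cipher cannot.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving the wire format nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It fails closed: if any bit of the message changed in
// transit, the tag check fails and no plaintext is returned.
func Open(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(msg) < ns+gcm.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	return gcm.Open(nil, msg[:ns], msg[ns:], nil)
}

// TamperDetected simulates an on-path modification (one flipped bit in the
// middle of the sealed message) and reports whether Open rejected it.
func TamperDetected(key, sealed []byte) bool {
	flipped := append([]byte(nil), sealed...)
	flipped[len(flipped)/2] ^= 0x01
	_, err := Open(key, flipped)
	return err != nil
}

func main() {
	// Assumption: a 32-byte key shared with the receiver out of band.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record standing in for a sensitive business transmission.
	record := []byte("ACCT=12345; BAL=42000.00; NOTE=confidential")

	sealed, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	opened, err := Open(key, sealed)
	fmt.Printf("round trip ok: %v\n", err == nil && bytes.Equal(record, opened))
	fmt.Printf("tampering detected: %v\n", TamperDetected(key, sealed))
}
```

The same property holds whichever part of the message is altered: the nonce, the ciphertext and the tag are all bound together by the tag check, so a modified record never reaches the application as valid data.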
Given how much protection it provides, it is surprising that at least half of Canadian businesses do not use data encryption (according to a recent study by research firm Phoenix of 1,066 Canadian businesses).
Despite the serious implications of broad-based internet spying, the resulting benefit of public awareness is immeasurable. By taking these simple steps to protect sensitive commercial data, Canadian businesses can bring these benefits in-house and reduce the serious risks associated with unauthorized information disclosure. Whether or not anyone's watching, good data practices make good business sense.