Edward Snowden, The NSA, Security In The Cloud And What It Means To Your Business
Posted on Mar 06, 2014
The recent coverage of the activities of ex-CIA analyst Edward Snowden has put a spotlight on the security and risk of both business and personal data. Is he a hero or has he done damage to the national security of the Western world? Opinion differs. Some industry analysts would have you believe that the revelations about US government snooping will cost the cloud industry billions. Our CEO Hugh Scantlebury disagrees:
"According to the Information Technology & Innovation Foundation (ITIF) and analysts at Forrester, US cloud companies could lose $35bn-$45bn following the revelations that the US National Security Agency (NSA) has been accessing data on sites maintained by the likes of Microsoft, Google and Facebook.
For European providers, the revelations provided an opportunity to differentiate their offerings from US services that could potentially be compromised by the US Patriot Act, or more covert surveillance by the US authorities.
The Cloud Security Alliance, for example, found that 10% of foreign cloud industry participants had pulled out of deals with US cloud services; another 56% said they were less likely to use a US supplier.
These are worrying revelations, but stir up fears and doubts that should not affect the use of cloud accounting in the UK and Europe. Let's be realistic...
First, it is hard to believe the scale of some of the claims - unless they are engaged in extremely sensitive and potentially illegal activities, the day-to-day transactions and financial records of most businesses are not relevant to national security analysts.
"If you have done nothing wrong, you should have nothing to fear."
Governments don’t need multimillion dollar equipment to track commerce: the information is already there in statutory filings and tax returns.
What could the NSA possibly gain from checking through your accounting systems? Every business transaction involves communications between parties, and someone who did want to investigate could talk to your customers and suppliers to find out what’s going on. And when they need to, trust me, they do.
But in the wake of the PRISM affair, it is worth stepping back and asking whether your business data is really at that much risk?
In my view, cloud-based solutions continue to be lower risk than on-premise systems. Surveys suggest that 85% of all data breaches are committed by disgruntled IT people. If you don’t have such people in-house, the risks of these kinds of breaches happening to you will be reduced considerably.
And I still visit companies and accountancy practices where they have their accounts running on a PC in a back room. If that was removed, the data would be gone. But you can’t physically run off with or steal a whole data centre. And if you’re concerned about data protection, when’s the last time you saw or did something about a sticky label attached to a desk or monitor displaying the user’s password?
Data protection is covered by a number of different laws in the UK, Europe and North America, which do cover what you are holding and how you treat it. In Germany, for example, they are not comfortable with any personnel data being held outside the country’s borders. As a result, there is less activity on some social media applications. The Scandinavians have a strong privacy culture, but they are less constrained by legal restrictions on where data is held, and are much more active cloud users.
In the UK, the Data Protection Act 1988 enacted the principles that organisations holding personal data on customers should ensure the information was reliable and relevant to the purpose for which it was collected. The DPA also stipulated that data should not be transferred outside the European Union, unless the country to which it was sent maintained similar data protection levels. Under an agreement between the EU and USA, US companies will be recognised as “safe harbours” for European data if they adopt the same principles that govern data protection within the community.
Everybody in the business world has a responsibility to look after their business and personal data. If you take that responsibility seriously and do a realistic assessment of the risks you face from hackers, intrusive government agencies and disgruntled IT staff, you would conclude, like me, that being in the cloud reduces the risk for companies and individuals alike.”