Chris Evans of Foreshore considers how, regardless of the sustained attacks on ‘privacy’, a structured approach to information security is still the best way to keep corporate information private.
"Privacy is dead; get over it". Whilst there's some dispute over whether Scott McNealy, the founder of Sun Microsystems and a pioneer in computer networks, ever actually made this throwaway comment, it does rather succinctly sum up what many people feel in the age of Facebook and the ubiquitous surveillance camera.
The demise of privacy has been proclaimed on many occasions in the past, and it's fair to say that it seems to be under a sustained attack from different quarters at present. The recent Wikileaks disclosures and the frequent stories in the media of banking or government records going astray certainly reinforce the view that the age of privacy is dead or dying.
Certainly, both the ‘means’ and the ‘ends’ are being challenged. Rapid developments in technology are most often blamed for undermining the 'means' as information today is recorded in a fashion that is easy and cheap to store, duplicate and disseminate. And despite the exponential growth in the volume of business information, these processes are getting even easier and cheaper to the point that copying and communicating data has become commonplace and is an unconscious activity for many people.
The drive to increase global transparency is ramping up the pressure on the ‘ends’ or objectives of privacy. Consider how in banking and financial services the term ‘privacy’ has become a dirty word with the inference that it’s synonymous with concealment. Many companies involved in wealth management and professional services now prefer to use the term ‘confidentiality’ to describe their duty of care relating to personal or corporate client data, to avoid the stigma associated with ‘privacy’.
I am of the view that whilst privacy is going through challenging times it’s alive and well and, in business and in our personal lives, there is still a real need for it. Despite the growing threats to privacy, a structured approach to information security is still the best way to ensure that corporate information that is meant to be private is kept that way.
In the media we really only hear about security when it fails. Politicians and the media unwittingly distort the issue because they both have an agenda of provoking an emotional response. However, those in business have to evaluate the statistical risks and deal with them rationally. Failure to do so can lead to assumptions on risk that result in totally unnecessary precautions at one end of the spectrum to potentially reckless behaviour at the other.
However, to blame developments in technology for the perceived continuous erosion of privacy really misses the point and is equivalent to shooting the messenger. This is because a lot of people wrongly concentrate on the tools and methods employed in protecting (or attacking) security rather than those who are employing them. Simply put, people not technology, represent the bigger security threat and that is where the attention for mitigating risk should be focused.
A principal of a business once said to me that he was relaxed about the intrinsic security of sending client confidential matters by email because he knew that all the text in an email was converted to electrical pulses when it was sent and was therefore (in his opinion) indecipherable to all but the intended recipient. He couldn’t have been more mistaken. In fact an email sent over the internet is akin to sending a post card that is photocopied by every single entity that handles it on its journey. Ignorance of the risks is a significant factor of poor security.
Not surprisingly many security breaches are down to humans and most generally - insiders. A survey undertaken in 2008 by PricewaterhouseCoopers on behalf of the UK government department of Business, Enterprise and Regulatory Reform (BERR) stated that “32 per cent of information security attacks originated from internal employees while 28 per cent came from ex-employees and partners…. similarly, law enforcement experts in Europe and the US estimate that over 50 per cent of breaches result from employees misusing access privileges, whether maliciously or unwittingly.”
Sometimes the human failings are intentional, such as whistle blowers and those who are operating to another paymaster's agenda such as in the well-publicised case of alleged tax evasion by a major Swiss bank. More often these failings are due to negligence, lack of understanding of the issues or the poor implementation (or absence) of a security policy. Effective policy remains the single most potent tool for the protection of privacy and this is unlikely to change in the near future.
New developments in technology will continue to shift the balance of power regarding the safekeeping of data. For example easy data proliferation clearly increases the risk of inadvertent disclosure. It is not difficult to imagine an email with a highly confidential document attached being accidently sent to the wrong recipient, something that really couldn’t have happened very easily when all correspondence was executed on paper. The technology makes it possible but someone has to make it happen.
Easy proliferation can in fact increase the security of information when combined with techniques that can virtually guarantee that vital digital information cannot be lost or destroyed, such as encryption or techniques designed to render the data anonymous. Both of these are much more easily achieved on electronic data than with physical paper records and can render the data meaningless in the event of unauthorised or inadvertent disclosure. Interestingly this technique appears to have been used by Wikileaks, as a form of insurance, where an encrypted file has been distributed around the internet and exists in thousands of instances. Once the key to decrypt the file is in the public domain, any attempts to block the publishing of the contents will be futile.
The truly surprising, if not shocking, aspect of the Wikileaks revelations (if the press reports are accurate) regarding the US diplomatic cables wasn't the content, much of which could have been reasonably assumed, but the sheer numbers of people to whom so much classified information seems to have been made available. Security and availability are at opposite ends of the scale. The more you want of one, the less you get of the other. It is the classic trade off as Bruce Schneier, a highly respected security expert, describes it: “Security is a trade-off … we get security by giving something up: money, time, convenience, capabilities, liberties, etc. Sometimes we make these trade-offs consciously, and sometimes we make them unconsciously.”
As the disclosure of confidential information becomes a more common and potentially more profitable practice, businesses must enforce policy internally and scrutinise third party suppliers to ensure that the privacy of data is upheld. Data should be valued like money – in fact it should be more highly valued because permanently lost data cannot be as easily written off or earned again. Furthermore data, whilst valuable in the right hands, can be positively toxic in the wrong ones.
The need for responsible data handling is commonly addressed by the use of ‘best practice’ guidelines that are designed to ensure compliance with specific laws and regulations relating to data management. One downside of this approach is that it is mechanistic and is often treated by those who are responsible for policy enforcement as a ‘box ticking’ exercise. A better approach is to get the best practices embedded within the culture of daily working procedures. As trite as it sounds, information security is often described as a journey not a destination. An even more innovative approach is to use effective information security as an actual business driver or even a competitive differentiator, which turns security from a compliance obligation into a core competency.
The future involves businesses having to handle ever-increasing volumes of sensitive data, stored in a greater variety of physical locations. The increasing trend of buying computing resources as a utility from a remote service provider, often referred to as ‘Cloud’ these days, is a boon to business as it brings many advantages, such as lower resource and infrastructure costs. However, many still feel that the security of private data can be less well guaranteed in the hands of a third party because that is the natural emotional response.
Ironically it is likely to be safer in the hands of a competent third party because, in order to generate the required level of trust, third party suppliers invite rigorous examination of their business, systems and procedures and inevitably provide a more formal relationship than anything that is likely to exist within an organisation where core business priorities often (wrongly) take precedence over the protection of data.
Businesses with effective security policies have well defined data protection objectives, they have moved away from IT systems protection because the boundaries have become less distinct and they concentrate on protecting sensitive data irrespective of its location or the type of system used to process or store it.
Reputations take decades to build and seconds to destroy. Savvy CEOs recognise that the security of data and the guarantee of client confidentiality have direct implications on the bottom line and therefore belong high on the business agenda, not just in the IT department.
Chris Evans
Chris Evans is the CEO of Foreshore, a Channel Islands based Internet services company that provides secure hosting, email and data storage solutions to financial services companies worldwide.