Government data leaks, enterprise fallout: IT security and the NSA Prism scandal

The National Security Agency (NSA) might be an American institution, but the fallout over its recent data leak also has international implications. In the UK, businesses initially reacted to the content of the leaked data, as the US PRISM programme raises questions for companies around the world that store their data with American cloud providers. Perhaps of even greater concern, however, is the fact that one of the world's premier security agencies failed to effectively secure its own data. With NSA repercussions still evolving, and with the recent revelation that the Serious Fraud Office (SFO) in the UK has had its own data loss disaster, enterprise IT leaders have to ask themselves: If governments can't secure their critical data, how can businesses?

A question of privacy in the cloud

When Edward Snowden, a contract worker, walked off with untold numbers of NSA documents stashed on an unsanctioned flash drive, he tipped off the world about PRISM. The disclosure of the American data collection programme clearly got the attention of UK businesses and individuals, particularly once it was revealed that the NSA was sharing its data with the UK Government Communications Headquarters (GCHQ), essentially opening the door to sanctioned spying on British citizens.

The Guardian recently reported that US cloud businesses could lose between 10 per cent and 20 per cent of the international market now that companies are spooked about the potential for US government surveillance. A survey conducted by the Cloud Security Alliance, an American group, found that 56 per cent of those surveyed outside of the US consider themselves "less likely" to use American cloud computing services because of the PRISM programme. That could be a boon to UK businesses as they pick up former Google and Amazon Web Services clients. However, the problem for British IT teams goes beyond whether they should entrust their data to Google, Amazon or a host of other companies, including Verizon, Apple and Microsoft.

Public sector lessons for private enterprises

The NSA is not alone on the world stage for its inability to secure its own data. More recently, the UK's SFO accidentally sent more than 32,000 pieces of data related to the BAE Systems corruption case to the wrong party. The SFO's data loss, which took place in 2012 and was discovered this spring, was a debacle that Labour's Shadow Attorney General Emily Thornberry reportedly called "government incompetence of the first magnitude."

All of these threats to data security might seem unrelated: there is the PRISM programme, which monitors data with the help of American tech companies; there are the Edward Snowdens of the world, who steal sensitive information, hand it over to the media, and cause enormous trouble for their employers; and there are the employees who, due to human fallibility or ineptitude, accidentally send information to the wrong recipients. These might be three different kinds of security threats, but they point to one solution for government agencies, as well as for enterprise IT teams.

Protecting data at the file level

Government agencies should heed the best practices of private enterprises, which are increasingly wrapping data protection around individual files, rather than futilely trying to lock down thumb drives, mobile devices, email accounts and other free-flowing channels. File-level security is the only way to protect data as it travels between employees, partners, customers and others. When the security is attached to the file itself, IT retains the ability to limit sharing and printing or revoke access if necessary, even when the document at risk has been shared outside the organisation or distributed via the cloud.

The NSA and SFO data leaks have the attention of the press, but the day-to-day data loss threats facing enterprises can be just as damaging to businesses. Documents can disappear via commercial-grade cloud services. Files can fall into the wrong hands when an employee's smartphone is stolen. A staffer can unknowingly attach sensitive information to an email and hit send. The risks to proprietary data are many, but the solution is singular: to protect data regardless of where it travels, IT needs to approach security on a file-by-file basis.

Moti Rafalin is the co-founder and CEO of WatchDox, a provider of secure access, file sync and collaboration solutions that enable the confidential sharing of important or sensitive documents.