Thoughts on an EU based internet

Posted by Tom Colvin (CTO), 11 Mar 2014
The German Chancellor, Angela Merkel, has publicly lent her support to the idea of creating a cluster of centralised EU networks in order to keep data safe from US spies.

News published regarding the alleged phone hacking scandal between the Chancellor and the US National Security Agency reports that she may have had her Blackberry tapped by NSA spies for up to ten years. Chancellor Merkel, who has been Chancellor since 2005, has seemingly developed a personal interest in removing the NSA from Europe, leading her to push negotiations for a so-called ‘privacy regulation’, that is, a uniform standard of data protection in Europe.

Due to vague wording within the US Patriot Act, specifically section 215, which grants the NSA permission to collect all ‘relevant’ call data and telephone numbers (a term Congress has largely left undefined) to ensure national security, EU civil and government data has become increasingly susceptible to interception by NSA agents.

US access to foreign data is also partly enabled by the Foreign Intelligence Surveillance Act (FISA), which provides agencies like the NSA with a wide range of cross-border powers for counter-terrorism efforts.

During the Chancellor’s podcast on the 15th February 2014, she states: "We'll talk, above all, about which European suppliers we have that provide security for the citizens that they need not cross the Atlantic with their emails and other things, but we can also build communications networks within Europe."

This is an action that we at Conseal Security wholeheartedly agree with – we would even press the Chancellor to consider investigating a list of EU suppliers who can assist the German and other member state governments on this matter.

We would recommend the establishment of a list of trusted vendors and suppliers specialising in controlled encryption in order to safeguard EU data from getting into the wrong hands.

The sheer power of the US Patriot Act and all of its vestiges poses a problem for foreign governments. In such a data-centric society, it is becoming increasingly difficult to secure international data from prying eyes.

Tensions have grown between the EU and US since the inception of the Patriot Act by George W. Bush in 2001. Some twelve years later, the extent to which European communications are monitored by the US has come under greater scrutiny, in light of documents exposed by NSA whistleblower, Edward Snowden.

In January, the European Parliament’s Civil Liberties Committee issued a report which questioned whether US surveillance activities were actually good for international security, suggesting they were instead tools for “political and economic espionage.”

At Conseal Security, our job is to provide a channel for our clients to secure the data they own and wish to send to others. We agree with Angela Merkel’s concerns on this matter, and her concept of a centralised internet is very persuasive, but, like Merkel, we recognise it is fraught with issues.

Perhaps the most interesting point, which remains to be seen, is how American-based companies operating to a large extent across the globe respond to these measures. The European Parliament’s Civil Liberties Committee has called for greater scrutiny of the data privacy practices of American internet companies, such as Apple, Facebook, Google, and Microsoft.

Ensuring the safety of civil and governmental communications, including the emails, text messages, voice calls and general internet habits of EU citizens, is vital to protecting civil liberty and respecting the privacy to which each individual is entitled.

By utilising a network of trusted EU-based partners specialising in controlled encryption, which have no ties or data storage in the US, the Chancellor can begin to push back against the dark Orwellian future that acts such as FISA foreshadow.

The real cost of a data breach

Posted by Tom Colvin (CTO), 5 Mar 2014
Following recent news that three major South Korean credit issuers have been suspended by the country’s financial watchdog due to a massive data breach, this blog will look into the real cost to business of a data breach.

For the 6th year running the average UK data breach cost has risen – this time by 16.5%, from £1.75m to £2.04m in 2013. As a result, the danger of a breach is back on the agenda for most data-centric organisations. According to the latest research by Symantec Corp. and the Ponemon Institute in the 2013 Cost of Data Breach Study, the average UK firm could be liable for costs of over £2 million should it fall victim to employee negligence or malicious attacks.

The prospect of private customer data getting into the wrong hands is becoming an increasingly concerning reality for many organisations across the UK and abroad. The costs involved in protecting data from a breach are not insignificant, but should a breach occur, the bill can be much larger.

Recent discussions have seen EU Justice Commissioner, Viviane Reding, push for much tougher fines for institutions breaching EU data privacy laws. She is quoted as saying that under her new plans for privacy failings, Google would owe $1bn for breaking Spanish data protection laws.

So with governmental and regulatory pressure, along with rising costs, the heat is on organisations to protect vulnerable databases and educate employees in safeguarding vital data from catastrophe.

According to the report, the most costly data breaches are those that are malicious and criminal in nature, as with the recent South Korean breaches - where it is believed a temporary employee of the KCB stole data via a USB stick and sold the information to phone marketers.

Across all nine countries covered by the research, malicious and criminal attacks are a key factor in 34% of all cases surveyed. The number of breached records per incident averaged 23,647, with German and US companies having the most costly breaches at $199 and $188 per record, respectively. Organisations most susceptible to data breaches include those in the financial, pharmaceutical and communications industries, partly due to the sheer amount of data these industries hold.

However, it is concerning that employee negligence continues to be the most common cause of data loss. This involves anything from employees losing devices containing confidential information to failing to adhere to best practice and secure data as it is received by the business. With employees increasingly exploiting the trend of BYOD, and with data being transferred unsecured across the internet, lost on USB or other portable devices, or misplaced within personal devices, it is vital that any incident response plan accounts for these types of external mishaps in addition to the protection of internal data.

The on-going costs related to business reputation are also considerable. The study reveals that fewer customers are remaining loyal to businesses that have been the subject of a breach which resulted in a loss of information. Increasingly, companies dealing with a previously ‘breached’ organisation are taking their business elsewhere.

It is therefore critical that businesses take the appropriate measures to reduce the impact of potential breaches - including training employees and having an incident response plan in place should anything untoward occur. Implementing these measures well in advance will reduce the cost to the business in the long run.