In simple terms, the answer to the question of how the Snowden revelations about the National Security Agency (NSA) and GCHQ should influence future information security strategies in the UK is: not at all.
Information security strategy should be implemented after a properly scoped risk assessment. The appropriate level of response and risk mitigation can then be put in place.
Businesses which consider the NSA and GCHQ to be a threat will also be aware that many software corporations, such as Cisco, have already stated that these security organisations can penetrate their commercial software, so any attempt to keep them out would be an exercise in futility anyway.
The NSA and GCHQ have a mandate to carry out their activities, and any business that has commerce with the government will have had to submit its code to GCHQ for approval anyway, so it is folly to think GCHQ will not know how to access it in future if required.
According to the Ponemon Institute, 78% of organisations have experienced a breach due to negligent or malicious employees. This seems to me a far better place to start when considering the threat sources on which to base an information security strategy. It becomes even more important when you realise the same research also concludes that only 19% of employees came forward and reported a breach.
As for the question of open source acting as reassurance to software suppliers, I am not convinced. All software carries a risk. Any software needs to be procured appropriately, and installed and maintained securely. Yes, the back doors are closed early on open source, but on the other hand it is also wide open to developers, so its vulnerabilities are well known.
Moving on to encryption, there is evidence to suggest that encryption is already seeing growth in take-up, rising from 25% to 29% of businesses with an encryption policy across the enterprise (Thales Ponemon Survey 2012).
This is unlikely to be due to the NSA or GCHQ revelations; it is more likely that businesses are using it as part of an overarching information security strategy, as suggested by their information security expert.
The danger here is that employees who have not been given security awareness training will be issued encrypted devices and, because they have been told their device is encrypted, will assume it is entirely secure 100% of the time, which of course is not the case.
Encryption is not the solution to security; it is part of the solution and always has been. So an employee who does not realise that their device is, in effect, only encrypted when it is switched off may still have very poor security habits, such as leaving a laptop logged on with the lid down, thinking the data is secure because it is magically encrypted.
So encryption is a good idea, and take-up will continue to grow, but educate your people, for they are your biggest threat.
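The lid-down laptop above is a configuration problem as much as a training one: whether closing the lid actually evicts the disk-encryption key from memory depends on what the machine does on lid close. The following is an added example, not from the article, that checks this on a Linux laptop using systemd-logind; it assumes the host reads `/etc/systemd/logind.conf`, and the sample configurations are constructed for the demonstration.

```python
"""Report whether a logind lid-close action evicts full-disk-encryption keys.

Assumption: the laptop uses systemd-logind, where HandleLidSwitch= in
/etc/systemd/logind.conf decides the lid action. suspend, ignore and lock
keep the unlocked volume key resident in RAM; hibernate, poweroff, halt and
kexec do not (hibernate only if the image itself lands on encrypted swap).
"""
import re

# Actions after which the decrypted volume key is no longer in RAM.
SAFE_ACTIONS = {"hibernate", "poweroff", "halt", "kexec"}
# logind's documented default when HandleLidSwitch= is absent or commented out.
DEFAULT_ACTION = "suspend"


def lid_action(config_text):
    """Return the effective HandleLidSwitch= value from logind.conf text.

    Comment lines ('#' or ';') and blank lines are skipped, the last
    assignment wins, and a missing key falls back to logind's default.
    """
    action = DEFAULT_ACTION
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"HandleLidSwitch\s*=\s*(\S+)", line)
        if m:
            action = m.group(1).lower()
    return action


def keys_evicted_on_lid_close(config_text):
    """True if closing the lid leaves no disk-encryption key in memory."""
    return lid_action(config_text) in SAFE_ACTIONS


# Constructed samples: a stock file with the key commented out, and a hardened one.
SAMPLE_STOCK = "[Login]\n#HandleLidSwitch=suspend\n"
SAMPLE_HARDENED = "[Login]\nHandleLidSwitch=hibernate\n"

if __name__ == "__main__":
    for name, cfg in (("stock", SAMPLE_STOCK), ("hardened", SAMPLE_HARDENED)):
        verdict = "keys evicted" if keys_evicted_on_lid_close(cfg) else "keys stay in RAM"
        print(f"{name}: HandleLidSwitch={lid_action(cfg)} -> {verdict}")
```

On a real host, pass the contents of `/etc/systemd/logind.conf` (and any drop-ins under `logind.conf.d`) to `keys_evicted_on_lid_close` as part of a device-baseline check.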
If you genuinely feel your business is under threat by outside government agencies, then you need high-end security, not general, commercially available software.
In these budget-tightened times, why spend large sums of money on high-end technology when, in real threat terms, you will get a much better result by spending a fraction of that on some decent training for staff?
Mike Gillespie is director of cyber research and security at the Security Institute.
This was first published in January 2014