Your global business partners may not have the same network security concerns you have - if they have any at all. On a recent 10-day sojourn in Eastern Europe, I learned a great deal about that region's take on security. It is definitely not the same as ours.
You may remember the security industry of the late 1980s: Security? Who needs it? There are no problems. We are having enough trouble getting money to buy computers and hoping they work.
That's close to the Russian and East European views. Then add the Wild West component - not the Internet version, but the Wild West that is emerging economies whose first and foremost goal is merely to survive. Security does not contribute to the bottom line and is therefore secondary, tertiary and otherwise way down the list. Does this sound like us 20 years ago?
Wireless Internet access is something we complain about every time we can't acquire a signal instantly or get it for free. As a culture we have come to believe that unlimited bandwidth is an entitlement, and Western businesses accommodate us by offering free wireless for overpriced coffee or cholesterol-laden burgers.
In Moscow, I walked into the airport Hilton hotel that was undergoing a minor remodeling of the lobby. They told me, "Sorry, nyet Internet, we are doing a major remodel." I had to hop a cab to the nearest motel - anything with Internet access.
You can buy Internet access, sometimes for $38 a day, once you hand over your passport. At the club next to my hotel, they charged too much for beer, but I got free wireless. I poked around My Network Neighborhood: no security, no MAC filtering, no crypto - but tons of connections to the networks in the office building above the club. The wireless router was hanging on a subnetwork of a car dealership, which was piggybacked on the backbone of the office complex, the bank and a casino. No passwords. I am not familiar with the local Russian laws on computer trespassing, but I had learned enough. The concept of glasnost clearly has been extended to cyberspace.
At the security conference I was attending, I asked someone if there was an identity theft problem in Russia. "Oh, yes, very serious," he said.
When I asked what they do about it, he shrugged. "What's to do? Anyone can buy anything, anyway. Why should I care?" Information - private, corporate and state - is an openly traded commodity. When he told me he worked at a bank, I asked whether he had ever sold private customer data. "Of course," he replied. "I have to pay the rent."
And so it went, person after person. Not the executives, but at the worker echelon of the banking industry, it was definitely a "me first, me second and me third" attitude. The thinking is, if someone wants it, they're going to get it anyway, so why waste time and money trying to protect it? It's tough for me to wrap my head around this as I realize how many U.S.-headquartered banks and other multinationals rely on the coordinated trust and security supposedly offered by foreign partners.
I saw countless examples of an entirely different security thought process than we are used to, one that sets the stage for major security problems. The Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act are U.S. rules. The Eastern European attitude is, sure, we're supposed to comply. We check the box.
What can we do about this? A few suggestions come to mind.
Global business partners should strictly comply with U.S. governance, especially in the handling of personal information. Take a look at how European Privacy Commission monitoring and enforcement work. Consider sanitizing partners' information by restricting access to data fields that would be targets of identity thieves.
Maintain databases as locally as possible, with at least one level of administrative oversight. Above all, be keenly aware that in other parts of the world, the data and information we consider sacrosanct is merely a stream of bits for sale to the highest bidder. Govern your networks accordingly.