That said, Wilcox-O'Hearn believes that companies should also be concerned about other actors spying on them. Those could include law enforcement, military and intelligence organizations from other countries, as well as organized crime gangs or corrupt employees of telecommunication companies and ISPs, he said.
Banks and other financial organizations, as well as companies from the telecommunications industry, that handle very sensitive data usually prefer to keep it on their servers, under their control, primarily because they need to meet regulatory compliance and can't perform security audits in the cloud, said Sergiu Zaharia, the chief operations officer at Romania-based security consultancy firm iSEC.
Such organizations use encryption to secure the traffic between their different branch offices or between customers and their publicly accessible services, but very few of them encrypt data as it travels through their internal networks, between their own servers, at least in Romania, he said.
Other companies, like small online retailers, that choose to use cloud servers to run applications and store customer data don't care too much about encryption or if they do encrypt the data, they don't care if the service provider has access to their encryption keys because they usually don't perform an advanced enough risk analysis, he said.
"All our customers have highlighted their concern with security issues, especially when it comes to services hosted in a third party location," said Dragos Manac, CEO of Appnor MSP, a provider of managed dedicated servers and cloud computing with infrastructure in both Europe and the U.S., via email. "The current Prism scandal is a major blow for governments, but it also hurts service providers."
As far as government surveillance is concerned, service providers are caught between a rock and a hard place, he said. "Not helping the authorities means you are violating the law. Helping them means you may be violating someone's rights."
There is no reason to believe that the NSA, or anyone else, can crack strong encryption algorithms that have been studied and vetted by scientists, Wilcox-O'Hearn said. "On the other hand, it is easy for a programmer or service provider to implement them incorrectly or for a user to use them incorrectly, in which case it would be possible for anyone who had access to the network traffic to read the data," he said.