> How could any business person in a sane state of mind choose to share its data with some 3rd party company?
Every company has to share its data somehow. You probably aren't your own ISP, or web host, or even landlord. Your company's health insurance provider knows all of your employees and even which ones are sick. Your employees likely have information on their phones and laptops about your company. Etc etc.
Google Apps (when you pay for it) comes with serious privacy agreements and certifications. Enough for government use even. Unless you have an amazingly competent team, I'd trust that Google is able to keep your data more secure than you are.
Not to mention proper support for two-factor authentication, which most smaller email systems don't have (especially in-house corporate setups.) Shared services can devote more resources to security because they're splitting the result over a greater number of users.
RSA has been selling such systems for years. My friend's container shipping company of 15 people has it. It really comes down to having a qualified IT person on board, rather than the availability of a technical solution.
I'd still bet on Google's security setup for its Apps customers over your friend's company. Also a consideration, Google would cost only $900 a year for 15 users, which is a considerable savings over dedicated staff.
I recommend Google Apps all the time. It's almost certainly better than what they're using now and is very good at not having problems.
There's no question such solutions have been available, but the reality is that most companies haven't implemented them.
Even if a company is aware of TFA, it's still probably cheaper and faster to get it via Google's products than implement a solution in-house using RSA, etc.
http://www.google.com/apps/intl/en/government/trust.html