Social networking has enhanced collaboration for many companies, but it creates a risk of employees sharing intellectual property or other strategically important company information with outsiders. This places an increased burden on strategically aligned CSOs, who must balance the need for security with business goals and objectives.
The Global State of Information Security survey, produced by PricewaterhouseCoopers in conjunction with CIO magazine, demonstrated a growing concern over the risks associated with social networking. While monitoring technologies can help within the company borders, access to social networking sites such as Facebook, Twitter, and Myspace falls clearly outside the watchful eye of security technology.
This then becomes a cultural issue, tackled primarily with user education and security awareness programs that emphasize that information posted on social networks is in the public domain.
Bill Brenner, Senior Editor with CSO Magazine published the “Seven Deadly Sins of Social Networking Security” back in June of 2009. Brenner lists these social networking sins as follows:
1. Over-sharing company activities
2. Mixing personal with professional
3. Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage
4. Believing he/she who dies with the most connections wins
5. Password sloth
6. Trigger finger (clicking everything, especially on Facebook)
7. Endangering yourself and others.
While social media is a fantastic method to share information and collaborate, it’s important to consider the content of what you’re posting to avoid putting your company and, more importantly, yourself at risk. Remember the final 5 tweets of Harold Wigginbottom, Tech-Savvy CEO:

CSO Magazine, May 27, 2009
Help your employees. Help yourself.
Richard Power wrote an article for CSO Online entitled “Red Pill? Blue Pill? Ruminations on the Intersection of Inner Space and Cyber Space”. It ties into the psychology of information security and how the shifting attitudes regarding privacy and security require a different approach to information security. Power writes:
There is a generational shift in regard to security and privacy. The young workers of today have grown up in a world of failed security and vanishing privacy. If you try to reach these 21st Century psyches with a 20th Century security message — you will not reach them, and you will not be heard.
The way information security is addressed must evolve to keep up with the changing viewpoints of the “new workforce”. If the change is not apparent, consider the way communication has changed over the last few decades.
Face-to-face meetings -> phone-calls -> e-mail -> text message -> social media
Different generations have different preferences in the way information is communicated to them. While the way to get a message across has always depended on the audience, we seem to forget that concept in the information security world. In an environment where adapting to change is essential to protecting information assets, it’s amazing that we seem rooted in the way we deliver the security message. We must be better at communicating the value of security in terms and context that are important to the “receiver”.
The bottom line is that information security is a collective effort. We simply cannot afford to lose the message in transit because of a rigid approach to communication.
Be passionate. Be open. Be clear. Be agile.
Let’s look at a very simple risk equation:
Risk = Threat x Vulnerability
Now let’s apply that formula to a disgruntled employee. You have an angry employee (threat) who has access to sensitive company information based on their role in the organization (vulnerability). The combination of these two creates a situation where sensitive information, say the “secret recipe”, can potentially be disclosed to competitors (risk). This could have very serious consequences to your competitive advantage, your shareholders, your market share, etc.
The typical security response is to deploy preventive, detective, and corrective controls that hopefully reduce the risk by mitigating the threat and/or the vulnerability. Most often, the controls lean heavily towards detection, which is an after-the-fact, reactive response to the problem. I believe the root cause of this issue lies with the management of an organization rather than the employee. Here’s why.
I’ve yet to see a person start a new job saying “this place sucks” or “I hate it here”. Instead, these new employees are often the most enthusiastic and engaged members of your workforce. Something has to occur that shifts this positive behavior to disengaged and/or destructive action. Something changes the attitude of the employee. I contend that it is the systems developed by management that are responsible for the growth and development of disgruntled behavior in the workplace.
Systems for employee review are often filled with hidden agendas and surprises designed to “put the employee in their place”. Systems are designed to punish failure by taking power away from “empowered” employees who didn’t meet performance expectations (that probably weren’t defined well anyway). Systems are designed to give responsibility but no authority to act. It is these types of unfortunately common management systems that set the stage for the development of disgruntled employees.
So, doesn’t it make sense to mitigate or eliminate the risk associated with the disgruntled employee threat by fixing the systems that spawn that type of dissatisfaction? I’m by no means saying that employees rule the roost or that you won’t have an employee unhappy over a disagreement. What I am saying is that treating employees fairly, enabling them to be successful, helping them learn from mistakes rather than punishing them, and creating an environment where ideas are freely discussed without fear will go a long way toward eliminating this threat to information security.
Remember the equation:
Risk = Threat x Vulnerability
Without the threat, there is no risk.
The regulatory environment overseeing the protection of sensitive information is incredibly crowded. Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), the Health Insurance Portability and Accountability Act (HIPAA), HITECH, Red Flags, the Payment Card Industry Data Security Standard (PCI-DSS), and a host of state laws and audit guidelines seem to provide the Fort Knox of IT risk management, if only organizations would comply. The reality is that the complexity and costs of compliance may be a contributing factor in the overall risk management failings that appear above the fold in your local newspaper.
While large companies are better equipped to deal with the additional costs for infrastructure, tools, staff, auditors, and third-party vulnerability scanners, small or medium-sized businesses can quickly become stretched to the point of ineffective security. There may be some paralysis when deciphering multiple regulatory obligations that often overlap or even conflict. There are opportunity costs when small business executives spend more time dealing with compliance issues than dealing with business strategy.
The solution is not to avoid regulatory obligations. The solution is to better manage information security and deploy best practices as simply part of the organizational culture. The way to get there isn’t to go through check boxes for every compliance item that comes your way. That will drive any person insane and lead to a tangled mess of interwoven security policies, procedures, technologies, etc. What I believe is a more effective approach to compliance is the implementation of an information security management system following a framework such as ISO 27001/27002. Many of the controls within 27002 align with the requirements of many of the compliance items, so building a consolidated program based on a series of best practices will help meet compliance obligations.
ISO 27001/27002 is simply a framework that defines a security code of practice and best practices across twelve areas. These include: risk assessment, security policy, governance, asset management, human resources, physical and environmental security, communications and operations, access control, acquisition, development and maintenance, incident management, business continuity, and compliance. Pay particular attention to the last one and note that compliance is just one piece of the framework of best practices. This leads back to a previous post: risk management and information security must go beyond the simple yes-or-no check boxes of regulatory compliance in order to be effective.
The ability to protect sensitive information is a process that requires ongoing care and feeding in order to protect against the expensive financial and reputational damages of a breach. Using a framework such as ISO 27001/27002 provides a consistent baseline against which to measure and certify. This minimizes confusion and complexity and goes a long way toward achieving compliance across a wide array of regulatory requirements while effectively using both technical and human resources to maximize benefit and reduce unnecessary cost.
An audit of cybersecurity for DHS’ nine most frequently visited Web sites found that although general security protocols were followed, there were still a number of vulnerabilities and gaps in security, including inconsistent management of security patching and security assessments. Lipowicz, Alice. “DHS Web sites vulnerable to hackers, IG says”, Federal Computer Week, 09Oct2009.
It is almost hard to comprehend that even after years of pounding the message of “patch your systems”, unpatched systems are still making headlines. I can picture some internal servers running legacy applications that fail if the latest O/S patches are applied being kept off of a patch management system, but simple internet-facing web servers? This report is especially egregious considering these systems are managed by DHS.
Beyond the issue of patch management is the use of regular vulnerability assessments as part of an overall risk management program. The two questions I like to ask are 1) Are your systems up to date? and 2) How do you know? Just as there are a number of patch management programs available, there are also a number of vulnerability scanning tools. I’ve used several, and many do a good job at pointing out glaring (and not so glaring) problems.
The real trick to vulnerability scanning tools is using the information to fix problems when they are found. If you aren’t going to do anything with the information, then why even bother? If available, use the help desk and log a ticket. Notify the department head and schedule a meeting to discuss the timeline for remediation. If the system is incapable of supporting a patch due to application incompatibilities, look at compensating controls to at least reduce the exposure. The very worst thing that can be done is to sit on the information. Information is only valuable if it drives action. So, take action, but do so as a partner, not as a dictator.
October is National Cyber Security Awareness Month. Unfortunately, only a fraction of business and community leaders know that such a labeled month exists. How can the message of information security be considered important if those in positions of influence do not support, sponsor, or encourage that message?
I just went out to the White House web site. Not even a link to the DHS site that relates to National Cyber Security Awareness month. I guess this lack of executive level support for information security, as evidenced by the still unfilled National CyberSecurity position, is contagious.
Heck, maybe the US Congress might post something in regard to this month. Nope. Nothing on either the House or the Senate page.
In your organization, is there any awareness effort whatsoever done in collaboration with this month-long focus on cyber security? Why not? Is there no desire to develop appropriate security-conscious behavior within our workforce? Is there no value in focusing attention on the protection of the personally identifiable information that customers have entrusted us with? Does security only matter after a breach? Are reactive measures the best we can do?
There are a number of organizations and websites that have taken an active role in spreading the word during this Cyber Security Month. Kudos to them. Their efforts are clearly needed and appreciated by those who take information security seriously. While the technical side of security is certainly well illustrated, we need to do a better job of driving the message into the non-technical, business-minded side of the house. We need to drive home identity protection to our school children so that information security is a habit, not a chore, and something that is carried with them into their future careers and endeavors.
When we can walk down the street and see banners related to National Cyber Security Month, when television programming starts with security reminders, when there are news segments throughout the month related to different aspects of information security, and when security is part of the school curriculum wherever computers and technology are used, then perhaps this whole National Cyber Security Month will have found its place. I hope we someday get there.