Social Networking – “Loose Tweets Sink Fleets”

Social networking has enhanced collaboration for many companies, but it creates a risk of employees sharing intellectual property or other strategically important company information with outsiders.  This places an increased burden on strategically aligned CSOs, who must balance the need for security with business goals and objectives.

The Global State of Information Security survey, produced by PricewaterhouseCoopers in conjunction with CIO magazine, demonstrated a growing concern over the risks associated with social networking.  While monitoring technologies can help within the company borders, access to social networking sites such as Facebook, Twitter, and Myspace falls clearly outside the watchful eye of security technology.

This then becomes a cultural issue, tackled primarily with user education and security awareness programs that emphasize that information posted on social networks is effectively public.

Bill Brenner, Senior Editor with CSO Magazine, published the “Seven Deadly Sins of Social Networking Security” back in June of 2009.  Brenner lists these social networking sins as follows:

1.  Over-sharing company activities

2.  Mixing personal with professional

3.  Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage

4.  Believing he/she who dies with the most connections wins

5.  Password sloth

6.  Trigger finger (clicking everything, especially on Facebook)

7.  Endangering yourself and others.

While social media is a fantastic method to share information and collaborate, it’s important to consider the content of what you’re posting to avoid risking your company and, more importantly, yourself.  Remember the final 5 tweets of Harold Wigginbottom, Tech-Savvy CEO:

CSO Magazine, May 27, 2009

Help your employees.  Help yourself.

Evolving the Security Message

Richard Power wrote an article for CSO Online entitled “Red Pill?  Blue Pill?  Ruminations on the Intersection of Inner Space and Cyber Space”.  It ties into the psychology of information security and how shifting attitudes regarding privacy and security require a different approach to information security.  Power writes:

There is a generational shift in regard to security and privacy. The young workers of today have grown up in a world of failed security and vanishing privacy. If you try to reach these 21st Century psyches with a 20th Century security message — you will not reach them, and you will not be heard.

The way information security is addressed must evolve to keep up with the changing viewpoints of the “new workforce”.  If the change is not apparent, consider the way communication has changed over the last few decades.

Face-to-face meetings -> phone-calls -> e-mail -> text message -> social media

Different generations have different preferences in the way information is communicated to them.  While the way to get a message across has always depended on the audience, we seem to forget that concept in the information security world.  In an environment where adapting to change is essential to protecting information assets, it’s amazing that we seem rooted in the way we deliver the security message.  We must be better at communicating the value of security in terms and context that are important to the “receiver”.

The bottom line is that information security is a collective effort.  We simply cannot afford to lose the message in transit because of a rigid approach to communication.

Be passionate.  Be open.  Be clear.  Be agile.

Cyber Security Awareness Month

October is National Cyber Security Awareness Month.  Unfortunately, only a fraction of business and community leaders know that such a month exists.  How can the message of information security be considered important if those in positions of influence do not support, sponsor, or encourage that message?

I just went out to the White House web site.  Not even a link to the DHS site that relates to National Cyber Security Awareness month.  I guess this lack of executive level support for information security, as evidenced by the still unfilled National CyberSecurity position, is contagious.

Heck, maybe the US Congress will post something in regard to this month.  Nope.  Nothing on either the House or the Senate page.

In your organization, is there any awareness effort whatsoever done in collaboration with this month-long focus on cyber security?  Why not?  Is there no desire to develop appropriate security-conscious behavior within our workforce?  Is there no value in focusing attention on the protection of the personally identifiable information that customers have entrusted to us?  Does security only matter after a breach?  Are reactive measures the best we can do?

There are a number of organizations and websites that have taken an active role in spreading the word during this Cyber Security Month.  Kudos to them.  Their efforts are clearly needed and appreciated by those who take information security seriously.  While the technical side of security is certainly well illustrated, we need to do a better job of driving the message into the non-technical, business-minded side of the house.  We need to drive home identity protection to our school children so that information security becomes a habit, not a chore, and something they carry with them into their future careers and endeavors.

When we can walk down the street and see banners related to National Cyber Security Month, when television programming starts with security reminders, when there are news segments throughout the month related to different aspects of information security, when security is part of the curriculum whenever schools teach computers and technology, then perhaps this whole National Cyber Security Month will have found its place.  I hope we someday get there.