April 27th, 2012 by Lloyd Gofton
For the last three days I have been at the InfoSec and Internet World shows. Fear not, this won’t be a rambling post about the joys of trade shows or living in the airless atmospheres contained within Earls Court.
This post touches on the world of Information Security and its parallels with trade show partner Internet World. Okay, I admit, on the face of it this is not the world’s most exciting topic, nor is it likely to bring much respect in the world of comms, as my past experience of being in the ‘Tech’ team of various PR agencies has proved. Back then, if you understood technology, you were one of the geeks in the corner who could fix the printer or set up an email account on your phone, but that’s about it.
Well, as we know, the tide has turned and technology in its many forms and guises is intersecting every part of our lives. This has been propelled for the most part by social media (more on that later) and mobile devices – referred to throughout the IT Security world as BYOD (Bring Your Own Device) – and anyone at InfoSec is no doubt full of stats from the many BYOD surveys available throughout the show.
At the risk of making sweeping generalisations (which I admit is a fear, as there are of course examples of social acceptance and use among security vendors), my experience over the last few days has shown that too many IT Security pros still look at social media as a risk, and not an opportunity.
On the face of it I understand why. Social media opens many points of risk to the very organisations that security companies are trying to secure. The traditional way of securing this risk is to block and control, i.e. block access to the sites in question and/or control those sites that are deemed worthy of access in the workplace.
However, this doesn’t account for human nature and that dramatically overused acronym BYOD. In short, you can tell people that they can’t do something, but if it’s easier to choose the forbidden route, you can guarantee what the outcome will be.
Having spoken to a wide range of people at both shows over the three days, my general perception was that those at Internet World weren’t very concerned by security issues, while those at InfoSec were not only concerned about the risks posed by social media and other digital channels, but in some cases were suggesting blocking, and other ways of circumventing, social communications across the board.
Let me be clear that I completely appreciate the ever-growing problem posed by cyber-criminals and the multitude of very real and escalating risks. We not only lose money to these risks on a daily basis, but also risk our IP and physical security, which is perhaps the often overlooked issue that faces our governments and industry on a daily basis. Having seen just a small portion of the realities of these threats, I completely understand the reaction of IT Security to social media. However, that doesn’t make it right or workable.
Let’s start out with that age-old argument of banning social media in the workplace. In my opinion this is not a relevant response to the equally ridiculous notion that people will spend all day on Facebook instead of working, and it’s not a viable response to prevent people from sharing data on social networks. If it’s possible, it will happen.
Therefore, if you do ban social media, you will force people onto their own devices, which will remove even more of that control that many are craving in the first place. So what’s the response? Well, it starts with a culture change, which drives a technology change.
First, the culture. Social media cannot be forgotten, ignored or banned, so deal with it as part of the overall strategy, not as something to be treated separately. Second, relying on people to use specific software or machines to access corporate information is also unrealistic, so security needs to be built into all devices, utilising security by design. Third, if we can’t ban or remove social, we need to educate people about its correct use.
Obviously sharing corporate information on Facebook is not a good idea, just like writing your password on a post-it and sticking it to your monitor is not a good idea. Facebook is not the issue; the lack of understanding about the risks is the issue.
I have no doubt that social media needs to be banned in highly secure locations, but that doesn’t mean it can be banned across the board. People always find a way.
Without wishing to get preachy, the revolution in communications devices and channels is only going to continue gaining momentum; it’s certainly not going to go away and it’s unlikely to slow down. Therefore, ignoring or banning is not the answer for the majority who do not work in highly secure environments.
In my opinion, staging the InfoSec and Internet World shows on the same three days, and within a five-minute walk of each other, was a missed opportunity to share information between these two sectors, as each could learn a lot from the other.