Social media demands a review of your security framework
Wednesday, 28 July, 2010
The time lapse between the beginning of publicly available internet and what we now refer to as Web 2.0 was short. A relative nanosecond in terms of history. Rob Forsyth* jumps forward from the history of the internet to social media and advocates that organisations need to embrace security to enable as much access to technologies as possible under a robust security framework.
As the internet became widely available in around 1993, its use was really about large numbers of people accessing information published by a much smaller group of businesses, educational institutions and government organisations. Jump forward just a tad to 1999 and the first blog publishing platforms were being launched, obliterating the barrier to entry and enabling just about anyone to quickly and cheaply become a publisher in this new, online environment. While the tools may have been available in 1999 to blog or publish, it’s only in this decade that Web 2.0 found its home and its power now lies in the hands of individuals around the globe.
Rather than just publishing an article, it was publishing directly to your peer group that dramatically changed the landscape with the arrival of Facebook in February of 2004. Just six short years later and there are over 400 million active Facebook users worldwide. Take a step back one year to 2003 and Second Life made an interesting appearance enabling individuals to create an avatar and, in a personal, yet anonymous way, explore a virtual harem without real-life consequences. Second Life provided the vehicle to experience freedom in a way reminiscent of post-60s liberation.
Today, traditional media struggles to keep pace, relatively new technology such as email is becoming obsolete and those now entering the workforce know nothing other than communicating and collaborating online. The founders of Mashable, Google and Twitter are the red carpet fodder of this generation. We are dazzled by the power of applications that are developed as fast as we can imagine them. Our computers are quite literally windows to anywhere in the world as tools such as Google’s Streetview and live webcam treat us to virtual street images and real-time snow reports. For many, these technologies provide us with access to much more and enable us to be the ultimate voyeurs.
Watching the evolution of the internet is akin to watching a child growing up - without parents. This was made plain earlier this year, when some of the shine started to wear off for some of the larger players in our brave, new world. Facebook and its founders came under scrutiny for their lack of consideration for protecting customer privacy. Twitter also took several hits as the accounts of a number of famous users were hacked and compromised, calling into question the strength of its security.
Google, keeping up with its awe-inspiring track record of innovation, came under fire for breaching privacy regulations while taking pictures with its Street View cameras and in the process inadvertently collecting Wi-Fi data as its cars cruised the streets gathering images. It is this example that is perhaps the most potent. Our society, in general, has wholeheartedly embraced these leaps and bounds in technology. It has after all enabled us to access worlds we would otherwise never visit. We are able to watch a great tide of titillating activity unfolding online from the safety of our computer screens - or so we thought. It is this very inadvertent collection of personal data that issued a rude reminder to us all: this harem that we enjoy peeking into from the outside could very easily stare straight back at us.
Our child has now entered post-adolescence. We’ve reached the end of the beginning.
Those of us in the security arena are, by nature, sceptical about with whom and how we share information. Protecting property and privacy remains at the heart of our business, as does helping companies find the very delicate balance of enabling business productivity and employee satisfaction and ensuring that the company, its customers and shareholders are protected from those wishing to exploit them.
Yet the days of keeping organisations secure by simply building safety walls to keep the bad guys out are long gone. IT security used to be about protecting the network. Then it became about protecting the devices that left the network and then about protecting the data itself as information leaks became commonplace within the work environment. Today, security is two-fold. Organisations not only need to be aware of the viruses and other cyber nasties that attack the business externally but they must also manage and equip employees who are actively participating in social networking sites - and consequently exposing their organisations to potential privacy breaches.
That said, we’ve also been forced to think more broadly about what it is we are protecting. Data (as a security threat) has little value. It’s how data relates to people that is vital. And it’s not just credit card numbers or the like - which most, if not all, individuals understand must be kept private. Details about a person’s date of birth, home address, email address and even information about where a person is at a specific time of the day are readily made public on Facebook or Twitter without a second thought. Even if our information is anonymous, as in the case of online shopping habits, how do we feel about it being mined for information?
As information security specialists, our role working with companies who themselves are grappling with these issues has inevitably changed. While we like to talk about the technical side of things, it is really about how technology lets people down by exposing information about them. So, where to now? What will adulthood hold for our internet child as we learn to better manage the wave of new technologies that have transformed and intertwined our personal and professional lives?
We don’t have the luxury of skipping to the last chapter of this book to see our child as an adult, and as an industry it would be foolhardy of us to propose we have the insider’s secrets to the end game. But what we can do is consider what we know thus far and propose some strategies to lay the foundation for the future.
Traditional security approaches within organisations banned new technologies or, at best, permitted access under stringent regulations. But a zero-tolerance approach built on unenforceable policies is no longer viable as an army of tech-savvy employees enters the workforce, bypassing security walls and, as a result, exposing the organisation to even greater security risks.
Social media tools or new more transparent tools for collaboration are brought into the organisation via a range of departments. HR may argue that collaboration tools, both external and internal, engage stakeholders and facilitate greater dialogue and productivity. Marketing may claim that social media campaigns are a necessary component of communication plans as their audiences move to online environments in droves. Whatever the situation is, IT will continue to take a pragmatic approach and lend a hand in creating and managing social media projects. Furthermore, IT will be at the discussion table when organisations develop social media guidelines to equip employees with the do’s and don’ts of online engagement. Many companies have already started implementing these social media policies and this will only become more crucial in the coming months and years.
Our child may have scars from a misspent youth, but in this post-adolescent phase, we’ve awoken to the realities of technology. Inevitably, our plans and methods are a work in progress and will need refining as the industry continues to evolve. But today, organisations need to embrace security as an enabler that offers as much access to technologies as possible under the surveillance of a robust security framework.
Watch for the next chapter in this very exciting adventure.
* Rob Forsyth is Managing Director of Sophos Asia Pacific, based in Sydney. Prior to this role he was employed by the Sydney Organising Committee for the Olympic Games (SOCOG) for 5 years.
Forsyth is an active spokesperson within the IT sector, lending his expertise to industry associations such as the Internet Industry Association (currently Deputy Chairman), and is a Director of The Internet Society. During the 90s, Forsyth was a member of the NSW Branch Executive Committee of the Australian Computer Society.