Giving up Privacy for Convenience
By Ryan Loy, CIO & VP, IT, ADTRAN [NASDAQ:ADTN]
Login with your FB credentials. It is a common option you’re presented with when looking to set up a new account to pretty much any online service today—it’s great and convenient!
As we become a more ‘connected society’ there is undoubtedly a blurry-line when it comes to technology and private information. It’s the Flashlight app requesting access contacts, location and calendar or the latest wealth management application wanting account numbers and passwords. We get drawn into the simplicity, sexiness of design, or how a technology can solve an immediate desire—that we begin to lose touch with the importance and value of our private information. Ultimately, we are creating a societal shift in which “information sharing” is the norm and turning data into the new oil.
"We as corporate leaders need break-away from the traditional methods we have used in the past to protect our organization"
This fundamental societal shift in the treatment of private information, I would argue, mimics how individuals will treat corporate data. The line on ‘proper treatment/acceptable use’ of corporate information is getting blurred. Users are demanding improved connectivity, more mobile solutions and access to any piece of information anywhere at any time. This desire is driving a behavioral disposition to be ‘more connected,’ but it threatens how we as IT Leaders protect key intellectual property. Think about it like this, IDC reported that on average 70 percent of applications used by employees are not-sanctioned by IT. Users are implementing their own solutions despite the controls IT may have in place. The business value may be there, but the protection of corporate information is at greater risk.
We as IT Leaders are seeing an unprecedented amount of information sharing applications, personal cloud storage, analytic tools and collaboration software that users can download and deploy. Personal Dropbox or Box accounts plague the enterprise making it nearly impossible to protect key intellectual property. I will not argue that technology has certainly improved aspects of our lives, but the digital generation has grown-up in a society where technology is here to provide more convenience with data security and privacy being secondary or worse ignored.
We as corporate leaders need break-away from the traditional methods we have used in the past to protect our organization and secure corporate assets. The traditionalist approach of IT governed, IT provisioned, and IT owned is no longer feasible. Technology will continue to be pushed further into the business with true innovation living on the fringes. IT organizations need to evolve their cybersecurity approaches and go after what’s most important—the data! Here are a few questions that can help you think differently about security.
Do you know what data is the most important to the organization, to your competition or that which could do the most harm? If so, do you know where that data resides, how it is governed and who has access to it?
If you said yes to both questions then you are one of the very select few. In most organizations, including mine, mobile platforms, personal storage devices, and an ability to send e-mails to pretty much any e-mail account makes protecting key intellectual property very difficult.
At ADTRAN, we have decided to secure information through meta-data tagging leveraging data classification. No matter the solution deployed, if we can control access, where data will reside and put structure around the use of that data, as defined by the data classification, then we are in a much better position. Data tagging is just one way to secure information at the source.
Do you measure security risk and do you know what it takes to mitigate it?
The debacle by the VA and other organization around loss of laptops containing PII data resulted in one of the largest security investments organizations have made in the last twenty years. While laptop encryption is valuable, the point being is that most organizations only invest in cybersecurity after a significant event has occurred. We need to move the thought process away from measuring security by the number of events to being more focused on audit and compliance.
More and more companies are asking for tighter controls over their data—right to audit, duty to notify, and ISO 27001 compliance are just a few clauses we are seeing in business contracts. Soon GDPR and other like regulations will be in place making compliance even more critical.
Before you go out to purchase the next greatest IDS or Firewall appliance, ask yourself this “what aspect of our business or information is at the most risk and when I’m audited can I demonstrate we have invested appropriately to mitigate against those risks?”
Are you actively educating the community on proper use of technology to ensure the highest level of security practices is followed?
Proper placement of hands on a steering wheel use to be the 10 and 2 positions as it offers the most amount of agility. Yet airbags have changed that and the position is now 9 and 3 providing a balance of agility and safety. The point here is that almost everyone still believes 10 and 2 is the correct and most optimal hand position. We as security leaders need to ensure our education, training and communication reflects and appreciates the training of the past. We need to bake in security education not only throughout the year but also in new technology we deploy. Too many organizations’ security education is left to what you received in employee onboarding. The fact of the matter is, over 70 percent of organizations feel their level of security education is inadequate and needing to be refreshed, according to IDC. We as IT and Security Leaders should take every opportunity we can to get in front of the organization to discuss proper use, latest threats and their role in security.
I’ll end with this, we all must recognize that we need to offer solutions that are easy to work with securely and difficult to use insecurely. That no matter how the data is delivered it is the data itself that needs to be secure enabling you as an IT leader to know where it is and how it has been accessed. Always keep in mind that technology will continue to outpace education, but compliance will demand a well informed and educated user community.