Social Media and Security
Last week, I posted on thoughts about where organizational cyber-security responsibilities should be assigned. This week, I want to look at the organizational risks associated with social media.
The country seems to be all in a dither over the use, by Cambridge Analytica, of the personal data of millions of Americans (as collected by Facebook) in support of President Trump’s campaign in 2016. I find that mildly amusing because there were no laws broken by Cambridge Analytica in either acquiring the data or in using it (which raises the question of whether or not there should be such laws, but that’s above my pay grade). Even beyond the fact of the legality of Cambridge Analytica’s efforts for President Trump, the same kinds of analyses were used by President Obama’s campaigns in 2008 and 2012. In fact, the man who developed the idea of leveraging “Big Data” for use by political campaigns (at least as asserted by a book I read, the title of which I cannot dredge up) was Joshua Gotbaum. Serendipitously (and this is why I remember Josh’s name), I actually worked with him while he was the Assistant Secretary of Defense for Economic Security back in ’95 – ’96. He’s a seriously smart and honest guy. I have a lot of respect for him. The point, however, is that bulk mining and use of personal information has been going on, quite openly and legally, for over a decade.
How can it possibly be legal for Facebook (or any app) to sell your personal data to a third party? The answer is really simple – you gave them that permission when you checked the “I Agree” box on the Terms of Service associated with the app when you opened your account. Surely you remember those dozen or so pages of small type that were saturated with wherefores and to wits and other legalese. You don’t? I’m shocked! Well, I only started reading them when I joined Doc Searls’ Vendor Resource Management (VRM) online group and became aware of the dangers. ‘Nuf about me.
Now, let’s add the intrusiveness of social media to the increasing number of organizational policies that allow employees to use their personal digital devices at work – known as BYOD (Bring Your Own Device). All of a sudden, we have personal digital devices being authorized to join secure organizational networks – personal digital devices that are subject to tracking (e.g. MapQuest’s mapping app’s default condition is to track you and collect data on you whether or not you are using the app) and data collection. The firewalls and VPNs that your cyber-security guys have labored so hard to construct and implement have just been bypassed (albeit, some cyber-security guys may have implemented sophisticated network protocols to keep organizational data protected, but that’s really hard if employees are still authorized to use their own devices for work projects).
So now, you have employee-owned digital devices inside your firewalls and operating on your VPNs. Are those employee-owned devices secure? Do your policies require some specified level of security? Do they keep their devices current with the latest OS and app security updates? How do you know?
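One way to answer “How do you know?” before an employee-owned device is admitted to the network is a posture check against a written BYOD policy. The following is an added example, not code from the original post or from any MDM product; the policy thresholds, field names and device records are constructed assumptions.

```python
"""BYOD posture check: decide whether an employee-owned device may join the
organizational network, and list every reason when it may not.

Constructed example: policy thresholds, field names and the sample inventory
are assumptions, not any vendor's MDM schema."""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical policy: minimum OS version per platform, maximum age of the
# last security update, and controls the device must have enabled.
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0), "windows": (10, 0)}
MAX_PATCH_AGE_DAYS = 30
REQUIRED_CONTROLS = {"screen_lock", "disk_encryption", "mdm_enrolled"}
TODAY = date(2024, 5, 1)  # constructed "current date" for the sample run

@dataclass
class Device:
    owner: str
    platform: str
    os_version: tuple          # e.g. (16, 4); tuples compare component-wise
    last_patch: date           # date OS/app security updates were last applied
    controls: set = field(default_factory=set)
    apps_with_location_always: list = field(default_factory=list)

def check_device(dev: Device, today: date) -> list:
    """Return the list of policy violations; an empty list means admit."""
    problems = []
    minimum = MIN_OS_VERSION.get(dev.platform)
    if minimum is None:
        problems.append(f"unsupported platform {dev.platform}")
    elif dev.os_version < minimum:
        problems.append(f"OS {dev.os_version} below minimum {minimum}")
    if (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        problems.append(f"updates older than {MAX_PATCH_AGE_DAYS} days")
    for ctl in sorted(REQUIRED_CONTROLS - dev.controls):
        problems.append(f"missing control {ctl}")
    # Apps that track location even when not in use get flagged for review.
    for app in dev.apps_with_location_always:
        problems.append(f"app {app} has always-on location tracking")
    return problems

def admission_report(devices, today=TODAY) -> dict:
    """Map each owner to that device's violations (empty list = admit)."""
    return {d.owner: check_device(d, today) for d in devices}

# Constructed sample inventory: one compliant device, one that fails on
# OS version, patch age, missing controls and a tracking app.
SAMPLE = [
    Device("alice", "ios", (17, 2), date(2024, 4, 20),
           {"screen_lock", "disk_encryption", "mdm_enrolled"}),
    Device("bob", "android", (12, 0), date(2024, 2, 1),
           {"screen_lock"}, ["mapping-app"]),
]

if __name__ == "__main__":
    for owner, issues in admission_report(SAMPLE).items():
        print(owner, "ADMIT" if not issues else "DENY: " + "; ".join(issues))
```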
As leaders, we need to be aware of the complexities of ideas like BYOD and the ramifications at the second and third (and lower) levels of impact. The advantages of BYOD are significant and should be, at least, considered. But the risks are also significant and it is imperative that your cyber-security team should be collaborating with their IT brethren to make your cyber security as strong as practical (and as easy to maintain as possible). I’ve noted repeatedly in the past that “all moving parts are connected to all moving parts.” That also applies (it seems to me) to the “movement” of ones and zeroes.
Finally, everyone in the organization needs to fully understand the importance of cyber security and understand the importance of his/her personal responsibility in establishing and maintaining a secure cyber environment. Well over half of all cyber intrusions result from employee non-compliance with organizational cyber-security procedures.