Sharing versus Security: Driving without Brakes

Last week I was in Bled for the 25th eConference, where I did a keynote presentation on targeted attacks as well as participating in a panel session on "eSecurity: The Evolution and Near Future of Cyberthreats" chaired by ESET Ireland's Urban Schrott. From left to right, that's myself, Urban, Gregor Mustar of ESET Slovenia, and Milan Gabor of Viris.

I'll be making some of the material I generated for the conference (including both the panel and my keynote presentation) available in the near future. However, after my keynote presentation, I was interviewed for Slovenian television and asked whether it's still possible for business to keep its data private. Or words to that effect: since it was a spontaneous and unscripted interview, I honestly can't remember the exact wording of the question, let alone of my answer. Still, it's an interesting question, and perhaps it would be useful to answer it again here.

Businesses (and indeed public sector organizations) are nowadays often caught between the proverbial rock and hard place. On the one hand, the guardianship of personal data relating to both staff and customers may be strictly regulated by legislation such as HIPAA, the European directive on data protection, and so on. Consider, for example, the increasingly harsh fines visited on healthcare organizations in the UK by the Information Commissioner's Office, when data for which they are responsible is lost or shared inappropriately. On the other hand, the sharing of information is in itself a business process: not just PR-oriented information about products and services disseminated through such notoriously leaky resources as Facebook and Twitter, but data whose availability is required under legislation relating to the freedom of information. Is it surprising that staff members are sometimes confused about what to share and what to restrict?

There's more to this than the complexities of contradictory legislation, though, daunting though those complexities are in themselves. With the expansion of the organizational perimeter to include the BYOD (Bring Your Own Device) generation, even those whose work doesn't include direct communication with the public and the media are finding it harder to differentiate between communication on behalf of their employer and what they undertake purely for themselves. Similarly, they find it harder to draw a line between data they own themselves and data owned by the company. When I first crept into the IT industry, even further back than the first Bled eConference, information workers were largely limited to whatever corporate information they could access from dumb terminals or terminal emulation software, and few people had an Internet connection of any sort at home in those pre-web days. Now we talk about private clouds, but it's much harder for the organization to maintain confidentiality from the centre when every smartphone and tablet is a terminal. It's as if we live our lives distributed over multiple devices, and in the work context those devices are a window into a private cloud. But all too often, those windows are transparent in both directions.

It occurs to me that speaking about security at a conference like this (or indeed at a show like Infosec), where the main focus is enhancing generalist communication rather than security, isn't always the easiest way to make friends and influence people: after all, security is almost invariably seen as a brake. However, there was more than enough interest in ESET's contributions to reassure me that there are plenty of people who realize that you need a brake as well as an accelerator to drive safely.

Author: David Harley, ESET Senior Research Fellow

  • Vicki

    Oh, David, I have had many conversations on the issues of privacy & security and it always seems to fall on deaf ears. I don't get it. People on Facebook willingly give up their personal info to Apps and the site itself. You wouldn't catch me on Facebook in a million years although I did have an account a long while ago, but I hated the way they kept changing my privacy settings and those darned Apps wanting to access your data is just terrible. Face Recognition software bothers me, too. Apparently, Skype now lets people know when you are online so they can just pick up the phone and call you and, quite frankly, I find that to be extremely invasive. Plus, people now can find out what websites you visit and on and on and on. I love my ESET software and you are so right that there are some people out here who DO "realize that you need a brake as well as an accelerator to drive safely". Very well put. I just wish more of my friends would heed my warnings about the "Cloud" and some of the very risky behaviors they use on their very expensive hardware and software. Thanks for a great article and have a great week. Warmly, Vicki

    • David Harley

      Thanks, Vicki. As I understand it, Skype does default to showing that you’re logged in, but has some alternative status settings including an ‘invisible’ setting whereby you can use the service as usual but it looks to your contacts as if you’re offline. I hardly ever use Skype, but I sometimes use an equivalent setting when I don’t want to be disturbed by a chat program. Online services, however, seem to insist that I either tell you I don’t want to be disturbed or that I lie about being online, and that does seem a small but significant reduction in privacy. After all, if I don’t pick up my phone, that’s not telling a caller anything about me except that I didn’t answer the phone. I guess most people don’t care about that.

  • Svetlana

    Brakes – yes, using brakes, that's a good thing. But don't you think that it's more important that this doesn't mean we'll get out of the car… And most importantly, where are we headed, regardless of whether we drive fast or slow…

    • David Harley

      Hi, Svetlana. You’re absolutely right: to be useful, the car needs a driver who knows how to use the brake, the accelerator, and the steering wheel properly. Security for its own sake is counterproductive when it blocks core business processes instead of enabling them. I used to have a boss who, when he talked about the famous CIA triad (Confidentiality, Integrity, Availability), always said ‘and the most important is availability…’ He was essentially right, but the trick is to ensure that data is available only to those who are entitled to it.

      This extended motor car metaphor is starting to make me feel travelsick. ;-)


Copyright © 2017 ESET, All Rights Reserved.