Does the enterprise still have a choice about sharing information?
Last week I was in Bled for the 25th eConference, where I did a keynote presentation on targeted attacks as well as participating in a panel session on "eSecurity: The Evolution and Near Future of Cyberthreats" chaired by ESET Ireland's Urban Schrott. From left to right, that's myself, Urban, Gregor Mustar of ESET Slovenia, and Milan Gabor of Viris.
I'll be making some of the material I generated for the conference (including both the panel and my keynote presentation) available in the near future. However, after my keynote presentation, I was interviewed for Slovenian television and asked whether it's still possible for business to keep its data private. Or words to that effect: since it was a spontaneous and unscripted interview, I honestly can't remember the exact wording of the question, let alone of my answer. Still, it's an interesting question, and perhaps it would be useful to answer it again here.
Businesses (and indeed public sector organizations) are nowadays often caught between the proverbial rock and hard place. On the one hand, the guardianship of personal data relating to both staff and customers may be strictly regulated by legislation such as HIPAA, the European directive on data protection, and so on. Consider, for example, the increasingly harsh fines visited on healthcare organizations in the UK by the Information Commissioner's Office, when data for which they are responsible is lost or shared inappropriately. On the other hand, the sharing of information is in itself a business process: not just PR-oriented information about products and services disseminated through such notoriously leaky resources as Facebook and Twitter, but data whose availability is required under legislation relating to the freedom of information. Is it surprising that staff members are sometimes confused about what to share and what to restrict?
There's more to this than the complexities of contradictory legislation, though, daunting though those complexities are in themselves. With the expansion of the organizational perimeter to include the BYOD (Bring Your Own Device) generation, even those whose work doesn't include direct communication with the public and the media are finding it harder to differentiate between communication on behalf of their employer and what they undertake purely for themselves. Similarly, they find it harder to draw a line between data they own themselves and data owned by the company. When I first crept into the IT industry, even further back than the first Bled eConference, information workers were largely limited to what corporate information they could access from dumb terminals or terminal emulation software, and few people had an Internet connection of any sort at home in those pre-web days. Now we talk about private clouds, but it's much harder for the organization to maintain confidentiality from the centre when every smartphone and tablet is a terminal. It's as if we live our lives distributed over multiple devices, and in the work context those devices are a window into a private cloud. But all too often, those windows are transparent in both directions.
It occurs to me that speaking about security at a conference like this (or indeed a show like Infosec), where the main focus is enhancing generalist communication rather than security, isn't always the easiest way to make friends and influence people: after all, security is almost invariably seen as a brake. However, there was more than enough interest in ESET's contributions to reassure me that there are plenty of people who realize that you need a brake as well as an accelerator to drive safely.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow