A few weeks ago I was riding up in the elevator at a client site, when I overheard a conversation taking place between a couple of co-workers. The topic was related to bringing your 9th grade child to work for a day. Now, we think these kinds of events are fabulous – and are a great way of providing the child with an insight into what takes place between the parent walking out the door in the morning and returning home at supper time. However, in this case the conversation, for me at least, was a little alarming.
To provide some context, our client doesn’t allow access to social networking sites via the corporate IT infrastructure and, given the unregulated environment of most social networking sites, we certainly have sympathy with that. However, this proud mother was explaining that within 10 minutes of her leaving her 14 year old son alone at her desk, he had managed to log himself into his Facebook page and was in chat mode with a number of his school friends using the corporate PC.
Not too long ago IT security was a simple affair and little attention needed to be paid to the threat from the average 14 year old. The IT team established a secure perimeter around the system, leaving the computers inside the firewall safe from harm. Locked-down desktops (that stop users installing their own software), anti-virus software and limits on the size and type of e-mail attachments were all part of the defenses; USB sticks were expensive and unreliable.
Today, workers are taking IT into their own hands. To get the work done they use their own smartphones, netbooks and other digital devices. Plenty of malware, meanwhile, enters corporate networks through insecure links shared carelessly on social networks. “The IT guys have been told to do one job, so they lock things down and rule out the use of applications such as Google docs. And the workers are told to do another job, to get their work done, so they start using Google docs, and the power balance is moving away from the IT guys,” says Josh Klein, co-author of Hacking Work, a guide on how to “break stupid rules for smart results”.
According to a survey by networking firm Cisco, 41% of workers break corporate IT policies, saying that “they need restricted programs and applications to get the job done – they’re simply trying to be more productive and efficient”. Frankly, this is the biggest current threat to information security, and it is a culture clash.
Young people today are much more IT-savvy and have different expectations around the use of IT and applications. The whole concept of apps is to make life easier, so why would this not apply in the workplace? Mobile devices are increasingly being targeted, says internet security firm McAfee in its most recent threat report.
Then there are USB thumb drives, cheap and “very dangerous,” says Hubert Yoshida, chief technology officer of Hitachi Data Systems. “Wireless connectivity through Bluetooth is another of many avenues for attack.” Then there’s the web, teeming with malware as clever criminals monitor Twitter and Google looking to establish their next scam.
Ultimately, corporate IT security is not about better IT policies and compliance, not least as “the time spent between work and personal lives has blurred,” says Marie Hattar, vice president at Cisco.
“It has to be about protecting users while they are on social networking sites, not preventing them from social networking,” argues Dr Paul Judge, chief research officer at Barracuda Networks. His company estimates that about 30% of all Twitter accounts are suspicious and not used for what they are supposed to be used for.
Companies need to protect themselves and to ensure that no malicious applications are entering the corporate infrastructure.
One thing is certain in the clash between productivity (getting stuff done) and information security: progressive companies need to get a grip and find an appropriate balance. As the fortress of IT security lies in ruins and as the amount of data we generate grows exponentially, this issue is not going away.
Take a look at the information security practices in your team. Are you feeling comfortable?