Want Better Security as a Business? Start on the Personal Level
When Michael Jackson sang the line “I always feel like somebody’s watching me” in Rockwell’s 1984 chart-topping single, neither of the singers had Facebook, the NSA or even Big Brother in mind. (What was the equivalent of Facebook in 1984? Oh, right — nothing.)
Yet as silly and trivial as these lyrics might’ve seemed back then, they represent our collective consciousness today, a truth about our perpetually connected, technology-ridden society that most rarely question and some even revel in — well, at least until they realize their house might not have been burgled had they not told everyone on Facebook they were going on vacation, or they might not have lost their job over a confidential file they unwittingly copied to a mobile device.
We are being watched these days, by people known and unknown, whether we like it or not. The professional has become personal, and the personal has become public. Sure, the problem of security and privacy goes back well before social media was deployed. It goes back before Amazon started tracking your online purchases and using business analytics to tell you what to buy next. It goes back even before that ridiculous “brick” mobile phone and the Internet — back before even 1984. Yet all of these factors (and more) have exacerbated the issue. We’re losing any semblance we might’ve had of what we considered to be personal privacy, and business security is speeding toward oblivion in tandem.
“It’s always been a ‘notion’ of privacy,” said Bob Larrivee, director and industry advisor at AIIM. “But the old problem has new tools. We face the same issues we would’ve had without Facebook, LinkedIn and Twitter, but since we now have more ways of sharing information, they become more of a challenge to address because you have to look at all these different venues and say, ‘What kind of governance should we have over these things?’”
We clearly need much better management and control over the spread of personal and professional information now that we find ourselves in a time when stealing trade secrets to run businesses into the ground is child’s play (you must’ve heard of at least one teen who’s made the news for breaking into a corporate system by now) and the bar for slipping into our e-shoes is low enough that almost anyone can clear it on any day of the week. “We used to say in the security world that if you’re in business, you have to assume that you’ve already been hacked,” said Dave Westlake, chairman, president and CEO of Print Command. “Now, because of evolving threats, you have to assume the same as an individual as well. There’s an endless list of examples of privacy and security being compromised in every (type of circumstance).”
Unfortunately, instead of inspiring people to view perpetually looming breaches with concern, news like this is more often greeted with apathy. “Privacy is something that seems to be important only to a limited number of people — a shrinking number of people at that,” said Todd Thibodeaux, president and CEO of CompTIA. “People may have been nervous at first, but they quickly realized that there didn’t seem to be a whole lot of consequences for having a lot of their information out there.”
But whether or not there are immediately apparent consequences, the reality is that most eventually pay some sort of price for releasing information, or even just for failing to log out correctly. The stakes have never been higher, not only with respect to the ease with which information can be accessed but also with respect to the kind of information someone can obtain and use against another. The repercussions may be confined to a single individual, or they may spread across an entire company and take it down.
And this will ring even truer as the “bring your own device” (BYOD) movement becomes less of a movement and more an everyday way of life. Take the Gartner statistic that indicates that by 2017, half of all employers will actually require their employees to bring their own devices to and for work. Add to that a dash of personal indifference or even flat-out defiance regarding privacy and security, and you’ve got a recipe for disaster a-brewin’. “With devices being more interconnected and our information going mobile and into the cloud, privacy and security are going to become increasingly difficult to achieve,” said Dave Kleidermacher, CTO at Green Hills Software.
The wild card in the equation is people and their individual choices, whether careless or cautious (keeping in mind that the way a person does one thing is usually the way he or she does everything). That wild card ultimately makes a business, and it can just as easily break one.
Don’t believe it? Two words: Edward Snowden.
“Without some adherence to security and privacy, you can’t have a business,” Westlake said. “If you’re transacting business, you’re dealing with sensitive data, and if you’re not locking down your network and not covering all the gaps in security coverage — and, mind you, there are numerous exploitable gaps in every network — then you’re putting your clients and business at risk.”
This means we need to start caring, from the individual level on up, about security and privacy if we don’t already. It means we need to fight harder than ever for both. It means we need to be more aware of what we do and make smarter choices in the future. Our companies, our jobs, our bank accounts — our entire lives depend on it.
Just an average man with an average life … and an unreasonable amount of access to valuable information
Employees of all ranks and reputation are being granted access to a wider variety of company information these days, which means that at any point in the information life cycle — creation, management, delivery, archiving, etc. — that data is more at risk of being tapped inappropriately or used improperly.
Therefore, the types of threats to security that employees pose today are further-reaching than ever — sometimes deliberately, though oftentimes not. Corporate espionage — the intentional type of security breach — is far less common than a confidential email arriving to the wrong person’s inbox or a folder containing sensitive information getting left behind on a plane. As Thibodeaux pointed out, “human error is still the biggest challenge in all of this.”
Oftentimes it’s that human error that accidentally opens the door to more dangerous predators. Say your office disposes of a chunk of files in one fell swoop, throwing a ton of papers en masse into the public dump without reviewing them first. This is what Goldthwait Associates, a medical billing company that was bought out in 2010, did — to thousands of confidential patient records (as detailed by Liz Kowalczyk in her Boston Globe article “Patients’ Files Left at Public Dump”). What might’ve happened if a criminal got to this information before a reporter?
Or say you hop onto the open Wi-Fi network at your local coffee shop to check your work email. You were only on it for a minute; couldn’t do much harm, right? Wrong. On a network with no encryption, anyone else on it can read or tamper with any traffic that isn’t itself protected by TLS or a VPN, so a minute is plenty of time for the wrong person to capture a password or slip a malicious payload onto your device, one that goes to work the moment you reconnect to your company network.
How about that awful wrenching in your gut when you realize your smartphone isn’t in your pocket, your desk, your car or your home? Even though you didn’t mean to, you’ve essentially handed an attacker every logged-in session and saved credential on that phone; from the network’s perspective, whoever holds it now walks, talks, types and looks like you. Any unattended device, in or outside a work environment, leaves business information vulnerable.
In all these cases, whether an employee made a simple mistake or was specifically targeted, the safety of business data was jeopardized, making it pretty clear that the roles employees can play when it comes to compromising the security of the companies they work for are virtually endless. And once that happens, “(t)he only limits on the impact bad guys can have on an organization is the extent of their collective imagination,” Westlake said.
And this says nothing of your personal data. After all, it’s unlikely in this BYOD era that you’re using your phone, tablet or laptop strictly for business. Your data is often commingling with company data, and that’s a different kind of threat altogether. “Corporations may have a strong focus on protecting enterprise information, but protection has to be bidirectional,” Kleidermacher said. “Individuals have to fight harder to attain or keep any semblance of privacy, and it’s equally as important — if not more important — to corporations that they’re not liable for personal data on devices.”
With so many professional and personal loopholes to consider, how can security and privacy possibly be achieved?
How to bolt the door real tight as a company
Company security and personal privacy both begin with a foundational awareness of the current state of affairs in and outside the professional sphere, and the most successful campaigns to ensure data safety take a holistic, bird’s-eye approach to the matter. Westlake suggested going beyond addressing gaps in network security and also zeroing in on two additional areas of vulnerability: gaps in intelligence and gaps in support.
“What I would suggest organizations do is look at their entire security posture and ensure they’ve identified and addressed all of the different potential entry points into the network,” Westlake said. “You’ve got to address all of them to make sure that you’ve deployed a sound security strategy. Start closing off the ones that are most likely (to be) or most vulnerable to being exploited as attack vectors and slowly work your way to the point where you’ve closed all of them off.”
To achieve this requires not only reactive repairs but proactive, strategic planning — because it’s not just the tools, but again, the people as well that present a risk. “You have to know what type of information you’re dealing with and what your constraints are, whether they be regulatory or simply industry guidelines in relation to compliance,” Larrivee said. “But share this information with people. Teach them what they need to know. Figure out how you’re going to move information through the organization safely. At the same time, try to figure out any process improvement that can be made. The more you can standardize and automate things, the better off you are, because you get consistency and better control.”
As Larrivee implies, security policies and procedures shouldn’t just keep protection in mind, but also processes and business culture. “A fundamental challenge in many organizations is that they look at privacy and security as being business drivers for doing some things and try to deal with the matter from a pure technology standpoint,” he said. “They don’t necessarily think about the culture or process related to all the elements that have to go into place to manage things properly.” Once these elements are thoroughly considered, then the right tools and procedural changes for your company can be implemented.
When companies think of security tools, the first things that spring to mind are often antiviruses, firewalls, mobile device management (MDM) software and the like, but businesses need to look beyond these types of reactive solutions that merely patch flaws in other devices. Kleidermacher recommended taking a proactive look at those devices and tools you use on a regular basis. “For the technology providers building the cloud, mobile devices and all these applications, your personal privacy is not No. 1 on their list, so fundamentally, you have to take things into your own hands,” he said.
Larrivee agreed. “Organizations need to make conscious decisions. There are a lot of great tools out there to be used, but they also present, in their own rights, some unique risks. It’s very difficult to teach people how to be different, but I think part of developing adequate security is showing them the pros and cons of each technology.”
Take file collaboration, for example. It’s the latest rage in document management technology, but is it secure? Does the file reside in a single place, or are there multiple copies drifting around, opening the door to risk (not to mention workflow disruption)? Is the document encrypted at rest, and is access gated by more than a shared password? Are there monitoring or auditing mechanisms to prevent, or at least record, copying of the file? Does the document expire, so that a file nobody handles in a timely fashion isn’t left sitting around waiting for prying eyes to spy it? And is the file stored securely both while it is being worked on and once the finished product exists? “First and foremost, you should have a document policy determining what level a certain document is at and what level a certain type of information falls under,” Thibodeaux said. “At what level does it need to be managed? If a company is not using a system and is primarily having people work on documents locally, then distribute them out to lists, that’s the place where mistakes happen.”
Or consider mobility and BYOD. From a security perspective, it’s really easy to see how that “D” can turn from “device” into “disaster.” “The smartphone has enabled shenanigans,” Thibodeaux said, “so companies should be very clear about how employees are supposed to operate remotely” — from the use of passwords to log in to devices, the permission (or lack thereof) to store those passwords, the timing out of a device if left unattended for a certain period of time, the utilization (or limitation) of remote desktop software and applications, and how (or even if) a device is allowed to connect to the network.
But this doesn’t take into account one other important aspect of mobility when it comes to security: how a device can interact beyond a user’s work applications. Mobile devices can have USB ports, cameras, audio-recording capabilities and other connectivity mechanisms that could be exploited. “A company needs to have the ability to control how those various data management/input-output devices are going to be used,” Kleidermacher said. “For example, when you’re in my corporate building, I may want your camera disabled. There are a handful of policies that need to be engaged to control and manage the most obvious ways that information can be compromised via device.”
And since, according to a Kensington infographic, 70 million smartphones alone were lost in 2011 (a number that doesn’t even include stolen devices), it’s important that every company using mobile devices for work purposes have a process for disabling a lost device: remotely locking and wiping it and revoking the sessions and credentials it held, so that even if the device is gone for good (which is likely), the information it contained was already encrypted and can no longer be used to reach the company. Encryption has to be switched on before the phone goes missing; it cannot be applied after the fact.
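The paragraph above and the earlier one about the missing smartphone both hinge on the same server-side mechanism: a lost device must be cut off without taking the user’s other devices down with it. The following is an added example written for this article; it is not code from the original page or from any company quoted in it. It assumes a design (all names illustrative) in which every login issues a random bearer token tied to a device ID, the server stores only the token’s SHA-256 hash, sessions die after a period of inactivity, and reporting a device lost revokes that device’s sessions and blocks it from logging in again until it is re-enrolled.

```python
"""Device-bound sessions that can be cut off when a phone goes missing.

Added example for this article, not code from the original page or any
vendor named in it. Assumed design (all names illustrative): each login
issues a random bearer token bound to a device_id, the server keeps only
the token's SHA-256 hash, sessions expire after SESSION_TTL seconds of
inactivity, and reporting a device lost revokes that device's sessions
and refuses new logins from it until it is re-enrolled.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

SESSION_TTL = 8 * 3600  # seconds of inactivity before a session dies on its own


@dataclass
class Session:
    user: str
    device_id: str
    issued_at: float
    last_seen: float


@dataclass
class SessionStore:
    # Keyed by the hash of the bearer token: a leaked copy of this table
    # yields no usable tokens, since a 256-bit random token cannot be
    # recovered from its SHA-256 digest.
    _sessions: dict = field(default_factory=dict)
    # (user, device_id) pairs that have been reported lost.
    _lost_devices: set = field(default_factory=set)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def login(self, user: str, device_id: str, now: Optional[float] = None) -> str:
        """Issue a fresh token for (user, device); refuse devices reported lost."""
        now = time.time() if now is None else now
        if (user, device_id) in self._lost_devices:
            raise PermissionError(f"device {device_id!r} is flagged lost; re-enroll it first")
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(token)] = Session(user, device_id, now, now)
        return token

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None if unknown, expired or revoked."""
        now = time.time() if now is None else now
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if now - sess.last_seen > SESSION_TTL:
            del self._sessions[key]  # idle too long: treat it like an unattended device
            return None
        sess.last_seen = now
        return sess.user

    def report_lost(self, user: str, device_id: str) -> int:
        """Revoke every session of one device and block it from logging in again.

        Sessions on the user's other devices are untouched, so the user keeps
        working while the lost phone is cut off. Returns the number revoked.
        """
        self._lost_devices.add((user, device_id))
        doomed = [k for k, s in self._sessions.items()
                  if s.user == user and s.device_id == device_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def active_devices(self, user: str) -> set:
        """Devices that currently hold a live session for this user."""
        return {s.device_id for s in self._sessions.values() if s.user == user}


if __name__ == "__main__":
    store = SessionStore()
    phone = store.login("alice", "phone-1", now=1000.0)
    laptop = store.login("alice", "laptop-1", now=1000.0)
    print(sorted(store.active_devices("alice")))   # ['laptop-1', 'phone-1']
    store.report_lost("alice", "phone-1")
    print(store.authenticate(phone, now=1010.0))   # None: the phone's token is dead
    print(store.authenticate(laptop, now=1010.0))  # alice: her laptop still works
```

The point of binding sessions to a device rather than only to a user is that revocation can be surgical: the helpdesk kills the phone, not the person. Pair it with full-disk encryption and a lock screen on the device itself, since anything cached locally before the revocation is only as safe as the passcode protecting it.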
Finally, any company will come closer to its security goals by managing, as far as it can, the other human element that jeopardizes security besides error: curiosity, which keeps wandering eyes wandering and loose lips flapping. “From a security perspective, I suspect far more harm is being done from a lack of personal discretion in situations than we think,” Thibodeaux said.
Tell me, is it (security) just a dream?
People by nature are curious about their world and the people in it. This is what led us to figure out how to start fire, forge wheels and grow food. But it’s also what leads some to steal millions, crash systems and blackmail people. And we can’t lose sight of this.
But with so large an intersection between the personal and professional — and so many mistakes (or even deliberate moves) that can be made in the course of an average day of data handling in our digital world — is keeping anything private or secure an impossible dream?
Perhaps the goal isn’t really failproof security — truly a figment of the imagination — but improved security.
More important than this goal, however, still appears to be getting businesses to care about improving security in the first place and getting people to care more about the repercussions of their individual actions. Even as our world grows more dangerous, we seem, across the board, to be growing more and more lackadaisical. “If we had not had the regulatory push, I’m not sure that we would’ve seen businesses be any more ardent about protecting their information,” Thibodeaux said. “We do an annual cybersecurity study every year, and every year, people tell us they’re going to commit more resources to policies around security, but they never do it.”
What’s it going to take for us to take privacy and security more seriously? From a business perspective, Kleidermacher believes it all boils down to the almighty dollar. “What we need to do as technologists is find how security solutions provide business benefit. If not coupled with a reduction in total cost of ownership, it’s not going anywhere.”
Westlake thinks it might take something a bit more dramatic than a compelling TCO. “I fear it’s going to take some cyber-9/11 to make people more vigilant,” he said. “Right now we see very slow adoption toward what the security community would consider a legitimate level of cybersecurity.”
From a personal perspective, there is no easy answer. Just like the companies they work for, most people need to be sorry first to be safe later, unfortunately.
For those of us who already care about our personal privacy and see how what we do in one sphere spills into all the others, we can still be more careful in managing our information: using passcodes on our phones, keys on our filing cabinets, and common sense when posting on our social media sites and sending emails.
Larger change? Well, we may have to write our vendors, solutions providers and even our government representatives. “From an individual perspective, whether in a consumer mind frame or business mind frame, we must raise our expectations,” Kleidermacher said. “We need to demand a higher level of technological solutions to this challenge of privacy and security.”
In the end, we will get those things we fight for the most. Let’s make sure they’re the right things, like a paycheck and protection, rather than today’s equivalent of Rockwell’s fate: 15 seconds of fame on Facebook.
Sidebar: What does your personal privacy strategy look like?
WESTLAKE: I start off by acknowledging the fact that I’m not going to be able to stop 100 percent of every potential threat, so I give myself the best footing possible. I encrypt what I can on multiple levels. I also make sure that when I am on a public network, none of the private information that I wouldn’t be OK with someone else seeing is visible in any way through my connection. I’ve got multifactor authentication within firewalls and updated certificate protocols that secure intra-OS application communication. A few years ago, this would have seemed over the top; nowadays, not so much. Security is one of those things we can’t compromise on.
THIBODEAUX: I have a cheap credit-monitoring service to keep track of what’s going on. It’s well worth the money. People should be monitoring their credit card transactions. A personal lock code on your smartphone is a must. Many people still don’t have passwords on their Wi-Fi networks at home. There are people who drive around neighborhoods looking for open networks, and then they sit there, monitor traffic, do keystroke capture, and look at emails and any confidential personal information that people are stupid enough to save there. You could get hit pretty hard if someone got your PayPal password because most people have their bank accounts attached to PayPal. Someone could be making purchases that you would have no way of getting liability return on versus your credit card. The thing that could hurt you the most is financial.
KLEIDERMACHER: Maybe because I’m in the security world, I tend to be more conservative with how I use technology than some, but I’m not extreme. I know enough to be paranoid, but I still use some of those services; I just use them intelligently and conservatively. I know some who refuse to have any information on the cloud. I have a Facebook account. I don’t have thousands of friends. I have a reasonable amount; all are real friends and family. If I’m going out of town, I never post anything related to my trip until I’ve returned. The way I view today’s cloud — and I think the way everyone should view it for the foreseeable future — is, assume absolutely anything you post or send to a cloud-based service is public information. If you have that mindset, you’ll make smarter decisions.
LARRIVEE: I look at today’s technology and say, “There are certain things I should be keeping to myself,” and I only select a few members of my family to personally tell. Basically, just follow what your grandmother and parents taught you: If you think it’s something that would be offensive to your family, then don’t say it. Don’t put it on social media or in an email. If you don’t want your mother to know what you said, then don’t say it. At the same time, there are things that I would and do share with friends, family and so on. Before hitting “send” or posting, you really have to look at it and ask, “Is this something I really want the whole world to know?” because potentially, they could now. And if it’s not, you shouldn’t be putting it out there.
This article originally appeared in the December 2013 issue of Workflow
Raegen Pietrucha is director of communications in UNLV's Division of Research and Economic Development. She writes, edits, and consults on both professional and creative bases.