Collective Corporate Judgment
Collective Corporate Judgement
Eh'den (Uri) Biber
Security is a perception. The bigger the distance between the perception and reality, the weaker you are. In this article, I will suggest methods of safeguarding employees from generating exposure to the company’s biggest asset – themselves.
Collective Corporate Judgement
Most organizations have an information security awareness plan as companies not only understand it is a mandatory requirement to show due diligence but many of them actually starts the grasp the importance of training their employees to reduce risk of data exposure.
However, almost all of the security awareness programs are inward – meaning – they approach the corporate information as an internal asset failing to understand is that this model is no longer valid. As the employees leave their workspace and head to their homes they shell off their work and become private people. Private? Well, not that much.
There used to be days that people went after work to a local bar and enjoy a friendly evening with people they knew (probably as you read this line there are a big amount of people somewhere on this planet who actually do it). Those days, however, it seems that people come home and log onto their favorite social network which evolved to provide a social platform of interaction with others.
In an article called “Trust and privacy concern within social networking sites: A comparison of Facebook and MySpacei” published in august 2007, the authors have showed that Facebook members reveal more information then MySpace in their profiles (like their private name), but MySpace members were more likely to extend online relationships beyond the bounds of the social networking site. Paradoxically, MySpace had stronger evidence of new relationship development, despite weaker trust results. One of the explanations was that members have confidence in their capacity to evaluate others - which is the root of the danger in social networks and the source of not only possible social engineering, but also via misjudgement the risk of employees revealing sensitive company data, most likely without even suspecting it.
As I mentioned above, Security is a perception. The bigger the distance between the perception and reality, the weaker you are. It is true in all security domains – but it is much more relevant to the human domain. The problem is you can educate people not to leave a door open, or even not give their passwords to someone else. However, you can’t really educate people to have a better judgement, as judgement is a balanced weighing up of evidence preparatory to making a decision. And the weighing up process is unique per person and depends on both social and educational background.
So what can a company do to protect their employees? Would it be wise to block access to social networks? On the one hand it seems like a right thing to do, as you reduce the time people are exposing themselves. However, by doing so the risk does not disappear – it just becomes “invisible”. If you are the CISO and your management asks you to provide a report on the amount of users who, for example, uses facebook – you can not tell their usage pattern if you blocked access to the site.
My suggestion to tackle social network risk is by a concept I will call collective corporate judgement. The idea is to develop a mechanism that will allow employees to access to social networks during working hours and via training encourage them to protect each other – hence protecting your company asset.
Obviously, a “standard” user awareness program will not fit. Employees should be allowed access to social networks only after passing a dedicated certification process. For the sake of this article, let’s call the certification process CFSN – Cerfified For Social Networks. Employees who will successfully pass the certification exam will be granted access to social network during working hours. The basic idea is simple – Motivate the employees to educate themselves by giving them the opportunity to do something they want to do.
Some points worth being considered for training:
Get management support. Explain the risks the company is facing, the hidden exposure and the possibilities to tackle it.
Involve HR and legal. Ask your legal department to define a legal framework for the training, monitoring, and all enforcement measures. Also, Human Resources (HR) must be highly involved - I can not stress enough the importance of HR involvement in such project - Remember – this is not about technology, it is about people.
The main theme of CFSN should be: The organization views the employees as its biggest asset, and as such, it want to help them be protected.
Communicate that accessing Social networks should not disturb the duties and responsibilities employees have, and that all their actions will be closely monitored. The access to those sites will be of course monitored and will need to be approved on a monthly basis by the employee’s manager.
Employees need to take into consideration that any information provided on the social network should always be viewed by the wider effect it has both on them and on the company. Howard Schmidt (who held important security positions at the US Department of Homeland Security, the White House, eBay, Microsoft, the Air Force and the FBI) saidii he is surprised how people voluntarily expose sensitive information like their vacation schedule and their destination on their facebook profiles, not taking into consideration the information can be easily used to break into their homes.
Turn the employees who were trained to be your become your company new security experts – encourage those employees to make sure that other employees will not expose sensitive information.
Create a process that will allow trained employees to report back anonymously on possible incidents – and then embrace the violator by educating them via training. Reward employees who inform such events and reward employees who removed sensitive information and passed the CFSN training. To many of the people who work in the security domain the last paragraph is painful to read – many of us have a tendency to own “shoot now, talk later” attitude when it comes to handling security incidents. However, security experts must realize that the human domain is a domain which we are most likely not an authority in. As I said before – let HR handle it, and if needed, proceed with legal action against employees who did not responded to your requests.
Trained employees who will be exposing sensitive information will be prohibited access to the social network until the event will be investigated by a predefined process (employee manager, HR and the security organization).
The more employees you will have that will join the program – the more visibility your exposure risks will become, and, with the active assistance of the employees themselves – there will be a constant corrective mechanism to reduce the level of information exposed
Communicate your findings on a periodically bases and let management take ownership of those findings.
Social networks are not going to disappear but more likely will evolve in different directions and be extended in both technological and interpersonal manners. I suggest an approach of handling a possible wrong judgement should not by trying to make sure everyone has good judgement – which could be an impossible target – but by making sure employees will chaperon each other – hence creating a collective corporate judgement mechanism to reduce the risk.
i Dwyer, C., Hiltz, S. R., & Passerini, K. (2007). Trust and privacy concern within social networking sites: A comparison of Facebook and MySpace. Proceedings of AMCIS 2007, Keystone, CO. Retrieved September 21, 2007 from http://csis.pace.edu/~dwyer/research/DwyerAMCIS2007.pdf
ii 18th of March 2008, in "An evening with Howard Schmidt on Information Security" event, ISSA Belgium
Suffix
The article above was written in March 2008. It was submitted it to most security publication. With the exception of one positive reply that asked me to cut it by half and make it more technical I had not received any other comment or reply. I felt the security world is not ready for new approaches, so I sent the article back to the drawers, and waited.
Three years later, the world seems to be a different place. Everyone have facebook presence: individuals, companies, NGOs, even governments. I hope that now people will start to realize that we live in a different world with different rules, and that we must adjust to them in order to preserve our privacy.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.