The convergence is upon us all: this influx of technology intermingled with information, now infused in every possible facet of our business and personal lives. We live in the presence of infinite possibilities through technology. Business is being propelled into new trajectories never before possible. Our social spheres and human interpersonal interactions have all been augmented by the ever accelerating technological reality. While our brave new media world is evolving and pushing forward, there is a common denominator that is struggling to keep up. The singular chink in our armor, the weak link in our proverbial chain, is, much to our collective chagrin:
The Human Element
This reality is not slowing down. On the contrary, it’s moving exponentially faster. Our challenge as business leaders and individuals; as humans in general, is to intelligently manage this paradigm shift as our technological singularity enters its event horizon.
Together we will explore a particular facet of our technological present, specifically our social sphere, and how as technology leaders we can work toward intelligent management. Our business success and our personal preservation depend on it.
Let’s examine in brief detail these facets:
- Social Media: personal and business transformations.
- Marketing Madness: the perils and pitfalls of new media management.
- Intellectual Property: new concerns about user created content.
- Corporate Governance: creating and updating policies and procedures.
- Code School: secure coding and minimizing risks.
- Legal Landscape: the evolution of global laws and regulations.
- The Security Trifecta: sage advice in the real-world.
From the top
It happens so often we almost take it for granted. A company is breached and customer data is stolen, soon to appear on some Darknet market for sale to cyber-criminals anywhere. All too often it is the unfortunate result of access credentials being stolen and used to infiltrate the corporate defenses. This reasonably low-tech attack on our corporate bastions is only successful because it depends on human nature. This social engineering, or more poignantly, human hacking, inevitably leads to enterprise compromise.
A simple key click on a phishing message by your average employee could very well allow the Trojans right into the heart of your business operation and ultimately do immeasurable damage to your brand, your company and your life.
Case in point: the December 2013 Target Corporation breach. The catalyst for that breach began with a simple phishing email message to a third party business partner, in the Target case, a low-tech HVAC company. Credentials harvested there, in combination with publicly available information about Target Corporation vendors and inadequate internal security architecture, spawned the largest recorded data breach of all time.
It is generally acknowledged in the security community that Target has a robust information security program, although I would disagree given that they 1) do not have a CISO, 2) have information security reporting up through the CIO, which is an instantaneous conflict of interest, and 3) thereby prove that Target does not actually take security seriously. Target is, of course, PCI certified, so why did Target fall victim to the typical and far too common low-tech attack vector of spear phishing?
It is still amazing, but always predictable, that the weakest link is going to be human nature. Our natural tendency to share, to trust, to disclose is also our Achilles' heel. The same behavior is what fuels social media and also fuels social discourse across the globe.
It would be natural for anyone to develop a sense of despair given the seemingly at-will occurrence of cyber-attacks and identity thefts. The reality can be something quite the opposite. Through an intelligent application of governance, technological enforcement and vigilance we can indeed dramatically increase our effectiveness in protecting our businesses and our personal privacy.
Who is behind data breaches?
While Target may be doing many of the right things for security, they are obviously not perfect. Information security is an evolving pursuit and there is no such thing as absolute security. According to the United States Secret Service, 96% of all breaches could have been prevented through the proper application of simple or intermediate level security controls. That is a statistic that should give us all hope.
No Borders, No Boundaries
The Internet was conceived with the intention of making communications and transactions easier; mission accomplished. To many people, the Internet and Internetworking appear to be totally open without controls and without consequences. It is as if the world no longer had countries, borders, or boundaries in place to enforce a local set of standards for its citizens.
The reality is quite different. Our networks are all built on systems of control. They all have boundaries. We have the ability to technically enforce these controls anywhere between a state of no control and total control. We establish control to eliminate risks and to facilitate opportunities. When considering risks, these come in the form of human conduct and technological malfunctions. The technological facet consists entirely of technological applications that break down for some reason, or that are out of our control and beyond our ability to predict. The human element is by far the most dynamic but also the easiest to predict. There are some fundamental attributes to consider when you examine this challenge. Just like you see in American police shows, these are the Means, the Motive, and the Opportunity of the individual, or the MMO.
For example, cyber-criminals are increasingly sponsored by governments or criminal organizations now. Under this situation, criminals are provided with the resources they need to wage cyber-war against some external entity. Where once the motives were notoriety, now they are profit and espionage. Cyber-crime and cyber-espionage have become a business and not a novelty pursuit for the technologically talented.
The opportunity for these events to occur increases exponentially with the complexity of the technology systems, networks, and applications we implement. This condition is exacerbated when those same systems' fundamental underpinnings are not maintained adequately. New threats are being discovered regularly and new countermeasures are keeping pace, but only if we maintain these countermeasures. Fortunately we are not alone in this struggle. We have similarities and reasons to pull together for the collective good. Our common challenge brings us together today.
So what exactly are some of the challenges we are faced with as security practitioners? Until very recently, information security was considered by most to be just a niche profession or technological process. This scenario has changed completely in just the past ten years.
Information security had been the realm of Chief No Way Officers and other security technologists who only offered barriers to business. The reality is that information security must be transformed into a business enabler instead of the business inhibitor it has the reputation of being. What do we need to do within our organizations to change this negative situation and turn it into something with positive business value? We get there when we enable business by eliminating risks to business. We get there by eliminating the threats to the line of business.
As business leaders, we must embrace information security within our organizations because not doing so poses a potentially fatal risk to our company. As security practitioners, we must be creative and agile in our professions to identify opportunities for improving the overall security posture we are diligently striving for. We must also understand the language of our customers, regardless of whether they are outside of the company or employees of our company. They have a job to do just like we have a job to do, and when we take the time to understand that, when we take the time to listen effectively, we put ourselves into a position to do the most good and to be more effective at removing those business barriers.
Only when we achieve success in this space will we be able to move forward and advance our vital information security mission.
We live in a globally connected world
Once our marketplace consisted of what were predominantly localized transactions and interactions. Now everything has changed. We conduct business with our partners from anywhere around the globe thanks to digital communication networks.
As with any endeavor in this life, our risk exposure potential increases exponentially with our increase in these activities. Not that taking risks is bad or that increasing our potential exposure is a negative thing, on the contrary! We increase our opportunities and potential by taking risks. The best approach is one that is well informed and with our eyes wide open.
A more recent business risk we are faced with today comes in the form of social media. Business opportunities are being explored using new media with various degrees of success. The challenge for everyone is to “look before you leap” into new media making a good-faith effort to increase business value while reducing business risk.
Social Media: personal and business transformations.
Social media platforms have become an increasingly important means for companies to build and manage their brands and to interact with their customers, in many cases eclipsing companies’ traditional “.com” websites. Social media providers typically make their platforms available to users without charge, but companies nevertheless invest significant time and other resources to create and maintain their presences on those providers’ platforms. A company’s social media page or profile and its associated followers, friends and other connections are often considered to be valuable business assets.
But who owns these valuable assets – the company or the individual employee who manages the company’s page or profile? Social media’s inherently interactive nature has created an important role for these individual employees. Such an employee essentially acts as the “voice” of the company and his or her style and personality may be essential to the success and popularity of that company’s social media presence. As a result, the lines between “company brand” and “personal brand” may become blurred over time. And when the company and the individual part ways, that blurring can raise difficult issues, both legal and logistical, regarding the ownership and valuation of business-related social media accounts.
Such issues have arisen in a number of cases recently, several of which we discuss below. Although these cases leave open a number of questions, the message to companies who use social media is loud and clear: it is imperative to proactively establish policies and practices that address ownership and use of business-related social media accounts.
Case in point: a New York case, Ardis Health, LLC et al. v. Nankivell, more clearly illustrates the fundamental point that companies should proactively establish policies and practices that address the ownership and use of business-related social media accounts.
The plaintiffs in Ardis Health were a group of closely affiliated online marketing companies that develop and market herbal and beauty products. The defendant was a former employee who had held a position at Ardis Health, LLC as a “Video and Social Media Producer.” Following her termination, the defendant refused to turn over to the plaintiffs the login information and passwords for the social media accounts that she had managed for the plaintiffs during her employment. The plaintiffs then filed a lawsuit against the defendant and sought a preliminary injunction seeking, among other things, to compel her to provide them with that access information.
Fortunately for the plaintiffs, they had required the defendant to execute an agreement at the commencement of her employment that stated in part that all work created or developed by defendant “shall be the sole and exclusive property” of one of the plaintiffs, and that required the defendant to return all confidential information to the company upon request among other pretty customary stipulations for breach and remedies.
As far as I can tell from the reported decision in Ardis Health, the defendant’s employment agreement did not expressly address the ownership or use of social media accounts or any related access information. Nonetheless, even the fairly generic work product ownership and confidentiality language included in the defendant’s employment agreement appears to have been an important factor in the favorable outcome for the plaintiffs, which illustrates the advantages of addressing these issues contractually with employees in advance.
Later in our discussion I’ll review Corporate Governance and how companies can put themselves in an even stronger position by incorporating more explicit terms concerning social media accounts into their employment agreements.
Another case in point: in the interest of analysis symmetry, former employers aren’t always the plaintiffs in cases regarding the ownership of business-related social media accounts. In an interesting twist, another case, Eagle v. Morgan was brought by the employee who alleged that her employer had taken over and started using social media accounts that the employee considered to be personal accounts.
Eagle began as a dispute over an ex-employee’s LinkedIn account and her related LinkedIn connections. The plaintiff, Dr. Linda Eagle, was a founder of the defendant company, Edcomm. Dr. Eagle alleged that, following her termination, Edcomm personnel changed her LinkedIn password and account profile, including by replacing her name and photograph with the name and photo of the company’s new CEO. Among the various claims filed by each party, in pretrial rulings, the court granted Dr. Eagle’s motion to dismiss Edcomm’s trade secret claim and granted Edcomm’s motion for summary judgment on Dr. Eagle’s Computer Fraud and Abuse Act (CFAA) and Lanham Act claims.
Regarding the trade secret claim, the court held that LinkedIn connections did not constitute trade secrets because they were “either generally known in the wider business community or capable of being easily derived from public information.” Regarding her CFAA claims, the court concluded that the damages Dr. Eagle claimed she had suffered — putatively arising from harm to reputation, goodwill and business opportunities — were insufficient to satisfy the “loss” element of a CFAA claim, which requires some relation to “the impairment or damage to a computer or computer system.” Finally, in rejecting the plaintiff’s claim that Edcomm violated the Lanham Act by posting the new CEO’s name and picture on the LinkedIn account previously associated with Dr. Eagle, the court found that Dr. Eagle could not demonstrate that Edcomm’s actions caused a “likelihood of confusion,” as required by the Act.
Eventually, the Eagle case proceeded to trial. The court ultimately held for Dr. Eagle on her claim of unauthorized use of name under the Pennsylvania statute that protects a person’s commercial interest in his or her name or likeness, her claim of invasion of privacy by misappropriation of identity, and her claim of misappropriation of publicity. The court also rejected Edcomm’s counterclaims for misappropriation and unfair competition. Meanwhile, the court held for the defendants on Dr. Eagle’s claims of identity theft, conversion, tortious interference with contract, civil conspiracy, and civil aiding and abetting. Although the court’s decision reveals that Edcomm did have certain policies in place regarding establishment and use of business-related social media accounts by employees, unfortunately for Edcomm, those policies do not appear to have clearly addressed ownership of those accounts or the disposition of those accounts after employees leave the company.
Given the repeated theme of inadequate policy language, considering how vital social media accounts are to today’s companies, and given the lack of clear applicable law concerning the ownership of such accounts, companies should take proactive steps to protect these valuable business assets.
For example, companies should consider clearly addressing the ownership of company social media accounts in agreements with their employees, such as employee proprietary information and invention assignment agreements. Agreements like this should state, in part, that all social media accounts that employees register or manage as part of their job duties or using company resources – including all associated account names and handles, pages, profiles, followers and content – are the property of the company, and that all login information and passwords for such accounts are both the property and the confidential information of the company and must be returned to the company upon termination or at any other time upon the company’s request. In general, companies should not permit employees to post under their own names on company social media accounts or use their own names as account names or handles. If particular circumstances require an employee or other individual to post under his or her own name — for example, where the company has engaged a well-known industry expert or commentator to manage the account — the company might want to go a step further and include even more specific contractual provisions that address ownership rights to the account at issue.
In parallel, companies should implement and enforce social media policies that provide employees with clear guidance regarding the appropriate use of business-related social media accounts, including instructions on how to avoid blurring the lines between company and personal accounts. A cautionary note is that social media policies need to be carefully drafted so as not to run afoul of the National Labor Relations Act, state laws restricting employers’ access to employees’ personal social media accounts, or the applicable social media platforms’ terms of use.
Finally, companies should control employee access to company social media accounts and passwords, including by taking steps to prevent individual employees from changing account usernames or passwords without authorization.
Now that we have briefly explored the Company-Employee relationship aspect of social media, let’s dig into corporate marketing.
Marketing Madness: the perils and pitfalls of new media management.
We all know how important analytical data is to our marketing efforts. Without usage data, demographics, logistical data, and so on down a long list, our marketing campaigns will be disappointing.
There is ample legal fodder for us to endlessly examine and debate the fine line between protecting consumer privacy and legitimate business needs. It also becomes a truly hypocritical comparison when you add into the mix what governments do to invade this space despite the prevailing laws enforced on their own citizens, but I digress a bit!
Our technical capabilities, coupled with the general penchant of humans to self-disclose, are forcing a singularity that we leap toward without the prudent prior planning, in favor of being first to market and of early adopters, as is so typical in your average product life cycle. Inevitably there will be growing pains as progress drags regulations and protective measures along for the ride.
Case in point: recently, the Better Business Bureau’s Online Interest-Based Advertising Accountability Program issued its first ever compliance warning, a move that is intended to clarify the obligations of websites where data are gathered for Online Behavioral Advertising (“OBA”) purposes.
The result is that operators of such websites are now expected to ensure that consumers receive “enhanced notice” under the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising, and cannot simply rely in all instances on third parties, such as ad networks, to bring the websites into compliance with the Principles by displaying such notice within OBA ads appearing on the operators’ websites. Failure to meet this requirement can result in an enforcement action by the Accountability Program beginning on January 1, 2014.
The Accountability Program’s compliance warning concludes its investigation into whether a number of websites were in compliance with the Principles as they relate to first-party obligations, that is, obligations for websites with whom the consumer is interacting, as opposed to ad networks and others, which are generally referred to as “third parties” in the Principles.
Simply put, this compliance warning makes clear that under the DAA’s OBA Principles, first parties have a responsibility to make sure that consumers are aware that OBA activities are occurring on the website, whether by third parties displaying it in or around OBA ads on the website, or on pages where OBA ads are not delivered, by the first party itself. Since the Accountability Program will start enforcing this requirement on January 1, 2014, websites that allow third parties to collect information for OBA purposes will need to have in place a separate notice mechanism.
First parties can comply with this requirement by:
(1) using a “clear, meaningful, and prominent link” on the website itself (the “enhanced notice link”— this is separate from the privacy policy link, and can be the AdChoices Icon or a text link); that
(2) takes the user to the first party’s disclosure of OBA activity, such as the specific portion of the first party’s website that addresses OBA activity; which itself must either:
(a) point to an industry-developed Web page such as the DAA’s Consumer Choice Page (e.g., www.aboutads.info/choices); or
(b) individually list all third parties engaged in OBA on the website, with links to the choice mechanisms regarding the collection and use of data for OBA for each applicable third party.
Website operators are now on notice that the DAA’s transparency and choice principles for OBA require more than enhanced notice for the delivery of OBA advertisements. According to the compliance warning, the only way a website operator could be in full compliance without providing the information described above is if OBA ads bearing in-ad notice are served on every page of the website where third parties are also collecting data for OBA and, even then, those in-ad notices would have to provide information on all third parties collecting data on the website.
Contractual provisions giving a website operator the unilateral right to change its end user terms of service are ubiquitous and appear in the online terms of many major social media sites and other websites, including Facebook, Twitter, Instagram and Google. Although amendments to terms of service quite often cause consumers to complain, litigation regarding such changes is relatively rare for now. I think it is safe to assume that this is an area heating up.
Case in point: in Discount Drug Mart, Inc. v. Devos, Ltd. d/b/a Guaranteed Returns, Discount Drug Mart, a distributor of pharmaceuticals, sued Guaranteed Returns, a company that processes pharmaceutical product returns, for Guaranteed Returns’ failure to remit credits due under a written distribution agreement between the parties. Guaranteed Returns pointed to the forum selection clause on its website, which it argued required the parties to bring suit in either Nassau or Suffolk County in the State of New York. This provision appeared in Guaranteed Returns’ online “standard terms and conditions,” which Guaranteed Returns claimed were incorporated into the parties’ written distribution agreement.
The court held otherwise, citing the Sixth Circuit case International Association of Machinists and Aerospace Workers v. ISP Chemicals, Inc. and stating that “incorporation by reference is proper where the underlying contract makes clear reference to a separate document, the identity of the separate document may be ascertained, and incorporation of the document will not result in surprise or hardship.” The court also pointed out that Guaranteed Returns’ purported right to change its standard terms and conditions unilaterally could result in Discount Drug Mart being subject to surprise or hardship. Further, the court noted that there was no evidence that the forum selection clause had been included in the standard terms and conditions at the time the distribution agreement was signed. Thus, the court concluded that the standard terms and conditions were not properly incorporated into the distribution agreement.
It is difficult to say what, if any, precedential force Discount Drug Mart will have. Putting aside the facts that the case was brought in the Northern District of Ohio and was ultimately dismissed on grounds unrelated to this holding, the underlying background of the case was nuanced. First, although the court stated in dicta that “one party to a contract may not modify an agreement without the assent of the other party,” a statement that could be interpreted to mean that unilateral amendment of contracts is never permitted, the holding itself was limited to situations in which terms and conditions are incorporated by reference. That said, even this limited holding may be relevant to many website operators in the social media world, as the larger social media sites often use a network of contracts that reference each other (for example, Facebook’s “Platform Policies” requires developers to agree to the company’s “Statement of Rights and Responsibilities,” which are “requirements for anybody who uses Facebook” and which can be unilaterally modified by Facebook).
Second, the Discount Drug Mart court did not elaborate on the “surprise or hardship” standard, so it is possible that unilateral changes to end user terms would be upheld if the website operator gave proper notice to its end users of such changes in order to avoid causing surprise or hardship. The leading social media platforms currently have different approaches to providing notice of changes to their online terms of use. For example, Facebook provides seven days’ notice (although “notice” here includes posting on Facebook’s site governance page); Twitter will notify users of changes to its terms of service via an “@Twitter” update or through email (but only for changes that Twitter deems to be material in its sole discretion); and Instagram notifies users of its changes to its terms of use by posting them on Instagram. A court could find that notification of changes using one or more of these methods is sufficient to avoid subjecting an end user to surprise or hardship.
Finally, the court seemed to give weight to the lack of any evidence that the forum selection clause was included in Guaranteed Returns’ standard terms and conditions at the time that the parties entered into the distribution agreement. Today, however, most Internet service providers include “last modified” dates in their terms of use. Recording version dates and keeping copies of older terms of use could help a website operator show that a particular provision existed in terms of use at the time that the parties entered into an agreement referencing such terms.
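One way to keep the kind of record the paragraph above recommends, as an added example that is not part of the original article: every published version of the terms is stored with its effective date and a SHA-256 digest, so the operator can later answer "which text was in force on the day the counterparty signed?" and "did this clause exist in that version?" The dates, clause wording and version texts are constructed sample data.

```python
"""Versioned terms-of-use record keeper (added example, not from the article).

Each published version is kept with its 'last modified' (effective) date and
a SHA-256 digest of the exact text. Given a contract signing date, the history
returns the version in force that day, can say whether a clause was present,
and can re-verify a digest recorded in the contract file against the stored
text. All sample text and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
import hashlib


def _as_date(day):
    """Accept a date or an ISO-8601 string such as '2012-09-01'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


@dataclass(frozen=True)
class TermsVersion:
    effective: date
    text: str
    digest: str = field(init=False)

    def __post_init__(self):
        # Digest is computed from the exact bytes so any later edit is detectable.
        h = hashlib.sha256(self.text.encode("utf-8")).hexdigest()
        object.__setattr__(self, "digest", h)


class TermsHistory:
    def __init__(self):
        self._versions = []  # kept in chronological order

    def publish(self, effective, text):
        """Record a new version; versions must be appended in date order."""
        effective = _as_date(effective)
        if self._versions and effective <= self._versions[-1].effective:
            raise ValueError("versions must be published in chronological order")
        version = TermsVersion(effective, text)
        self._versions.append(version)
        return version

    def in_force_on(self, day):
        """Return the latest version whose effective date is not after `day`."""
        day = _as_date(day)
        current = None
        for version in self._versions:
            if version.effective <= day:
                current = version
            else:
                break
        return current

    def clause_present_on(self, day, clause):
        """True if the version in force on `day` contains `clause` verbatim."""
        version = self.in_force_on(day)
        return version is not None and clause in version.text

    def verify_digest(self, day, expected_digest):
        """Check a digest recorded at signing time against the stored version."""
        version = self.in_force_on(day)
        return version is not None and version.digest == expected_digest


# Constructed sample: a forum selection clause that only appears in a later version.
FORUM_CLAUSE = "Any dispute shall be brought exclusively in the courts of Example County."

def build_sample_history():
    history = TermsHistory()
    history.publish("2012-01-15", "Standard Terms v1. Credits are remitted quarterly.")
    history.publish("2013-06-01", "Standard Terms v2. Credits are remitted quarterly. " + FORUM_CLAUSE)
    return history


if __name__ == "__main__":
    h = build_sample_history()
    signed = "2012-09-01"  # constructed signing date of the distribution agreement
    v = h.in_force_on(signed)
    print("in force on", signed, "->", v.effective, v.digest[:12])
    print("forum clause present then?", h.clause_present_on(signed, FORUM_CLAUSE))
    print("forum clause present a year later?", h.clause_present_on("2013-09-01", FORUM_CLAUSE))
```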
Discount Drug Mart does not necessarily provide any clear guidelines that online service providers must follow for their online terms to be valid and enforceable. Because the court based its holdings on specific factual circumstances and provided little insight into its reasoning, it is unclear at this point whether other courts will follow this opinion and impose limitations on companies’ rights to unilaterally change their online terms of service under different circumstances. However, given the legal precedent on the subject, it will likely behoove companies that incorporate their online terms into other documents to consider re-evaluating their amendment and notification practices to minimize any chance of subjecting end users to “surprise or hardship.”
Intellectual Property: new concerns about user created content.
The days of bring your own device (BYOD) are here and that adds a layer of consideration and complexity for privacy, security, intellectual property, and safety we must all now be examining. The big question is where do all of these technology translated messages and queries live once they have served their human users? Does this information expire immediately once the response has been given? Who owns this data created by the individual?
The third-party doctrine holds that the information that individuals disclose to businesses, credit card transactions, phone records, etc., doesn’t carry with it a “reasonable expectation of privacy” under the Fourth Amendment, as one has “assumed the risk” that this information might at some point be disclosed. Technological innovation has meant that this third-party doctrine has vastly expanded the government’s surveillance powers.
For example, when you buy a book, join a political e-mail list or read a website, a third-party record is created. Even the contents of your private messages or files stored in the “cloud” aren’t really yours, according to this doctrine. Federal law allows them to be obtained without a search warrant in many circumstances. Those old phone logs, meanwhile, have become far more revealing with the advent of cellular technology, which can track your geographical movements in increasingly precise detail.
The result is that a vast array of private information that would previously have required a physical search, and therefore a search warrant, to obtain is now available under a far lower standard. And much of that data concerns domains of speech and intimate association traditionally held to be protected by the First Amendment as well.
At least one prominent jurist, Justice Sonia Sotomayor, has suggested that “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties,” an extremely encouraging development.
The clear and present message here is that while we jump right into BYOD and social media, if you are interested in protecting the privacy and intellectual property of both the company and the individual, safeguards must be implemented, awareness education needs to be effective, and we, as technologists and consumers alike, must open our eyes.
Corporate Governance: creating and updating policies and procedures.
I embrace technology just as much if not more than most in part due to my vocation and avocational pursuits. The event horizon is in front of us and as individuals who use technology and as professionals who manage technology, you have the right and responsibility to understand the implications when opting to utilize these amazing applications.
It is a rare occasion within the workplace that our employees are not equipped with a full complement of communication tools like email, instant messenger clients, BYOD, browsers and other collaborative tools that connect them to the outside world. The simple question in my mind is “who decided that the employee masses needed or actually require these communication tools to complete their worker-bee missions?” Going to work should be for work and not unfettered access to all technology and the plethora of permutations we all enjoy off the clock.
I once mentioned during an executive security briefing that “I could not fix stupid but I could prevent it.” While that statement may be harsh, the sentiment is simple; humans are easily tricked into interacting with malicious technology. The challenge is to eliminate as much risk as we can without damaging legitimate business essentials. Part of the new-world-order business risk assessment should include whether or not my employee actually needs collaborative tools to communicate with the outside world. Inevitably some human will drop the ball no matter how much training we provide or how many technical controls we implement.
Traditionally, we install really expensive security countermeasures that keep the company secure most of the time but not all of the time. Remember, there is no such thing as absolute security! We logically eliminate the cost of technology, human resources, and breaches when we take away the vectors that our employees do not require to legitimately get the job done. We secure that breach vector completely by eliminating it.
Returning to my earlier statement that I could not fix stupid but I could prevent it: instead, we should say “Intellectuals solve problems, geniuses prevent them.” Albert Einstein said it more eloquently than I did.
I’ve been part of the debate with other executives particularly ones from Human Resources who are faced with the challenge of recruiting talent. Talent that may be in short supply and talent that may not be locally grown are significant obstacles for a company to overcome. To make the company’s opportunity more attractive the obvious attractors such as salary, bonus, relocation assistance and other perks are measured out in closely calculated amounts. The growing trend is to add other corporate benefits such as unfettered access to social media, BYOD, teleworking, and extremely relaxed attire.
Once you make the business decision to establish what employees can and cannot do while representing the company during their working hours, codifying these decisions into concise policies and procedural documents is the next and best step along the way toward instituting a correctly implemented information technology and security program. Governance is the first foundational tenet of The Security Trifecta.
Without order, we have disorder
How do we begin implementing order from the technological chaos many of our corporate infrastructures are made of? Through governance activities, which are the written word: the law, or policies and procedures!
Information technology and security policies hold a special place within the enterprise. Just as our technological implementations have risen in importance, supporting the majority of our business processes today, the need for standards, policies, and controls has become obvious. With a plethora of technological permutations touching every aspect of our lives and business activities and driving this change, the bedrock of our governance activities must remain agile as well. Without order, we have disorder. Rules must be established so boundaries remain defined. The rules of the road were established to keep us safe so that we arrive alive. Other facets of our lives have rules in force that help increase efficiency, decrease risk potentials, increase accountability and protect the innocent. The logical conclusion from a technological standpoint is that governance activities are vital to our success.
The single biggest problem facing corporate information security can be directly traced back to the lack of well-defined corporate information technology and security policies. Again, referring to the United States Secret Service breach report, 96% of all breaches could have been prevented through the proper application of simple or intermediate level security controls.
This is in part what I wrote about in one of my books, Governance Documentation and IT Security Policies Demystified. It establishes the baseline for everything we are trying to do.
Code School: secure coding and minimizing risks.
We use technology to translate our business objectives and our social media experiences, and it touches nearly every facet of our lives today. This trend is nothing new and its trajectory is only accelerating. The one facet of a software development life cycle or a product development life cycle that is often overlooked is security. While the SDLC process is mature, the inclusion of security in it is not. Again, like most technological advancements, we drive ahead generally not considering too many consequences or possibilities for the occasional crash.
For example, do you realize that it’s been only about 50 years since the government required car manufacturers to include seat belts in cars? I’ve asked myself the question “When they created a car for sale did they consider what would happen if the driver were in a crash?” Did they have any ideas about how they might prevent occupants from becoming projectiles?
While this seems so obvious to us today, it’s essentially the same faulty logic we use with all technological advances, including the software we depend on. Does anyone really consider the potential risks to the consumers and the company alike prior to laying down the first layer of code? We are getting better, and I can cite the glaring differences between two popular operating systems: Windows and Android (or iOS for you Apple fans). We have come to accept “patch Tuesday” from Microsoft because Windows was built without seatbelts. Android and iOS are just the opposite.
When you develop your new business systems, social media platforms or some application to propel business forward, please ensure that secure coding and application security testing are an integral part of your software development life cycle before you turn your consumers and company into projectiles because you didn’t think about those seatbelts.
Legal Landscape: the evolution of global laws and regulations.
In the United States there is a legal principle known as “The Voluntariness Test” which, in terms of its underlying values, was introduced to evaluate and potentially bar the admission of a confession of doubtful reliability due to the practices used to obtain it. Even when reliability is not in question, the admissibility of a confession is questioned if offensive police practices were used to obtain it, or if it was obtained under circumstances in which the defendant’s free choice was significantly impaired, even if the police did not resort to offensive practices.
In addition, if adequate Miranda warnings (recall “anything you say can and will be used against you in a court of law”?) are not given prior to a custodial interrogation, incriminating statements made by the accused are ordinarily inadmissible in the prosecution’s case in chief. A voluntary confession obtained in violation of an accused’s right to adequate Miranda warnings, however, may be used to impeach him should he testify at trial. In my experience, it is evident that the Miranda Court emphasized that there is no requirement that police stop a person who enters a police station and states that he wishes to confess to a crime, or a person who calls the police to offer a confession or any other statement he desires to make.
Volunteered statements of any kind are not barred by the United States Constitution’s Fifth Amendment, and their admissibility is still not affected today. It is very clear that statements not preceded by Miranda warnings will be admissible when, for example, the defendant walks into a police station and confesses, or blurts out an admission when approached by an officer near a crime scene.
When I investigate computer crimes or identity theft or electronic credit card fraud, I don’t limit my hunting and gathering to just the system affected, but I troll the social networks and my business networks looking for associated clues to the perpetrator’s identity. Honestly, it is a rare occasion that someone is able to elude being identified and prosecuted. There are so many points of record along the electronic super-highway that dusting all of your tracks is nearly impossible. Your best bet is to get lost in the electronic crowd, obscured by the other noise. The “good guys” and “bad guys” use the same tools and tactics. You had better believe that I can answer many of those “secret” security questions such as “your mother’s maiden name” because she is one of your Facebook friends and she told me herself, or what high school you graduated from, or that birth date, or even that adorable pet’s name. It’s all there for harvest time.
Case in point: This past year we have been hearing about a criminal assault that perpetrators call “The Knockout Game,” the violent practice in which young people try to randomly knock out strangers with one punch. Some of the assaults are recorded and posted on social media by the attackers. A problem with posting these attacks on social media, as experience shows, is that other kids will see this is an easy thing to do and then it becomes groupthink or mob mentality. The upside to perpetrators posting these crimes on social media is that it becomes a voluntary confession.
Another case in point: A recent news headline described a case where the former head of a private preparatory school in Miami, Florida is out an $80,000 discrimination settlement after his daughter boasted about it on Facebook, breaking the confidentiality contract of the settlement.
Again, we have an example where social media is used to share illegal or other objectionable information. The interesting phenomenon is again the human desire to disclose information or to behave in ways that in physical settings would probably not transpire so easily as they do in social media conduits.
The Security Trifecta™: sage advice in the real-world.
Let’s explore The Security Trifecta.
There is a way forward to a successful cyber defense. At a high level, it is crucial we apply a three-phased approach to security through governance, technological enforcement, and vigilance. I’ve referred to this approach as The Security Trifecta™ in my books and publications to raise awareness of a sustainable and fundamental process to reduce cyber threats to your organizations. It is vital for everyone here to collaborate with our information security comrades. I am one of your resources. Anyone is welcome to share ideas and questions with me and you bet I will do the same.
Top Down Governance
At the very top of the governance structure you must set the pace for everything else that follows. With the Internet, we are all members of international organizations. Think like an international organization and begin with an international standard such as the ISO 27001 and 27002 information security standards.
We all know by now that our security efforts will generally fail without the support of senior management. The same top down principle applies to our governance documentation and program. At the very top level, we need to set the tone for everything that follows. A corporate IT security charter and IT security policy accomplish this need. From there we make the decision to model our standards after a particular security framework or standard.
What I’m going to share with you right now is a deeper dive into the distinct facets of a holistically applied governance program. I go into great detail about this in one of my books.
The Asset Identification & Classification category defines company objectives for establishing specific standards on the identification, classification, and labeling of company information assets.
You must know where you are going in order to get there efficiently. You need to discover what your critical assets are, what their value is, and how to rank their priority for protection before you do anything else. For example, confidentiality classifications are important so that information is not improperly handled. You may have company information and intellectual property that would be restricted access, or confidential access, or internal use only, and even publicly available information classifications. By determining up front what your information classifications are, you will get a better idea on what protective measures are required. We all like names don’t we? Once you have decided how to classify something, make sure a label of some form is attached to it. This might be a physical tag or it might be an electronic tag. In either situation, it provides a mechanism to manage your business assets through the use of technology or process.
Consider data integrity for a moment. When sharing or transmitting information to another person, which could be in the form of a business transaction or a simple file transfer, how do you ensure that your data is not corrupted or tampered with by another person? There are encryption and other data tampering protective technologies available today to help with integrity.
Let’s consider data availability. Information is useless if it is not accessible to the people it is intended for. When you ranked the importance of your information assets, you decided how critical it is to make it available. Maybe something is so valuable that you cannot afford to have it offline for an extended period of time. These factors will go into your decisions.
The Asset Protection category defines the company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of company information assets.
The Asset Management category defines company objectives for establishing specific standards for the management of the networks, systems, and applications that store, process and transmit company information assets.
We are now looking at a whole batch of activities revolving around controlling configurations of the technology controls you have implemented already. The enemy of operational stability and information security is effectively change. Not that change is a bad thing, quite the contrary, but we must be aware of the challenges it brings so that change is managed effectively. Change will most often be associated with software or system development life cycles. Consider the implications for a moment. If you develop software or deploy new technology, it all introduces new benefits and new challenges.
These have so far all been enterprise level standards that you control.
The Acceptable Use category defines company objectives for establishing specific standards on appropriate business use of the company information and telecommunications systems and equipment. The acceptable use category is all about what our end users have control over. Certain usage activities such as Internet traffic, email usage, telecommunications, social computing, and software usage all play a part in The Security Trifecta.
A user has the choice to behave inappropriately while using the company’s technology assets. An employee does not have a choice in how complex their password is because you have established an unbending standard defined in your asset management activities. When misconduct occurs, you need employees to know how to report it and to do so without being concerned about management reprisal.
The Vulnerability Assessment and Management category defines the company objectives for establishing specific standards for the assessment and ongoing management of vulnerabilities. When I refer to vulnerability assessment and management, I am talking about the actual task of assessing security risks and the actual management of those risks. Security vulnerabilities continue to emerge on a regular basis, and if we are not vigilant in the identification, remediation, and even compensation of those risks, we increase the risk to our enterprise, not to mention the people who depend on our work, whether they realize it or not.
The Threat Assessment and Monitoring category defines company objectives for establishing vigilant standards for the assessment and ongoing monitoring of threats to company information assets. The latest buzzword in the business is threat modeling, which is really just a fancy term for placing a value on our business assets and making determinations about potential threats to that intellectual property or business asset.
The Security Awareness category defines Company objectives for establishing a formal Security Awareness Program, and specific standards for the education and communication of the Information Security Program Charter and associated policies, standards, guidelines, and procedures.
The final task you have in the governance domain of The Security Trifecta is security awareness. When I talk about awareness, the essence is really about educating the users of your business technology and resources on the rules you have implemented. Make sure that your awareness campaigns include new hires, ongoing employees, and third party users.
Now that we have the foundation of our information security program built upon the written word, what next? How do we enforce these rules effectively? With technology and technological controls that enforce our policies of course!
Within the technological environments of any organization, some facets of technology are hardcoded and enforcement of those business rules is unbending. In other instances, employees or other individuals using those systems have a degree of latitude to make decisions on the usage of that particular technological permutation. Some technology implementations allow the end user to exercise greater choice and control, whereas others strictly enforce our standards, eliminating the human error element from the mixture.
If you think that absolute security exists, you would be absolutely incorrect. Speaking as a security practitioner who has been in the business for as long as there has been a security business, I’ll tell you with a straight face that no technology system exists that is completely secure or one hundred percent impenetrable. The reality is that security is a process of risk identification, mitigation and vigilance. It is incumbent upon both the security professional and the supporting leadership to first identify what must be protected, in order of priority. The second phase is to mitigate or otherwise offset the risks by using technological tools and procedural changes that are institutionalized. Finally, there is vigilance to keep ahead of the threats that exist. This involves personal education in any form, be it formal or self-guided, and the discipline to carry through the charter we pledge to adhere to as security professionals.
It has become commonplace for security vendors and security professionals alike to claim absolute security. The snake oil sellers will tell you they can keep you safe. However, logic dictates that no solution is perfect or lasts forever. Everything made is fallible. Security is a process; it is an integral part of our business. Just like any business process, security must be updated, tweaked and tuned. The consequences of not adhering to this philosophy are potentially catastrophic. Many organizations and security professionals are running on borrowed time. I’m not prophesying that there is no hope for security. Quite the contrary! What I am suggesting is that a healthy dose of reality be introduced into the mixture. Collectively, we must understand that mitigating risks is more important than mitigating fear with a false sense of security.
Security threats will never go away and the challenge bubble will only get bigger until we either proactively or reactively adapt to it. Our world is globally connected and increasingly interactive through technology. I challenge security and business leadership alike to join together at the same table and leverage each other’s strengths for the collective good. No more myth propagation, no more corner cutting for the sake of expediency or marginal gain, no more discounting the importance of security to business and individuals alike. The key is to implement standards that are holistic enough to establish the organization’s command-and-control while remaining agile enough to adapt to the natural progression of technological permutations. You will want to avoid being too restrictive and too specific because this will introduce unnecessary loopholes which will be taken advantage of by employees and third parties alike. You must find the point of technological equilibrium that balances the maximum level of information security without negatively impacting the core business processes that you are protecting. Security should not be a barrier to business, but an enabler of business.
Now that we have the governance structure instituted and the technological controls implemented to maintain our corporate utopia, what is next? Are we at the place where we get to congratulate ourselves and take a long vacation? Sorry, but for security leaders I don’t foresee a long vacation on your horizon, which brings me to the Vigilance part of The Security Trifecta.
The reality is that nothing works very well without teamwork. Controls and standards break down without careful tending, just as weeds take over our gardens without vigilance. We must regularly review our security standards, validating their relevance, and we must remain agile to adapt to the changing business landscape, putting into practice carefully considered revisions to our ongoing security program.
We must always strive to be proactive, not reactive in our pursuit of information security excellence. What are the activities that comprise the vigilance part of The Security Trifecta you may ask? Let’s examine the vigilance life cycle.
There is nothing perfect in this world that people have made or accomplished. That being said, it is incumbent upon us to monitor our creations. Information is your friend, and the more information you collect, the better understanding you will have of what you are protecting. You need to test your own systems so that you discover problems before the criminals do. Next we investigate any problems we discover through our monitoring and testing activities. This is a vital part of verifying that our controls work properly, and it is a vital part of your ongoing education about what you are protecting. Oh, yeah, it is time to test our controls again. Now that we know more about our systems, we can test them more effectively. There will always be improvements or areas that need to be repaired from time to time, so now it’s time for remediation. The knowledge you have gained so far about your systems will help you improve them. I bet you cannot guess what comes next in our vigilant life cycle? That’s right, testing. We need to test our fixes and improvements, right? Now that we know a lot about our systems, it is a good time to help others understand how they are affected by them through awareness education activities. When we help others understand why we do the things we do and they see the relationship to how they do their work, most of them will begin to increase their support for you and your mission. Information security knowledge should not be suppressed, but shared. So how do we know if the people and companies we are protecting really understand what needs to be done? Take a guess... here it comes... you guessed it... by testing them!
Without order, we have disorder
All of these facets are completely within our power to implement. For example, start by conducting an IT security risk assessment of your organization. If it is a governance document or policy we need, implement it and make everyone in the company aware that it exists through awareness campaigns and employee or third party signature acknowledgements. If it’s a technological control that we need, use your IT risk assessment data to calculate the annualized loss expectancy (ALE) before you seek approval from the CFO for your project. You will need to speak the business language in order to increase your success rate when promoting security technology. If it’s vigilance we need, make schedules that you and your team are measured on. Automate what you can and develop manual processes that are sustainable for the rest. Test your controls before some hacker or rogue employee does. Putting in a plan is your key to success.
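As an added example (not the article's own material), here is the arithmetic behind two of the steps described above: ranking assets for protection by what they are expected to cost per year (the Asset Identification & Classification point), and putting the ALE reduction of a proposed control beside its annual cost for the CFO. The register entries, control costs and residual rates are constructed, and the formulas used (SLE = AV × EF, ALE = SLE × ARO, and return on security investment) are the standard quantitative risk ones rather than anything the article spells out.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    """One line of an IT risk register (all dollar figures are constructed samples)."""
    asset: str
    asset_value: float       # AV: what the asset is worth to the business
    exposure_factor: float   # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float               # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy: the cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE times how often it happens per year."""
        return self.sle() * self.aro


@dataclass
class Countermeasure:
    """A proposed control and the residual risk the assessment expects after it."""
    name: str
    annual_cost: float                # licences, hardware and staff time, per year
    aro_after: float                  # residual incident frequency with the control
    ef_after: Optional[float] = None  # set when the control limits impact, not frequency


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """ALE that remains once the control is in place."""
    ef = risk.exposure_factor if cm.ef_after is None else cm.ef_after
    return risk.asset_value * ef * cm.aro_after


def rosi(risk: Risk, cm: Countermeasure) -> float:
    """Return on security investment: (ALE reduction - annual cost) / annual cost.

    A positive value means the control saves more per year than it costs.
    """
    reduction = risk.ale() - residual_ale(risk, cm)
    return (reduction - cm.annual_cost) / cm.annual_cost


def prioritize(register: list) -> list:
    """Rank asset names for protection by ALE, highest first."""
    return [r.asset for r in sorted(register, key=lambda r: r.ale(), reverse=True)]


# Constructed register for a small company; none of these figures come from the article.
REGISTER = [
    Risk("customer database", asset_value=2_000_000, exposure_factor=0.25, aro=0.2),
    Risk("field laptops", asset_value=150_000, exposure_factor=0.10, aro=2.0),
    Risk("public website", asset_value=400_000, exposure_factor=0.05, aro=0.5),
]

# Constructed controls: one cuts how often the database is breached, the other cuts
# what a lost laptop leaks while the loss rate itself stays the same.
DB_CONTROL = Countermeasure("MFA + database activity monitoring",
                            annual_cost=30_000, aro_after=0.05)
LAPTOP_CONTROL = Countermeasure("full-disk encryption",
                                annual_cost=6_000, aro_after=2.0, ef_after=0.02)


def cfo_summary(risk: Risk, cm: Countermeasure) -> str:
    """The one-line business-language sentence to put in front of the CFO."""
    return (f"{risk.asset}: current ALE ${risk.ale():,.0f}/yr; with '{cm.name}' "
            f"(${cm.annual_cost:,.0f}/yr) residual ALE ${residual_ale(risk, cm):,.0f}/yr, "
            f"ROSI {rosi(risk, cm):.0%}")


if __name__ == "__main__":
    print("protection priority:", ", ".join(prioritize(REGISTER)))
    print(cfo_summary(REGISTER[0], DB_CONTROL))
    print(cfo_summary(REGISTER[1], LAPTOP_CONTROL))
```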
In closing
We push forward, and security, privacy and risk are still predominantly the afterthought. While this is improving, much of the responsibility still rests on the end users and the implementers. I’ll leave you with some simple suggestions to navigate the new social media security landscape. These suggestions are in no way a comprehensive set of recommendations.
For Businesses
Implement appropriate governance: leverage resources from legal departments, IT security departments, Human Resource departments, and Social Media and Marketing departments to create a highly inclusive policy for employees and consumers that will address all concerns and regulatory demands.
Information security executive leadership: it’s vital for the corporation’s success to hold security and privacy as important as any other facet of IT, risk management, compliance, etc. The appropriate reporting structure for a CISO is as a peer to the traditional CIO. Security must be objective and independent to be effective. Your security executive must have the authority to prosecute their responsibilities.
Implement awareness training: all employees and business partners alike must receive training on the proper and secure method of utilizing the corporation’s technology resources.
Conduct IT risk assessments: more than 60% of all companies do not do this and a heavy percentage of those who claim they do are not doing it correctly. Engage a reputable provider for objective risk assessments. Most threats to your business will be eliminated by doing this regularly.
For Consumers
Facebook, Twitter, Google+, YouTube, Pinterest, LinkedIn and other social networks have become an integral part of our online lives. Social networks are a great way to stay connected with others, but you should be wary about how much personal information you post.
Privacy and security settings exist for a reason: Learn about and use the privacy and security settings on social networks. They are there to help you control who sees what you post and manage your online experience in a positive way.
Once posted, always posted: Protect your reputation on social networks. What you post online stays online. Think twice before posting pictures you wouldn’t want your parents or future employers to see. Recent research found that 70% of job recruiters rejected candidates based on information they found online.
Your online reputation can be a good thing: Recent research also found that recruiters respond to a strong, positive personal brand online. So show your smarts, thoughtfulness, and mastery of the environment.
Keep personal info personal: Be cautious about how much personal information you provide on social networking sites. The more information you post, the easier it may be for a hacker or someone else to use that information to steal your identity, access your data, or commit other crimes such as stalking.
Know and manage your friends: Social networks can be used for a variety of purposes. Some of the fun is creating a large pool of friends from many aspects of your life. That doesn’t mean all friends are created equal. Use tools to manage the information you share with friends in different groups, or even have multiple online pages. If you’re trying to create a public persona as a blogger or expert, create an open profile or a “fan” page that encourages broad participation and limits personal information. Use your personal profile to keep your real friends (the ones you know and trust) more synched up with your daily life.
Know what action to take: If someone is harassing or threatening you, remove them from your friends list, block them, and report them to the site administrator or even law enforcement.
As you might imagine, what I have covered is just the tip of the proverbial iceberg! I’m always happy to continue the conversation so feel free to reach out to me.