“Mom always said, don’t play ball in the house.” Do you remember that episode of the Brady Brunch? It’s the one where Peter is playing ball in the house, and the basketball comes bouncing down the stairs and hits the vase in the family room. They replayed and replayed the scene and then in slow motion. I keep seeing this scene in my head every time I hear another story on IT security professionals warning companies and users to be vigilant when it comes to securing systems and computing smartly. It’s like a broken record, but somehow with the next new “thing” we tend to forget all that we learned the first time around. Remember the 90’s when no one was really thinking about security? There was Windows 98 and later WindowsXP with all its Service Packs. Then Microsoft came up with the initiative Trustworthy Computing in 2002 to realign their mission around protecting users’ data. And then there was Vista in 2006 with “enhanced security” features. As users, we’ve learned not to click on attachments from people we don’t know in email. We’ve learned that the uncle in Nigeria that needs our money isn’t really our uncle. As time has gone by we were starting to be trained on security principles and practices, but seem to have slipped. What makes us so trusting of all the new tools? I wonder every time I post something on Twitter whether it’s safe. I think about what I post, not only about where the data is being stored, but who is on the other end of the cloud lurking? What about the people that post that they’re traveling or on vacation? This isn’t safe, a savvy burglar could be reading your tweets and you’re just inviting them in. Remember when “they” used to tell us not to leave a message on our voicemails saying “Hi you’ve reached Leigh Anne and we’re not home right now, so leave us a message.” People stopped doing this because it was an invitation to rob their house. It’s the same principle, just a new tool. Why is it that we forget?
For companies, it means more money and time. For users, it’s not “fun,” it’s someone else’s worry. As a former IT security consultant, wearing the security hat is just as bad as wearing the auditor hat, no one likes to see you coming. In regards to companies, upper management doesn’t want to listen because what the security professionals recommend would only cost more money and time. What’s funny is it always costs much more money and time on the other end if you get hacked or IP is leaked. In speaking to users, people don’t want to hear about the potential bad things, they only want to hear about what new and shiny functionality the gadget is going to do. (Bringing up security issues in my marketing/communications course makes me feel like an old fuddy-duddy.) But all the fun will be gone if we don’t consider the ramifications of not securing our data. It only takes one time, and all of a sudden, companies are scrambling to institute security policies and measures and users are demanding it. And the security guys are sitting there thinking why don’t we ever do this proactively?
Well, I’m seeing this security lifecycle happen all over again, kinda like Peter’s ball falling down on the vase. We have a new “thing” we’re all enamored with and security and all that we’ve learned has gone out the window. That “thing” is social networking. We have so many tools right now that we are signing up for and sharing this tidbit about ourselves and that tidbit. Do you know anything about the companies behind those tools and what their security practices are? Believe me, I’m right there with you. I’m a student of social media so I continue to use and get excited about the newest cloud gadget, but in the back of my head I’m thinking “another password, another possible security breech, who’s on the other end of the cloud, how secure is the server that my data is going to sit on?” I don’t think the typical user thinks like this, but I’ve had my whole professional career working in security and seeing the bad things that can happen if these questions aren’t answered so it’s ingrained in me that I’ve become paranoid. Obviously, I force out the voices in my head or I wouldn’t be on all the tools I’m on, much less the internet J . But can I really trust the companies running these sites with my data?
I had a conversation with an individual from a company that runs one of these “new tools” regarding a potential job opportunity. I was explaining my security background and that I thought I could be an asset in helping with securing their infrastructure. He told me that management wasn’t really interested in security at this point, it was all about getting more users! Well then what happens when the inevitable occurs, you’re hacked and you lose the trust of all those users? Hmm, thinking ahead might be something to consider. Take for instance what happened over the last few weeks at Twitter. Wow, hello there, do you think they are now reconsidering a little security policy? Probably so.
Let’s take this to another level. We’ve discussed security on individual social media tools, but what about cloud computing? Amazon and Microsoft are starting to offer companies services to host their data and infrastructure in the cloud. Is that data safe? Who’s responsible for that data? Microsoft and Amazon? The company that “hired” Amazon and Microsoft to host the data? Are they thinking about this or just worried about getting more users on it, putting the security questions off to deal with when something actually happens? Who is securing the cloud?
Just like with companies, I think it’s going to take a breech in security that affects the actual user before people start to realize how important security is to the way we are doing business, communicating and living our lives these days. What I mean is a breech in security that affects a multi-million dollar company in the news doesn’t really hit home with people. It’s not tangible because it doesn’t affect them. It’s like when something horrible happens half way across the world, most people can’t relate. They don’t internalize it until it happens close to home. This is the same thing. Until a security breech happens and your family photos, your witty statuses, your snarky comments are stolen and posted all over the internet you don’t care. But when that one time occurs, I bet your eyes will be wide open to security. Now more than ever we need to be aware of security practices, in our personal lives and our business lives. (Which are merging, but that’s a whole other post)
As I study marketing/communications, web analytics, and social media, I see more and more people and businesses throwing caution to the wind and not even considering the security aspects of this new way of communicating. Those relationships and that community your PR team built, that branding your marketing group created, your company’s reputation, those campaign metrics aren’t going to mean anything if you don’t have the trust of your users.
Once again, as most of my posts discuss, it comes down to trust. (Wow, I think I may have trust issues!) Do you trust the companies behind the tools you’re using with your data? We’re not talking about the data of some big company off in some city that we read about in the Wall Street Journal, we’re talking about YOUR data.
So what are your thoughts, do you consider where your data is being stored and who sees your data?
You're right. It's all fun and games until your personal data is affected. Whether it's in "the cloud" or an "on premise" computer system security breaches are big business --- for both the white hats and the black hats.
ReplyDeleteFrom what I have seen the legal agreements users and corporations agree to for cloud based services put most, if not all, of the responsibility for security on the user. The company providing the services are off the hook. There is a lot of logic in this --- primarily because the same issues that affect on-premise systems also affect cloud based services. I've seen a few reports indicating that the number one issue leading to security breaches are weak passwords. If people leave the doors unlocked in the physical sense or electronic sense they should expect that someone with a little persistence will find a way to their door.
With that said --- I still expect firms providing cloud services will provide a solid base level of functionality for performance, data management and yes --- data integrity.
Also, I liked the reference to The Brady Bunch. The episode you mentioned and so many others defined so many of our perceptions in the 70's. Fortunately we've grown past many of them - not the least of which is Johny Bravo.
Hi Leigh Anne, the Twitter hack gave me some major pause too. I have some things stored in the cloud, supposedly behind closed doors, but this does become more and more of a concern.
ReplyDeleteA couple thoughts - first, I think social sites and SaaS sites have very different security issues. When I approach most social sites I do so by only revealing things I wouldn't mind that the whole world know. Twitter is that way for sure, and even my more private activity on Facebook still wouldn't do me much damage if it leaked out. I think anyone who is putting any sensitive material on social networks is asking for trouble. Added opportunities to shoot yourself in the foot are provided by technologies like Facebook Connect, where you can give a startling amount of access to a virtually unknown site with one click. This is compounded by the ownership issue, which is cloudy at best. Social network TOS's make re-use of content in their clouds a real possibility (see the recent Facebook flack over TOS).
In terms of more legitimate cloud hosts, who are providing SaaS - like 37signals, Google, etc. - I think they are better about security but concerns still remain - obviously Google Docs was hacked in the Twitter case. But the hack was like most hacks, it happened because someone at an incredibly high-profile company was using a weak password. Not Google's fault, just poor security practices that could get you into trouble whether you're in the cloud or not.
Thanks for keeping our eye on this ball, or the basketball in this case. :)
@jeff and @doug Thank you both for your perspectives. It has allowed me to get more clarity on the issues and has reinforced the idea that there are at least 2 levels in which we need to approach the security problem, 1) social sites 2) SaaS sites. I agree that in regards to social sites it comes down to the user and their "security" practices such as using strong passwords and being discretionary on what they post. I do think the corporations running these sites still need to have a minimum security framework for their infrastructure as well. SaaS sites though are a different matter, and I think if enterprises are going to trust the SaaS providers with their data, security is going to need to be a major consideration. For both cases, as with all security, the system is only as strong as the weakest link, which normally comes down to the human behind the keyboard.
ReplyDeleteRegarding the Twitter "hack" it was more to do with hotmail recycling old email accounts and the info the hacker found out on the internet than breaking a password. So, one can be a "savvy" social network user and not post information that is sensitive in nature, but if someone really wants to use your data for illegitimate reasons how do you know they can't use your non-sensitive data against you.
This is what happened in the case of the Twitter "hack." The guy went around and looked for info that was in the public about the Twitter employees. He went to Gmail and used a Twitter employee's email as the username and then clicked on the "Forgot Password" link. He then gets a window that says the password has been sent to your secondary account. To help the user remember what account that might be Gmail offers a hint as to which account it went to ******@h******.com By an educated guess, the hacker assumes hotmail. Now the hacker goes to hotmail, guesses what the hotmail address (username)is (based on info he found in public) and does the password recovery link there as well. Hotmail informs him that this account is no longer active, so the hacker goes and registers the hotmail account. Then he goes back to Gmail does the password recovery again, this time since the hotmail account is accessible by the hacker because he's just registered it and put his own password on it the Gmail password is sent to him. BINGO he's in, now he starts his voyage.
All that to say this happened because of an innocent user posting non-sensitive info out on the internet and a corporation having a bad security policy in which old accounts can be recycled. This wasn't a weak password situation. This was a comedy of "errors" on the user and corporations’ part.
So with the growing number of social sites, the linkage of them, and the amount of data we are posting it's going to take a combination of heightened user awareness and an increase in corporate security practice implementations in this new world.