A pipe in my kitchen broke this week, water leaked everywhere, seeping into everything, through the smallest gap. This got me thinking about other types of leaks. I think there’s a reason we talk about information and security leaks; you can do everything you want to contain information but it will pass through the smallest gap.
The reason is that there is a natural tension between the measures needed to make a company secure, and the activities people have to perform in the line of their work. Every attempt to lock down security across an organisation pushes employees to find alternative routes to perform their work.
Ars Technica reported earlier this year that when Hillary Clinton, as Secretary of State, requested a secure BlackBerry she was refused. The BlackBerry was Clinton’s preferred tool for answering email, and a secure BlackBerry had already been provided to Obama (and to Condoleezza Rice, Clinton’s predecessor). This seems a very odd decision to me: Secretary of State is the third highest office in the US, and a role that obviously involves a lot of email correspondence with the president, presumably of a similar “top secret” nature.
I’ve heard of the same thing playing out in different ways in companies.
- Generic USB sticks were banned, the company-provided USB sticks had a nasty habit of corrupting movie files, and it was already impossible to email large files. So employees giving presentations outside the company would use a Hotmail account to email the video to themselves so that they could play it at a conference or meeting.
- When new board members wanted meeting notes electronically, the security advice was to give them company laptops. But these were people who travelled extensively and sat on the boards of several companies. Password-protected PDFs were used as an interim measure; the longer-term measure was a secure site.
- When security teams became aware that social engineering techniques were being used on LinkedIn, specifically targeting company employees, they blocked LinkedIn from the company network, ignoring the fact that this just moved the risk to outside work hours or to personal mobile phones.
In all these cases employees quickly found a work-around. In some cases the risk was reduced in this process, in others not.
As Tom Seo wrote in a recent TechCrunch article, “security is defined as a largely operational function, which in turn leads to reactive, incohesive decision-making”. I think security has been seen as an operational function for a long time, with a defensive or reactive mentality.
To keep something perfectly secure we lock it away, put it in a safe, behind a wall, or in a fortress. But there is no way to build an effective wall around a company’s digital information, since using that information is an operational necessity. Sure, we use the term “firewall” for a sort of digital approximation of a wall, but we still send information across a firewall, and use technology outside it.
Years ago a security colleague said to me “we can no longer build a completely secure system; we have to choose which risks to remove and which to manage”. It’s a good start, but I look forward to the day when security teams think in terms of solutions rather than rules.