In my industry talks on Social Media, I mention the challenges presented to organisations by consumer technologies, so-called “shadow IT”, social media and mobile technologies. A new generation of technology users are used to having leading edge, powerful technologies and are not satisfied with the constraints placed by their employers on their technology use, productivity and flexibility. Therefore, many employees (and particularly younger employees) are getting around corporate controls by using personal email accounts, personal hosting services, online storage, Facebook, blogs, etc. The availability of new, powerful consumer technologies and services is putting increasing pressure on corporate IT departments to keep up.

Recent research commissioned by Mimecast, a UK-based email management company, highlights the risks that organisations face from their employees using non-corporate IT to circumvent controls. Carried out by Loudhouse Research, based in London, England, the research found that knowledgeable employees, familiar with social media and frustrated with corporate controls, are compromising corporate data and intellectual property.

Employees have become dissatisfied with the constraints of corporate email rules and mailbox size limitations. To get around these problems, more and more employees are adopting “a slapdash attitude to company intellectual property (IP)” and use personal email accounts to store corporate information on public servers, outside the control of the organisation. The research found that 85% of under 25s admitted that they send work-related emails or documents to or from personal email accounts.

The “Generation Gmail” research also found that:

• 36% of incoming email to work inboxes is not work related;
• Over 300 work-related emails are sent per person via personal accounts each year;
• Typically around half of these emails contain attachments, meaning that the average employee under 25 will send approximately three emails a week containing corporate IP and potentially sensitive information outside of their corporate environment, and
• Generation Gmail is particularly predisposed to personal email; 52 per cent rated it as better than work email in terms of mailbox size, compared to just 29 per cent of over 55s.

Working in an academic environment, I am very familiar with these challenges and with many more as well. Younger and well-educated people have come to expect that corporate IT services should be as good as what they can get for free on the Internet and they are impatient when this is not the case. However, it is difficult for organisations to respond either quickly enough or with a similar range of technologies to satisfy the expectations of employees and – in academia – students, researchers and academics.

How can corporate IT respond to these challenges? Are policies and procedures enough? What controls should or can be put in place to ensure that corporate information and IP are safeguarded? Is this even possible in the age of the iPhone, 3G, netbooks, tablets, high-capacity storage and other wireless devices?

It seems to me that the response to these challenges must be  try to give users what they expect, no matter how difficult this might seem. Perhaps corporate IT can never be as fast as the giants of the Internet like Facebook, Microsoft and Google but it should look for ways, nevertheless, to provide what it can. This could mean developing a Social Media strategy that identifies how you will provide the communications, collaboration and information sharing technologies that people now expect. Where can you use third parties to deliver services? What partners might you work with? Can you use Facebook or Yammer to enable sharing and collaboration? What about Blogger, Tumblr, Posterous, WordPress or Typepad for blogging? Are your policies, procedures, controls and security constraints still appropriate for the current environment and expectations of users?

We grapple with these issues every day in Trinity College and, to be truthful, we are probably always going to lag behind our users, because that is the nature of the organisation and it reflects the modern experience of technology innovation. Nevertheless, we have tried to meet expectations where we can. We have adopted Google Mail and Google Docs for our students; we are trialling Yammer as a collaboration platform for the college; we recently completed the rollout of internally-hosted Microsoft Exchange for staff; we are implementing SharePoint 2010 as an enterprise collaboration platform; we offer podcasting services and publish material with iTunes and iTunesU; we are about to release WordPress as a blogging platform for all users; and we use Microsoft Enterprise Project Management for project collaboration. We are also working on defining our needs for XaaS and Cloud Computing.

It is a start, and we know we have a long way to go. But if we can meet the expectations of our users, perhaps we can discourage them from using other technologies that might put the enterprise at risk.

What do you think? Are you dealing with these problems as well? Are you giving your users the technologies they want? What solutions have you found and how have you implemented them? This is a challenge that no organisation can avoid, so how are you approaching it? Please leave a comment and let me know your views.

Finally, Mimecast’s Chief Scientist, Nathaniel Borenstein and Cloud Strategist, Justin Pirie; and CEO of First Base Technologies ISACA, Peter Wood will host a webinar at 10 a.m. GMT on 8 March 2011 with the title ‘Generation Gmail: Is business email at risk?’. You can take part in the seminar at http://mediazone.brighttalk.com/event/infosecurity/79cc30c735-4820-intro?TID=MC.

And very lastly, if you would like to talk to me about the use of Social Media in your organisation, please feel free to contact me.

If you liked this post, you might also like:

Would You Like to Get to Inbox Zero?

Social Media Revolution? What’s Your View?

Receive new articles from johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!

I am preparing a talk for CIOs on the topic of ‘Social Media – Creating Collaborative Conversations’. I’d like to hear from people who have made the corporate leap into social media in their organisations or who have views or expertise to share on the subject. Questions you might consider include:

• What advice would you give to CIOs and their organisations in adopting social media?
• Can you point out good and bad examples of the use of social media?
• What, in your experience, has worked well and worked badly in the adoption by organisations of social media?
• What is the future for social media in the enterprise and what are the implications for CIOs and their organisations?
• What lessons have you learned from using social media in your organisation?
• What are the risks for organisations in adopting social media and making them available to employees?
• What are the specific challenges for business as workers engage in new conversational behaviours and have the ability to spread knowledge inside and outside the corporate firewall?
• How can CIOs work with other executives to ensure that the use of social media is well-managed?
• How can organisations create collaborative conversations that benefit the business?

If you have any views on these questions, or have additional information to add, I’d like to hear from you. Please leave a comment to share your experience.

If you liked this post, you might also like:

Gary Hamel’s Interesting Take on Social Media in Organisations

Social Media Revolution? What’s Your View?

Social Media: Creating Collaborative Conversations

Receive new articles from johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!

I had not intended this blog to become a security-related publication, or one dealing exclusively with theft of laptops and storage media. But there is certainly a trend developing; let’s hope it does not last.

Following on from yesterday’s post, and from my post of 24 August 2008, we learn today from a report on RTE, Ireland’s national broadcaster, that a laptop computer containing  the records of some 75,000 customers of Bord Gais Eireann (BGE – the Irish Gas Board) was was one of four stolen on 5 June 2009, although news of the theft was only released today, 17 June 2009. The records relate to customers who signed up for the BGE “Big Switch” campaign, which encouraged them to move their account for electricity supply from the Electricity Supply Board (ESB) to BGE. Like previous incidents, data on this laptop was reported not to have been encrypted.

This time it’s personal, as I have been potentially affected by this latest security failing.

It appears to me that many (I suspect a very, very large number) organisations that process personal information simply do not take the issue of electronic data security and data privacy seriously enough. Throughout the world, we learn regularly of significant breaches of customer confidentiality. As  I wrote in my August 2008 post, many of these incidents occur through the failure to manage portable devices and removable media effectively. But there is also a lack of appropriate polices, procedures, practices, guidelines and controls. Indeed, in many organisations, there appears to be little or no attention paid to security at all, except for template procedures and documents.

The 2008 Annual Report of the Irish Data Protection Commissioner provides information on the top ten threats to individual privacy as identified by his staff. The unscientific list represents perceptions of Commission staff of the major threats to privacy at the close of the year 2008, based on the queries and issues they deal with on a day to day basis. The top ten threats are identified as follows:

1. Failure of organisations to have even the most basic protocols in place to minimise the loss of customer and employee data.
2. Continued lack of proper procedures in public and private sector bodies to limit access by their employees to personal data on a ‘need to know’ basis.
3. Failure to take due account of the legitimate privacy expectations of members of the public when moving towards greater efficiency of public services.
4. The tendency of new legislation to seek ever more personal data from the public and the sharing of that data between organisations without (in many cases) any real business case to justify such sharing.
5. Criminals using increasingly sophisticated methods to part individuals from their personal data for criminal and fraudulent use.
6. The extended use of the Personal Public Service Number (PPSN). This is the number given to each citizen by the Government to identify them when they interact with public bodies. More and more services seek to use this identifying number, often without any credible justification.
7. Publication and availability of excessive personal data on the internet (sometimes placed there by the individuals themselves on social networking sites etc).
8. Continued lack of awareness among data controllers of their data protection obligations.
9. Indifference on the part of data controllers to the consequences of their actions when they deliberately and persistently refuse to respect the data protection rights of their customers.
10. Continued lack of awareness on the part of members of the general public (who, as a result, give away their personal information too easily, don’t ask why personal information is needed or fail to ‘tick the box’ to say that we don’t want to be contacted).

BGE issued a short press release advising that it had promptly informed the Irish Police and the Data Protection Commissionerof the theft and that it will be contacting all affected customers. However, since there has been almost a two-week lag between the occurrence of the theft and the issue of the press release today, it is possible that customers’ financial or other personal information could have already been compromised. This is simly not good enough. It is no good doing things right (if you can call a two week delay in advising affected customers “right”) after an incident has occurred; appropriate steps must be taken to ensure that such incidents do not occur in the first place and that, if they do, the risk to information security is minimised or removed entirely. Time will tell whether the “risk assessment” referred to in the BGE statement led them to a correct decision not to advise customers sooner; I hope they got that right.

Organisations must take serious steps to improve security now. Some of the steps they take might include:

• Raising security awareness among all staff and providing appropriate training.
• Assigning responsibility for information security to the right people, not just to the IT department.
• Implementing appropriate and effective security policies, procedures and practices.
• Implementing adequate and effective information security controls and risk management systems.
• Carrying out regular audits of information security practices.
• Encrypting data on laptops, portable devices, tapes, removable storage and other vulnerable media.
• Implementing appropriate controls over removable media and devices.
• Introducing strict penalties for staff who breach security requirements including, for serious breaches, dismissal.
• Revisiting my post of August 2008 for further information on information security.
• Visiting the web site of the Irish Data Protection Commissioner, which is full of good information on information security.
• Reading the 2008 Annual Report of the Data Protection Commissioner, which is an excellent document and gives an overview of the activities of the Commissioner and provides information on prosecutions, investigations, summary data, etc.

Organisations and individuals must realise and accept that information security is not an issue for the IT department alone; it is a business issue and needs to be treated as such. Staff who use laptops, portable devices and removable media must understand that it is their responsibility, not the IT department’s, to keep data safe. And basic security, like locking these devices away or securing them appropriately, as well as encrypting them, must become the norm, not the exception.

Under Irish Data Protection Legislation, penalties for breaches of the law can be severe and encompass both civil and criminal proceedings, fines and forefeiture and destruction of equipment. Bodies corporate and individuals are subject to the provisions of the legislation. Fines of up to 250,000 euros can be imposed. Maybe it is time that fines of this magnitude were imposed. Without tough enforcement, I fear that breaches of the law and loss of personal data will continue to occur.

Kevin Kehoe, who I thank for commenting on my previous post, mentioned that organisations need to assess their appetite for risk. Perhaps it is time to dampen that appetite dramatically and, when it comes to handling the personal private information of customers, staff, prisoners, benefit applicants, etc, accept that no appetite for risk at all is the desired attitude to have.

If you have been affected by the BGE failing and feel strongly enough about the matter to complain, you can get all the information you need to make a complaint from the Data Protection Commissioner’s website.

What do you think? Are you concerned at how easily and how often personal private information is stolen, disclosed or otherwise compromised? Have you been personally affected by a breach of your privacy? Have you lost money or suffered other negative consequences? Have you been responsible for a breach of data security?

Leave a comment and let me know.

If you liked this post, you might also like:

Laptop Theft and Data Loss By Irish Health Service Executive

Data loss by PA Consulting

Receive new articles from johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!

johnlawlor.tel

.tel is a new top level domain (TLD), launched between December 2008 and March 2009. Operated by Telnic, a UK-based company, the TLD enables users (organisations and individuals) to publish contact information about themselves in a fairly simple, structured manner. While it is possible to access a .tel domain over the web, the suggested power of the system is that it can be accessed quickly and easily using mobile devices like phones, Blackberries and iPhones; it does not require a web site.

The basic idea behind .tel is that it will become an Internet-based directory, keeping all personal or organisation contact information in one place. For example, if a company changes phone number or address, it would only be necessary to change the entries in their .tel account and publish this information immediately to the Internet. With its “free text” feature, an organisation or individual can also post current information, say, about an upcoming sale or event, or a company profile.

The type of information that can be stored in a .tel account includes personal information such as name, address, hobbies and interests; phone numbers; websites; Flickr sites; Skype and Google accounts, and geolocation information. A user can decide what information to make public and what to show to selected people only (Telfriends), who must also be .tel account holders. Organisations can publish similar information as individuals and, using an internal directory structure, can add specific information, such as details of regional or branch offices. This makes it easier to navigate the .tel site.

Given the type of information that a .tel domain holds: contact information; web sites; identities; location information and searchable keywords, it is a little difficult to see how .tel is a lot different from an informational web page, blog, or OpenID profile. Indeed, I have stored all that type of information on many of my websites, blogs, social media sites, etc. I also set up a VeriSign Personal Information Portal (Beta) that provides much the same information as .tel, although it is web-based. It would also be very easy to set up a single web page on your existing domain with all of the information you want on it; by simply changing details on this page, you could, in theory, achieve the same end as a .tel account. However, Telnic say that the benefit of a .tel account is that a website is not needed and that a user’s account can be accessed easily over mobile devices, using very little bandwidth and low amounts of data transfer. They also suggest that there will be many new applications developed to exploit the features of .tel and that, for this reason, it is a useful service.

They offer ten reasons to use a .tel domain:

1. Controlling your information hub
2. Being part of a global online directory
3. Routing customers to your departments and locations
4. Increasing online discoverability
5. Connecting with customers from any device
6. Having an effective online presence
7. Performing live updates anytime from anywhere
8. Promoting premium rate numbers
9. Generating revenue from generic domain names
10. Driving traffic to e-commerce shops.

Before deciding whether to open a .tel account, I did a little research on the web and in discussion groups to see what the chatter in the community was. I found mixed views on the whole concept. Many companies who were selling domains or services were positive about .tel, while many individuals and IT professionals were more sceptical. Some people felt that it was just another over-hyped product. Concerns have also been expressed about privacy and identity theft.  I share, to a degree, the views of the sceptics and wonder how useful and secure this service will be. Nevertheless, I decided to get my own domains, johnlawlor.tel and lawlor.tel, to test their utility. All of the information I have added to my account (johnlawlor.tel only; lawlor.tel is not completed yet) is already publicly available on the Internet, so I am not too worried about publishing it in the one place. However, I have some concerns about the possibility of suffering an increase in spam or phishing attacks and will monitor my email, in particular, to see if there is an increase in these nuisances.

.tel domains cost from around 10 to 15 euros per year. There is no associated hosting cost, as all .tel accounts are hosted by Telnic as part of the domain registration. It’s very easy to register a domain and I registered mine with Blacknight Solutions in Ireland. If you’d like to have a look, check out http://johnlawlor.tel/.

Receive new articles from johnlawlor.ie by subscribing to my RSS Feed or by email subscription. You can also share this post by using one or more of the buttons at the top and bottom of the post. Thanks for visiting!