Posts Tagged ‘web 2.0’

The Futility of Blocking Web 2.0

March 19, 2009

This morning I attended a seminar about blended threats. The breakfast was great (and laid on by the sponsor) and was followed by an interesting presentation by McAfee about ‘blended threats’ and how their new products can protect organisations against web 2.0 threats such as data leakage through personal use of the internet.

That in itself was interesting, but unfortunately another member of the audience stole the show. He was the rather outspoken head of security for a public organisation and, to my mind, took a rather old-fashioned approach to information security: block it using technology and your problems are solved. To give you an idea, the organisation has only just made the internet available on employee desktops.

I struggled to keep quiet, as it wasn’t the appropriate forum to have a debate about whether or not employees should have access to web 2.0 tools (let alone the internet). Interestingly, though, the presenters also stepped back from the argument. That is not surprising, as their product was based on the assumption that employees had fairly open access to the web.

But it did get me thinking. What is more risky: employees who use work tools for some personal use, or employees who use personal tools for some work use?

In one scenario I can sit at my desk and do the odd bit of banking or check my Facebook page on my breaks. In the other I can’t. But if I want to use a web 2.0 tool for something at work but can’t, I’ll use my personal device instead.

In scenario one, work still controls the information; they trust me to use the internet and I trust them not to snoop into my private affairs. In scenario two, there is no trust and I will take company info outside.

Web 2.0 tools are a fact of life for most people who use the internet. There are lots of opportunities to use instant messaging, social networking or photo sharing websites in security awareness campaigns. Many of them have good security options which can be used to teach people about privacy controls, for example. But if, as the head of security, I don’t allow you to look at these, then I can’t really use them as examples, can I?

Hire Me, Hire My iPod

December 2, 2008

A survey by Accenture looks at how generation Y view the place of technology in the workplace. In a nutshell, the report concludes that this cohort prefers workplaces which offer state-of-the-art technologies.

State-of-the-art in this case means open source, collaborative communications which are instant (e.g. instant messaging) rather than asynchronous (email). They also want to choose and use their own hardware, and expect to be able to access their preferred applications at work, which includes social networking websites.

When it comes to posting work-related information (including information about their clients) on public websites, 60 percent of ‘millennials’ said their company either had no policy or had one that was too complex, or that they ignore it anyway.

This information will come as no surprise to many security professionals, as this kind of threat is often reported although it is not often backed up by research. And while the data might be a little skewed (it includes respondents as young as 14 who are still at school and probably more likely to say they would rebel against company policy), it does provide food for thought for those with responsibility to secure corporate networks and information. It shows that not only does the emerging workforce have the ability to compromise a company’s information assets, but they are also quite willing to accept the risk if it means they can play with their favourite web 2.0 toys at work.

Like it or not, the challenge has been laid. Attracting the best and brightest talent from the millennial cohort now means figuring out how to accommodate their web 2.0 lifestyle without compromising the organisation’s information security.
