Social Sharing May Be Eroding Office Security
The social media generation thinks nothing of sharing data on personal devices while at work. That may be sparking a generational shift in how organizational information is valued, a social media side effect that could open the door to more security threats in the future. Younger workers aren't endangering office networks on purpose -- they just have a more lenient view on broadcasting personal or work data.
04/22/13 6:00 AM PT
It's no secret that security experts don't have a lot of love for social media. Information freely available at social media sites makes it easier for net marauders to fashion targeted attacks on organizations.
However, social media may be undermining data security in a more profound way.
Much has been made of the growing willingness of people to cough up personal information about themselves online for a variety of reasons. Those attitudes are bound to eventually affect how people treat their organization's data, according to Chris Petersen, founder and CTO of LogRhythm.
"Younger workers are more willing to take data and share data and think it's not that big a deal," he told TechNewsWorld.
"It's not necessarily malicious," he continued, "but the sensitivity around the handling of private, confidential data has eroded socially. We've gotten to the point where we value privacy and confidentiality less in our personal lives. I don't know how that doesn't permeate into the workforce."
Use of social media by employees creates a greater risk to data security for almost all organizations, according to Michael DuBose, leader of the cyberinvestigations practice at Kroll Advisory Solutions.
Employees can be posting valuable information about where they work, or different aspects of the workplace, that can be manipulated by outside hackers, he explained.
"Employee attitudes toward information, generally, are becoming looser as to what they define as personal information and business information," DuBose told TechNewsWorld.
Part of that problem is caused by employees using personal devices to perform business functions. "Security now relies on an uneasy partnership between professional and personal use of these mobile devices," he noted.
Companies aren't budgeting to protect their intellectual property resources, according to a survey released by Verdasys.
Business brass are aware of cyberthreats and are budgeting to address them, but they don't take into account revenue losses should intellectual property be stolen, noted the survey of more than 400 security decision makers conducted by Forrester Consulting.
"The IT department simply budgeting for security based on historic data is no longer sufficient," the study said. "Organizations need to prioritize their security spending decisions based on real expectations of the impact on revenue if cyberthieves steal important IP."
Two studies released last week noted how security could get in the way of company sales.
While 85 percent of some 300 IT pros surveyed by Voltage Security acknowledged security added to the value of their company, more than a third (40 percent) lost a sale because security measures prevented them from getting the information they needed, and nearly half (46 percent) circumvented those measures to get what they needed.
"It is safe to assume that with the majority of people working for major organizations with more than 5000 employees, the loss of a single deal can be detrimental to business and may well cause millions in damage," said Voltage's Senior Director Dave Anderson.
Consumers, too, can be deterred from making purchases by security measures, as was pointed out in a survey of some 200 shoppers from around the world conducted by the Ponemon Institute and sponsored by Nok Nok Labs.
Nearly 50 percent of those shoppers were "very frequently" or "frequently" prevented from purchasing items from a website due to authentication problems.
Those problems usually entailed forgetting a password, username or answers to security questions.
Irritation can be exacerbated if a site tries to toughen its authentication procedures, according to Rapid7 Chief Security Officer HD Moore.
"The more time you spend forcing people to create complex passwords or force them to change their passwords on a regular basis, the more you increase frustration," he told TechNewsWorld.
- April 15. Schnucks grocery store chain reports more than 2.4 million credit card numbers were compromised in a data breach that affected 79 of its 100 stores from Dec. 10, 2012 to March 29. No cardholders' names or other identifying information was compromised, the chain said.
- April 16. A survey of 250 IT professionals by Lieberman Software reports that more than 70 percent of the respondents would be unwilling to bet US$100 that their organization will not suffer a data breach in the next six months.
- April 17. Judge James Pohl postpones until June proceedings in "September 11" hearings being held at Guantanamo Bay Naval Base, because thousands of defense emails were apparently accidentally turned over to prosecutors in the case.
- April 18. LulzSec member Cody Kretsinger, 25, sentenced to one year in prison for breaking into Sony Pictures website and sharing information stolen from there with other hacktivists. Authorities estimate damage caused by breach to be more than $600,000.
- April 18. Survey by the Economist Intelligence Unit of 750 consumers globally reveals that 32 percent of the participants said they'd stop doing business with an organization suffering a data breach. Survey also found 23 percent said they'd suffered a data breach in the last two years.
Upcoming Security Events
- April 23-24. Black Hat Embedded Security Summit. McEnery Convention Center in San Jose, Calif. Registration: April 19-25, $1,199.
- April 23-25. Infosecurity Europe. Earls Court, London, UK. Registration: After April 19, Pounds 20.
- April 23. Cyber Security and Critical Infrastructure. 2:15 p.m. -- 3:45 p.m. ET. Webinar, part of spring meeting of American Bar Association Section of Public Utility, Communications and Transportation Law. Members: $150. Government: $99. Non-members: $195.
- April 30. How to Ensure Your Workforce Is Secure When It Is On-The-Go. 7:15 a.m.-3:45 p.m. Washington D.C. Convention Center, 801 Mount Vernon Place NW Washington, D.C. Spring Town Hall Meeting of Mobile Work Exchange. Government: free. Non-government: $495, Apr. 6-29; $595, Apr. 30.
- May 8. Securing the Mobile Workforce from BYOD to Teleworking. 1 p.m. ET Government Security News Webinar. Free.
- May 15-16. NFC Solutions Summit. Hyatt Regency San Francisco Airport. Registration $760-$1,020.
- June 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. ET. Newseum, Washington, D.C. Registration for non-government attendees: Mar. 3-Jun. 10, $495; Onsite, $595.
- June 14-22. SANSfire 2013. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Course tracks range from $1,800-$4,845.
- July 24. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. Newseum, Washington, D.C. Registration: government, free; non-government $495, April 10-July 23; $595 July 24.