Following up on a post about the top Web 2.0 security threats I thought I would take a quick look at what I mentioned as one of the biggest security threats to any company: information leakage.
All the delightful modern collaboration tools we use--blogs, wikis, SaaS applications, etc.--just make it easier for your corporate information to walk out the door. Regardless of the systems or applications your company uses, odds are any piece of data can (and will) be accessed, e-mailed, written down, or just remembered by a large percentage of your staff.
Information Leakage: Web 2.0 applications promote user-generated content and thus blur the line between work and private life. As a result, users may publish as part of their Web presence, information considered sensitive by their employer. Even if users are careful and do not leak information that is by itself sensitive, the aggregation of many small data items may be unacceptable.
Generally speaking, information leakage is nearly impossible to contain, regardless if data is Web 2.0 browser-based or not. Think back to the last time you used a public Web terminal at an event or hotel--I can't remember a time when I couldn't just hit the back button or history tab that at a bare minimum revealed the last users' e-mail address.
So what can you do to protect your business? The truth is that there are few non-draconian methods available to protect your data and ensure that people are using collaborative tools effectively. In this case, prevention is the best medicine.
In doing some research for this post (it happens) I heard from a number of large organizations that the smartest thing that Lenovo did with the ThinkPad was to put in the biometric identifier. But not because it's a better authentication method (it is), but because it forces users to put security top of mind. That psychology trickles down to everything they do and the way they approach security in general.
A few tips from a security consultant friend:
- Teach people to not be stupid--prevention is the best medicine. Remind people not to click links or open spam.
- Use strict access control permissions--odds are most users fall into groups that can be restricted from noncritical areas. This goes for everything from corporate wikis to Salesforce.com
- Implement single-sign-on (SSO) or other ID management tools--Tools that better track user activity and provide an audit trail may provide insight if things go wrong.
- Use two-factor authentication for Web-based applications--even an Apache .htaccess plus log-in screen is better than nothing