February 19, 2009 2:26 PM PST

The biggest online security risk: humans

by Dave Rosenberg

Following up on a post about the top Web 2.0 security threats, I thought I would take a quick look at what I mentioned as one of the biggest security threats to any company: information leakage.

All the delightful modern collaboration tools we use--blogs, wikis, SaaS applications, etc.--just make it easier for your corporate information to walk out the door. Regardless of the systems or applications your company uses, odds are any piece of data can (and will) be accessed, e-mailed, written down, or just remembered by a large percentage of your staff.

Information Leakage: Web 2.0 applications promote user-generated content and thus blur the line between work and private life. As a result, users may publish as part of their Web presence, information considered sensitive by their employer. Even if users are careful and do not leak information that is by itself sensitive, the aggregation of many small data items may be unacceptable.

Generally speaking, information leakage is nearly impossible to contain, regardless of whether the data is Web 2.0 browser-based or not. Think back to the last time you used a public Web terminal at an event or hotel--I can't remember a time when I couldn't just hit the back button or history tab, which at a bare minimum revealed the last user's e-mail address.

So what can you do to protect your business? The truth is that there are few non-draconian methods available to protect your data and ensure that people are using collaborative tools effectively. In this case, prevention is the best medicine.

In doing some research for this post (it happens) I heard from a number of large organizations that the smartest thing that Lenovo did with the ThinkPad was to put in the biometric identifier. Not because it's a better authentication method (it is), but because it forces users to put security top of mind. That psychology trickles down to everything they do and the way they approach security in general.

A few tips from a security consultant friend:

  • Teach people to not be stupid--prevention is the best medicine. Remind people not to click links or open spam.
  • Use strict access control permissions--odds are most users fall into groups that can be restricted from noncritical areas. This goes for everything from corporate wikis to Salesforce.com.
  • Implement single-sign-on (SSO) or other ID management tools--tools that better track user activity and provide an audit trail may provide insight if things go wrong.
  • Use two-factor authentication for Web-based applications--even an Apache .htaccess plus log-in screen is better than nothing.

(Note: I could also argue that hackers or pretty much anything else are the biggest security threat, but I needed a focus.)

Dave Rosenberg dishes up "Software, Interrupted" with nearly 15 years of technology and marketing experience that spans from Bell Labs to multiple start-up IPOs to open-source enterprise software companies. He is co-founder of MuleSource and currently serves as the general manager of Hardy Way. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can contact Dave via e-mail at softwareinterrupted@gmail.com or follow him on Twitter @daveofdoom.
by myles taylor February 19, 2009 2:50 PM PST
That's pretty obvious. The biggest flaw in any security system is where you have to depend on people. People are usually the weak link in security.
by Penguinisto February 19, 2009 2:59 PM PST
In other news: The Sky was found to be blue when there are no clouds about, and Water is still wet... ;)

But yeah - it's good to remind folks from time to time to stop and think.
by mdsudan February 19, 2009 6:11 PM PST
Good point.

Even on the personal side I am finding that Web 2.0 apps enable some interesting amount of personal information out.

For example, if you know a person through Facebook and somehow manage to connect to them on Geni, you have fairly detailed information like date of birth, mother's maiden name, siblings, pets, care preferences, etc.

Do you know what the hint questions / answers on half the world's websites point to... these above questions.