Summary : I recently read a survey about the dangerosity of social networks regarding to information leak, relying on the observation of a representative group of people. That’s a hasity concusion : it only proves that information security is not only a matter of technology but of usages, behaviors, a dimension that IT departements still barely master because they consider the issue from a technological standpoint. As an evidence, it seems that IT people are those who are the most likely to have dangerous behaviors, maybe because they only consider the technological side of the problem and overlook the behavioral one.
Recently I found a study about the dangerosity of some tools considering information leak. It says that email is the first cause of leaks (but is it a surprise) and that social networks are becoming a growing cause of such issues, what is not surprising because as they’re becoming more and more popular the risk is growing proportionally.
When I’m asked my opinion, my answer is always the same : no tool is dangerous by itself. It’s usage can be. Said differently : an irresponsible person is dangerous with any communication tool, even a homing pigeon. And the best way to fight irresponsibily is education, not interdiction. As a matter of fact when people are prohibited doing something without being educated, they send their time cheating with the system what may cause even more problems.
This study won’t make me change my mind. The way it was conducted is quite interesting :
The study sample group included 2,000 users from all over the world registered on one of the most popular social networks. These users were randomly chosen in order to cover different aspects: sex (1,000 females, 1,000 males), age (the sample ranged from 17 to 65 years with a mean age of 27.3 years), professional affiliation, interests etc. In the first step, the users were only requested to add the unknown test profile as their friend, while in the second step several conversations with randomly selected users aimed to determine what kind of details they would disclose.
The study showed:
- More than 86 percent of the users who accepted the test-profileâ€™s friend request work in the IT industry, of which 31 percent work in IT Security
- The most frequent reason for accepting the test profileâ€™s friend request was her â€œlovely faceâ€ (53 percent)
- After a half an hour conversation, 10 percent disclosed personal sensitive information, such as: address, phone number, motherâ€™s and fatherâ€™s name, etc â€“ information usually requested as answers to password recovery questions
- Two hours later, 73 percent siphoned what appears to be confidential information from their workplace, such as future strategies, plans, as well as unreleased technologies/software
Some points to notice.
– some people accept a friend reques from an unknown person. It confirms my assumption. The problem is about people and the way their awareness about this kind of issue has been raised. There are two options. Either they would do exactly the same if they bumped into this nice looking girl in a bar and a full education program has to be implemented across the orgation or the fact they are online makes them lose their common sense and they have to be taught than the web is like real life : don’t follow a stranger.
Let me add that we already have more dangerous tools than social networks : familiy lunches, parties with friends and colleagues have been perfect situations for information leak for ages. I don’t even mention discussions in trains, people you can read their laptop screen when seated next to them etc…
– IT people are even more dangerous than others. Of course because they only see things through a technological point of view and only consider technological responses. A secured tool can be real strainer if people don’t use it well. Non IT people perceive the risk through a behavioral point of view, they analyze the nature of the context and of the relationship and may be more mistrustful.
Conclusion : anything that has to do with information security is not only a matter of technology and IT people may not be the best to handle the whole problem. Security is about technology and behaviors, this second point needing a specific program to be approached.
A last example. What’s better ? An employee who’s aware of dangers and uses Facebook or a non aware employee that can’t use facebook at work but uses it on mobile and at home ? The second is made harmless while he’s in the office but will be dangerous when he’s outside unless he’s educated.
Of course, pushing the “off” buttion is easier than implementing an awareness program. But it doesn’t solve everything.