Government manages by landmine, as do many private sector businesses – I don’t think anyone would disagree. Government cannot be convinced to act proactively in the face of a perceived threat – the impact must be actually felt before legislative or board action is taken. Predictions of lost business, brand damage, fines, or increased regulatory oversight fail to move the needle – although recent class action suits and accusations of executive gross negligence seem to have some pucker power.
Policy – the set of rules under which we are either mandated to operate or agree to operate – can be a powerful security tool, especially when it is backed by a technical enforcement mechanism, and we are coming up on the time when policies need a hard look at what they can actually achieve.
Way back when I was CISO of a US City known for its tech business, we collected metrics used to demonstrate that 40% of the compromised assets in the organization were due to the use of personal e-mail. 40%! After spending all the money to ensure that Outlook was free of bad attachments, links, and spam – users could have a web browser open to their ISP e-mail account, happily going through all the clickbait they’d attracted through online activities. So how effective was it to spend all that money? Further, it’s reported that 91% of “hacks” start with phishing to obtain credentials for easy entry, and social media exposures make the creation of compelling bait that much easier.
So follow the logic here: attacks start with phishing for credentials, social media sites are rich sources of targeting information, and personal e-mail use is a significant attack vector. Therefore, disallow personal use, and a lot of the problem goes right off a cliff! Through a policy change! If personal use were constrained to personal devices, you would have raised the cost for threat actors to gain entry.
Everyone understands that the Internet is a useful tool for research, marketing, outreach and customer engagement. But those activities are different from the entertainment aspects of social media, personal communication, and just “surfing” – so technical enforcement of the policy would be nontrivial. However, a stated policy, combined with the occasional public hanging for noncompliance would be a powerful demonstration of commitment. The time is coming to separate the church of Facebook from the state of business and government operations.