Wikileaks: Lessons for CEOs. Information Security Management is there to protect, not to ignore

Like nearly everyone else on the planet, I’ve been transfixed by the ongoing saga of WikiLeaks’ release of hundreds of thousands of secret diplomatic cables.  Leaving aside all questions of the ethics or criminality of either the leakers or the diplomats whose activities were revealed, it’s a fascinating story about information security — or the lack thereof — with important implications for any organization that feels a need to protect some of its information from prying eyes.

The main lesson is simple:  information security is hard.

If the US State Department and military can screw up this badly, every organization on the planet should take a hard look at their own internal competencies.  And make no mistake about it:  whatever you think of the leakers, they have revealed an appalling lack of sophistication about how information should be protected in the age of the Internet.

I’m not privy to the internals of the affected systems, so my information is based on possibly-flawed news accounts, but the emerging picture is astonishing.  It appears that anyone with the lowest level of security clearance is able to gain access to far more information than he needs for his job. Otherwise, it’s hard to imagine how anyone — even with a much higher clearance — would be able to download so many documents without being noticed.

An important corrolary should also be obvious, though hard to enforce:  even the most important users need to take security protocols seriously!

If the Secretary of State is going to authorize an obvious no-no like stealing credit card numbers and other personal information from UN diplomats, she shouldn’t say so in a document with the lowest level of security classification.  All the security mechanisms in the world are to no avail if important people are allowed to ignore them.  This has implications for every CEO in the world:  as important as you are, your information security team should have a veto over certain kinds of actions that you might take.

To paraphrase Lord Acton: in the age of the Internet, absolute power can embarass absolutely.

But the most important lesson from this sad affair may be the importance of truly independent third parties.

It’s incredibly hard for an IT security specialist to stand up to a CEO or a Secretary of State.  It’s more likely to happen when that specialist is relatively protected, as part of an independent organization whose sole job is to protect and secure information for a client organization.    This is why we have independent auditors and certifiers and consultants, and it’s also why most organizations are better off outsourcing most of their information security tasks.  (Knowing who to trust in such outsourcing is no easy matter, but it’s easier than knowing everything about information security policy internally.)

I’d love to brag about how Mimecast’s customers appear to have better security than the US State Department.  But the revelations about the latter’s information security are so distressing that it’s a shockingly modest claim, and one that I hope most of our competitors can also make.   Nowadays, outsourcing much of your information security to almost any specialist company is likely to yield better results than trying to do it yourself, whether you’re a small law firm, a giant multinational, or the most powerful government in the world.


A Little DLP can Protect from the Enemy Within – oh, and WikiLeaks

The headlines couldn’t be more relevant as I read through Dawhinderpal Sahota’s blog post about the 2010 KPMG Data Loss Barometer report.

Sahota’s writing picked out a few key gems from the KPMG report, the thrust of which made the claim;

A fifth of all reported data loss incidents in the first half of 2010 were a result of malicious attacks from inside the organization.

The headlines I am referring to are of course screaming about the latest WikiLeaks release; which like the last is bound to have come from an insider with “authorized access” to the system storing the data.

But as someone who has spent most of their career in IT Security this is not really news to me. We’ve known for a long time that the ‘people’ are always the weakest link in any security solution or policy – as humans we have a  natural ability to want to help people and trust them, assuming they are up to no good is hard for us.

Sahota’s blog points out that, as organizations (read, the IT team) get wise to hackers, the criminals are tempting the staff to pass on valuable information. Which is very true, but I think there is a stronger motivation at play here too, as the Wikileaks data shows. The motivation of the “Do-gooder” or the idealist who believes the public should be made aware of the ‘secret’ data they are looking at, presents a significantly greater threat. We need to rethink how we solve this problem with these two types of motivation in mind.

The KPMG report, and Sahota’s post, goes on to single out the Healthcare sector as suffering a large proportion of the leaks, mostly due to the working practices of its users. Sharing of passwords, portable media and accidental leaks all present a wide channel for data to leak out of the organization, but almost all Sectors share these same issues, and most try to combat them with awareness and education for their employees.

I think a better solution is to look towards technology. For example, password sharing can be mitigated by the use of Biometric two factor authentication. Portable media problems can be eliminated with the use of Centralized Endpoint Device Control Systems and of course all external channels can be protected once efficient DLP (Data Leak Prevention) tools have been deployed.

Each type of motivation for the attack or leak is going to need different a consideration. Education, awareness, technology and a good dose of luck are just the start of protecting your data from the baddies or publicity like WikiLeaks.


How the Cloud is Consumerizing Corporate Email

For many years I have been telling IT managers and CIOs that corporate IT and email will have to fall in line with the plethora of free consumer email platforms available. The simplest form of this discussion compares the ‘few hundred MB’ quotas corporate users are given for their inboxes, compared to the several GB they get from web-based email systems.

For most of those years IT managers and CIOs have been telling me there is no way they could possibly compete, their users will have to make do. Some even used to joke, their users would never need a 7GB inbox; “this is email we’re talking about here” they would chuckle.

Gartner, the analyst firm, has recently qualified my thinking by publishing a report that verified that indeed the use of Public email systems is undermining corporate intellectual property & email. Specifically that;

The consumerization of IT has led to employees’ increased use of consumer-oriented, Web based e-mail, even where such usage is against corporate policy. Typical use cases include transferring files that are too large to transit the corporate e-mail environment, containing file types that are not supported, or  sending documents to a personal e-mail account to be accessed from home or another location.

After reading the report, two key issues struck me. Firstly; the authors have missed a key opportunity to weave in ‘modern day’ email management tools like Data Leak Prevention (DLP). Secondly; this whole issue makes a particularly compelling case for the adoption of cloud email services, as that’s exactly what the users are doing, with or without your control or approval.

The basis of their writing, is that users who are limited by inadequate or antiquated corporate IT systems are using cloud based webmail services such as Yahoo, Hotmail and Gmail to circumvent the limitations of their business systems. At the very least, forwarding an email ‘home’ has been common practice since Ray Tomlinson coined the @ symbol. Gartner rightly point out that;

When internal collaboration tools and environments fail to provide the necessary functionality, people fall back on the growing number of freely available  external tools and services that are targeted at consumers and provide the easy-to-use functionality they crave. These consumers are not specifically trying to break security; rather, they are simply trying to get their jobs done.

My Advice

Echoed by Gartner, has always been that banning and blocking users from using webmail services is unhelpful and unproductive, simply making the IT department look like an “impediment to business operations.” The more innovative and intelligent approach is to examine the flow of information through your email system and then deploy a DLP solution to catch anything that should be staying within the organization.

Secondly, and the much more obvious point, is that users are adopting cloud based solutions “to get their jobs done” – as Gartner points out, the recent enhancements to Hotmail are focusing on ‘time saving” and “productivity” which are more likely to attract corporate users. Regardless of your position or opinion of cloud based email systems, your users are making their way to the cloud. As with everything corporate the users are driving the technology; IT managers and CIOs should be examining ways to keep up.