There is a clash of cultures happening in the world of ICT in businesses and organisations. Information security is being compromised on a scale that is difficult to quantify, but must certainly be huge. Many workers in schools, local government and public sector organisations have files and folders on computers that they should not be on. The rules more or less state that if you have some information about someone, whether it is an incident that you are dealing with at work or the grades for a child, you should keep that information private and it should only exist on official work machines.
The trouble is that information has always been governed by the laws of entropy in a way that we haven’t discussed enough. Entropy is that state in nature that is commonly called disorder; you can build a beautiful boat, but given time without careful maintenance it will fall apart and rust, eventually returning to dust if you wait long enough. Entropy is the natural tendency of ordered things in the universe to become less ordered. Cosmologists recognise that our universe is moving from a highly organised initial state to an increasingly disordered and collapsing state.
Anyway, enough physics: information about people is subject to increasing entropy through the use of more and more personal computing devices. It was easier to keep personal information secure in one location before the widespread use of PCs. 15 or 20 years ago, that information would more often than not have been in physical files in a storage area, and anyone accessing them and perhaps taking them home to work on would have been well aware that they were dealing with a “manila” folder or some other paper product that had to be returned promptly and would be very conspicuous if left around. As these files have become more commonly digital, workers might be tempted to finish some work at home by taking the files home and “temporarily” working with them on their home PCs.
If these files are forgotten, they are not conspicuous and are easily left on the drive, even if they are also returned to work in their modified state. So information is now easy to leave lying around on private machines which are convenient for workers to use. Entropy increases as files migrate onto home machines, portable drives, memory sticks etc.
One commonly enacted answer is to only allow workers to use certain machines, which are fully encrypted and password protected. This certainly works to a point; the trouble is that people generally hate using them. These machines are usually limited to only certain functions, and the ability to copy files or put USB drives in them is blocked. If you are dealing with personal financial information or social work files, to name but two, you will generally understand this and comply; if you are working with more general information, such as meeting notes listing what individuals have said, but not storing financial or medical information, you might become a bit more blasé.
The reality is that workers today are increasingly highly connected internet users and their PCs or tablets are more than workhorses; they actually become treasured possessions, almost as though relationships are being formed between workers and their “MacBook Airs”, to name one current example. This should not surprise us as it is not at all unprecedented. Many people have similar relationships with their cars, and even where the business offers pool cars for use, many will use their own as they have bonded with its features, smells and “feel”. The computer I am typing this on, a Hewlett Packard netbook, was marketed under the slogan “the computer is personal again”; that was what set me thinking about the way many people feel about these mere machines. This simply causes people to prefer working on a favourite, personal device, which has no restrictions, a nice “feel” that you (not the company) have chosen and no “irritating” proxy server settings or OTT security software slowing it down. In a nutshell, this makes for a strong temptation to email those files to yourself to work with on your own machine (to be safely deleted afterwards, of course). Entropy is inevitable, and digital files and personal computers on average are increasing it at an accelerating rate.
I wonder how many so-called knowledge workers would be happy with a security specialist trawling their machines at home for information that shouldn’t be stored there and sitting around their home. For that matter, I wonder how many of these same workers would be happy to have their work notebooks (I mean the old-fashioned pen and paper kind as well as their laptops) checked if they take them home in their bags or briefcases?
So why do I claim that there is a clash of cultures? Eric Schmidt, former CEO of Google, famously said that “privacy is dead, get over it”, and whether or not you agree that he should be this blasé about many people’s deep-seated need for and right to privacy, you would have to be living as a hermit somewhere not to notice that he at least has a point. One quarter of all internet activity is on Facebook, the social networking site, and I very much doubt that all of those users, 800 million roughly, are highly skilled at protecting their online security. Most people are proving that they don’t care THAT much, and that convenience and fun are a good trade-off for perfect privacy. Google themselves aggregate frightening amounts of information about you, and use it to target highly specific adverts to you. (I am currently getting pop-ups about new Android phones as I read a few articles about the latest ones.) Few people avoid Google search and in fact much of the web as a result. I think the conclusion is that we say we care deeply about information privacy, but we are proving on the whole to be remarkably cavalier about it! Perhaps a case of “act on what I say I believe, not on how I actually behave”. This comes full circle to schools, companies and organisations again. We say publicly that information security is important to us, but I’ll bet that teachers’ home computers are littered with text about children’s reports that they have not got round to deleting, or worse, that it is just more convenient to keep there for future reference.
This culture clash is between a clearly established trend towards information convenience for all of us and a public that is capable of becoming righteously indignant over privacy breaches. This makes information security something of a “fluffy cat” issue for us; by which I mean, we enjoy stroking and playing with the fluffy puss, it gives us comfort and fun (work with me here dog lovers), but it still has claws and even the most ardent felinophile will confess that the claws appear from time to time; it’s just rare and a bit difficult to predict when…
So what is the answer? Predictably, corporate ICT departments and information officers will simply insist that no information is ever taken out of the workplace and that rules about file encryption and data protection are utterly sacrosanct, but it won’t make any long-term difference. People are blasé about personal devices and the privacy of others (even when righteous about their own, in my experience), and this genie is out of the bottle. As with everything in a complex world, the first instinct is to push harder on the rules and approaches that used to work, but we must eventually bow to the complexity, try to talk more about it, and come up with new solutions for new times.
Perhaps the answer is for workers to be given fully encrypted machines which they own fully (perhaps paying for them gradually from salary) and with no unrealistic restrictions, so that people will want to use them and mixing business with personal won’t be such a danger.
Perhaps giving workers free encrypted USB drives to use so that they won’t use unencrypted personal ones (so often!).
Perhaps going paperless to ensure that all work is on a password protected machine.
Anyway, going backwards to old-fashioned ideas will make security managers feel safer, but it won’t solve the problem.
(Note to fellow physics teachers: I know I have shockingly oversimplified entropy, sorry, and to paraphrase Schmidt: Get over it).