This speech was delivered at the GAP Congress on Regulatory Affairs: "Opportunities for Business" on 26 September 2008.
Of late Symantec has needed to think pretty hard about the things that our software needs to do, and the regulations it helps government and industry comply with.
The reason we're thinking about this has not been because hackers and criminals are getting much, much smarter. Those guys are always improving, and we already invest a lot of time and energy staying a step ahead of hackers.
The thing that's getting us thinking is the good guys: you, me, your friends. And the reason it's making us think so hard is Web 2.0.
Web 2.0 is an opportunity to embrace innovation, not a reason to scare Australia or make people worry more about security and the complexity of managing regulation. It is worth looking at what Web 2.0 is and how Australians are behaving online these days.
To start, let's ask what is Web 2.0? The definition is kind of loose. But the easiest way to do it is to look at Web 1.0, which was pretty passive. Older websites were all about reading. Web 2.0 is all about writing.
Australians are embracing Web 2.0 in all sorts of ways. In fact, just this month, the federal government released the report on the Review of the National Innovation System Venturous Australia, which details recommendations for remodeling the nation's innovation system.
Among 72 key recommendations was a call for an advisory committee of Web 2.0 practitioners to be established to propose and help steer governments as they experiment with Web 2.0 technologies and ideas. The report indicated that: "Governments should be as open as possible to experiments with Web 2.0 approaches."
In addition, Symantec did research into this earlier this year and the results show that Australians are really getting into this Web 2.0 world.
Here are some interesting bits of data from the survey:
- 47 percent of Australian adults and 54 percent of Australian children use social networking sites
- 54 percent of Australian adults surveyed had made friends online. Of those users 65 percent have translated these online friendships to their offline world
- 54 percent of online adults globally prefer their online friendships the same amount or more than their offline friendships
- 29 percent of Australian adults online globally feel comfortable socialising with strangers online
So I think it is fair to say that Australians have pretty much embraced Web 2.0.
What we might not have thought about is that the things we write when we participate in Web 2.0 are visible to the world. And the information posted to these sites can have some pretty interesting ramifications. Famously, the media learned about the breakup of the relationship between two famous Australian Olympic swimmers when the status on their social networking site changed.
When you do stuff in public, which is what Web 2.0 is all about, you need to realise that people will take it the way they want to, not the way your friends will take it. I think that is a very big, important lesson about Web 2.0. And so perhaps a better definition of Web 2.0 is that it is about an exchange of ideas and information in public!
People are doing this on a vast scale -- we're seeing social networking sites appear around the world and there are hundreds of millions of blogs out there, as well. And this stuff is mushrooming like you would not believe. About 18 months ago, a service that allows you to blog 140 characters at a time, a bit less than an SMS message, began to appear. The idea of this service is that you post a short message about what you are doing RIGHT NOW.
People often send some pretty boring stuff. It's common to read messages like "I'm going out to buy some milk." Now that may not sound like fun to you, but millions of 'micro' bloggers disagree. I mention this because I want to show you just how much Web 2.0 activity is going on out there and explain how real this is to people.
But before I do that, there are two major demographic changes currently occurring in Australia that I would like to highlight. The first change is one that economic demographer Bernard Salt refers to as the demographic fault line.
Essentially, this is the baby boomers starting to leave work in greater numbers than Generation Ys coming through to fill the void, giving rise to the current skills shortage.
The other change in the workplace is that as Generation Ys report for work, they bring with them a whole new set of attitudes to technology.
The group for which Web 2.0 is most important is younger people, labelled either "Generation Y" or "Millennials".
Research we have conducted suggests that two thirds of millennials use social networks every day.
In Australia's tight labour market, younger workers - often millennials - have made a point of saying that social networks are a critical part of their lives.
They'll tell you that they have grown up with social networks and that they use them to communicate with friends and colleagues as naturally as Gen-X's like me send email!
The idea of restricting or blocking workers' access to Instant Messaging is pretty way out these days. And millennials will tell you that restricting access to social networks is also madness.
There are all sorts of arguments to be made there, because it is a little hard to understand just how giving someone access to a social networking site makes them more productive! However, many organisations are developing their own persistent virtual worlds to deliver education and training content in new and engaging ways.
The Millennials' deep affinity to social networking tools, loyalty to mobile devices over corporate equipment and instinctive sharing of information pose challenges to business today.
These behaviours are driving the consumerisation of IT and place workers at odds with information risk policies. The picture emerging is shown by research from Applied Research-West.
- 75% of IT respondents had policies restricting corporate data on personal devices
- 45% of Millennials confined themselves to company-issued devices or software.
- 69% used applications, devices or technologies regardless of source or corporate policies.
- Inclined to store corporate data on own PCs, USB drives, personal hard drives, online collaboration mediums and smart phones.
These findings demonstrate that in the modern workplace, there is every chance that plenty of people on your staff are going to be using one of the many, many social networks or other web 2.0 tools out there. And they'll be using them while they work.
If you think back to the examples I mentioned earlier, about the scandals that erupted when athletes posted material on a social networking site, you'll quickly understand the potential for seemingly innocent things to get out of hand.
And let's consider the 'micro' blogs again, while we are thinking about the potential impact of people using Web 2.0 at work.
You can use 'micro' blogs from the Web, or by SMS. And everyone in the world can see everything you send, just by visiting the 'micro' blog website.
So even if you prevent access to these sites, your team could be sending news of what they are doing in the office out into the world.
If they are talking about buying some milk, that's not a worry. But if they send a message like "Have just been briefed on next week's product launch", you've got something of interest to all sorts of folks.
The lesson to learn here is pretty obvious, namely that social networks and Web 2.0 represent a new way for information to leave your business.
Now some people would say that the bad guys could not possibly be looking at a blog post to try and find a way to attack your business. But the opposite is true. The bad guys realised a long time ago that brute force is not the way to get things done.
And if you have a quick think about the recent history of hacking, you'll see how and why. Computer viruses have been around for a long time now. And about a decade ago, viruses made a big splash. Anyone remember the "I Love You" virus? It emailed everyone in your address book. That was a pretty big inconvenience and that virus got squashed flat. Hackers took note of that, and they also noticed that while I Love You made a mess, it didn't make any money.
These days, criminals still write viruses and other malware like key stroke loggers and screen scrapers. But they don't bother making a splash.
Symantec's twice yearly Internet Security Threat Report - a major, global piece of research we do into current security threats - tells us hackers are far keener on making money. They do so in a variety of ways, but the best way to do so is by getting their hands on information.
A great piece of information is a user ID and password. A criminal can use that to steal your identity and empty a bank account. In fact, the Australian Federal Police estimates that identity fraud costs the community up to $4 billion per year.
Additionally, the Australian Payments Clearing Association reported in May 2008 that the largest component of credit and charge card fraud relates to card-not-present and cross-border fraud - online fraud. Even though technology drives global markets it is also driving a mature underground economy based on supply and demand and fraud prevention continues to be a key priority of the security industry.
We are also seeing that other information is also valuable. Some files about your next product have value in the criminal underground. Another attack sees criminals encrypt all your data so you cannot read it ... then demand a ransom to make it all readable again.
These attacks have made it important to protect the data in your business and the community has therefore recognised that there are several things to defend against. One is portable storage devices.
By now, most businesses have recognised, for example, that allowing employees to bring their portable music devices to work so they can listen to music is not a bad thing. But many have also woken up to the fact that these can now contain massive hard drives - the newest models released a couple of weeks ago can store 160 gigabytes! These devices have fast connections and can "slurp" data out of a PC in a few seconds. Because they are just a portable music device, we all see dozens of them every day; no-one used to worry that a staffer walking out the door at the end of the day could also be walking out with the blueprints for your next product or information relating to your next M&A activity.
But business has now woken up to this problem, and the similar risks that come with email, USB memory sticks and a whole range of other technologies. Email, IM, wikis, share points are all other ways data can leave your control.
So how can organisations manage risk in this new, Web 2.0 environment? Technology is one answer. We are responding to this problem with a technology called Data Loss Prevention (DLP). DLP makes it much, much, harder to take documents and data out of a business by email or portable storage device.
But social networks represent a new problem. People now have so many ways to communicate, from so many devices, that the chance for business information to leave the building is high.
When information leaves the building, bad things happen. I've outlined some of them above. But of course information does not have to reach criminals for bad things to happen.
Recently confidential information on CD has been left in an airline's business lounge, a major retail events company accidentally emailed its database to customers, and information on prisoners and a whole bunch of police records went missing on a memory stick. Laptops, phones, CDs and DVDs all get lost and stolen. A combination of policy and technology can help prevent these things from happening. It's interesting to note that on average 96% of data breaches are accidental or inadvertent, i.e. not malicious.
But I have to admit that we share a common trait with any other business: imperfection. Tools are good. But they cannot stop every scenario in which someone does something silly. Nor can they stop people leaking information using Web 2.0 tools, especially when that leakage is an inadvertent result of forgetting about the reach of those tools.
In the future, we expect it will become even harder to lock down information. The bad guys will get worse. More and more communications tools will become available, making it harder and harder to control them all. And organisations will have to strike a balance between controlling risks and offering choice, flexibility and maximising productivity.
This changing nature of the workforce, work habits and work life, all impact regulation both current and future, and its role in securing a Web 2.0 world.
In the USA, several states now have laws that make it compulsory to disclose when private data is lost or in some way removed from conditions of appropriate safety. Australia is looking very hard at the same kind of laws.
Just recently the Office of the Privacy Commissioner published its draft voluntary data breach disclosure notification guidelines and the Australian Law Reform Commission concluded its largest research and public consultation which recommends 295 changes to the 20-yr-old Privacy Act to help keep pace with the information age.
Professor Weisbrot from the Australian Law Reform Commission explains the current Privacy Act, legislated in 1988, was created in a completely different environment before technologies like the Internet, e-commerce and social networking augmented the challenge of safeguarding personal information. Commissioners didn't have mobiles, PCs, email, digital cameras, broadband. Since then, the information we gather has stayed the same but technology has allowed us to access, control and manipulate it much more easily.
E-medical records, online banking, social networking, collaboration are just a few technologies revolutionising the relationship between public databases, individual privacy and third party users.
Symantec welcomes the introduction of mandatory notification of consumer data breaches in Australia. We welcome this regulation because breach notification disclosure requirements create a powerful educational imperative for businesses, individuals and policy makers. We think that imperative is useful, because we know the bad guys are hard at work trying to steal data.
And as I explained earlier, it is easy to recognise how Web 2.0, which is in the workplace and will be hard to get out, makes the risk of leakage higher every day.
Regulation that encourages organisations to take this issue seriously is a good idea. Because it is costing the economy, both in financial terms and in consumer trust. We feel that additional regulation could also be useful.
Australia's cybercrime legislation, for example, is strong at federal level but lacks the buttress of strong, complementary State laws covering unauthorised access to computers, computer-related fraud and computer-related forgery.
Our Anti-Spam laws could usefully be amended so that instead of email recipients having to opt-out of receiving unsolicited email, they must positively and actively opt-in before it is possible to send any commercial communications.
But the most important thing we can all do, as I think some of the social networking incidents I discussed earlier illustrate, is educate ourselves and our people about how the tools we use today can spread information; and how the people that can access that information are likely to use it.
Finally; regulation, education .... and a little common sense, are the things that will really let us all take advantage of the extraordinary opportunities technology offers whilst managing risk, complexity and compliance, to give us all confidence in a connected world.
Vice president for technology security company Symantec Asia Pacific, Craig Scroggie is also a graduate and fellow of the Australian Institute of Company Directors, a fellow of the Australian Sales & Marketing Institute serving on their National Advisory Committee, a trustee for the Committee for Economic Development of Australia, and is a non-executive director and board member of the Storage Networking Industry Association (SNIA).
________________________________________
Craig Scroggie was a keynote speaker at the GAP Congress on Regulatory Affairs, held in Parliament House of Victoria on 26 September 2008 in Melbourne.