Weaving news into awareness
Today I've been searching for news items to illustrate the awareness materials on workplace security, particularly incidents involving corporate information.
At first I thought maybe we have over-estimated the risks: Googling for, say, "office security" brings up stacks of news about MS Office but not so much on traditional office break-ins, fires and the like. "Commercial burglary" was a more productive search term but still not exactly overwhelming. Likewise searching for "theft from vehicle" leads to a plethora of brief police incident logs and the occasional news piece about laptops and other IT gizmos stolen from parked cars - seemingly just opportunistic thefts by druggies.
Digging a little deeper, though, I realized that those police incident logs indicate a level of crime so widespread and commonplace that it is barely newsworthy any more. Tot up all those little incidents involving theft of computers, laptops, iPads, smartphones and the like, including that aren't even reported to the police, and the sheer scale of it is almost overwhelming. It's not that it isn't happening, so much as it is tolerated by society, expected even. We've become complacent, especially now that the technology is so cheap as to be disposable - not so the information content however.
Digging deeper still, I've been reminded of several more serious incidents reported recently - things such as the enormously disruptive incident at British Airways when a data center power problem took out their main and backup servers, plus the questions raised about Oval Office security after a Russian commercial photographer was able to enter and take pictures - and conceivably plant bugs - inside the office.
Then comes a raft of incidents involving thefts of computers from the offices of professionals such as doctors, lawyers, accountants and tax advisors. Some of these are 'reportable incidents' in that they involve loss of personal information with the potential for identity fraud on hundreds or thousands of people, begging serious questions about why the information wasn't encrypted.
In the UK, a few politicians and counter-terrorist professionals have been snapped lately by the paparazzi carrying highly confidential paperwork in plain view. Doh!
And finally the incidents involving trusted insiders such as Snowden and Manning simply walking out the door with extremely sensitive information concealed about their person ... or stored in their heads, which thought opens a huge can of worms.
So, now we're busy weaving that little lot and more into the awareness seminars and briefings, using real-world incidents to 'tell the story' about workplace information security. It's all very well for us to blabber on about theoretical risks, but genuine incidents bring our points home with a bang. The awareness value of news reports? Priceless!