Monday, I attended an Ernst & Young media luncheon presenting the company's 2011 global information security survey. You can read my writeup here of the survey's findings and some of E&Y's suggestions for how to plug holes in security practices. There's a lot of good stuff in there and it was a really engaging presentation.
However, I came away from it with this thought: I simply don't think we care about data security as much as we say we do. This isn't meant to be a lecture — by "we," I don't mean "insurance technology executives," because I'm (obviously) not one. I mean "we," as in the people who participate in this technology- and information-based world. But some of us do (or will) become technology executives, and therein lies the problem.
Jose Granado and Chip Tsantes, the E&Y principals who presented the research, spent much of the first half of the luncheon talking about how companies were missing the boat on information security and the current preferred tactics for fighting data leakage were inadequate. They talked about how, often, companies weren't even aware there was a breach. Then, they said that 49% of the 1,700 firms surveyed believed their information security function was meeting the needs of their organization.
I raised my hand and asked, "In your opinion, are they right? That is, do half of the corporations on Earth have adequate data security functions?"
They looked at each other and Granado said, "Well… This is self-reported." You can read between the lines.
In the second half of the presentation, I understood why information security experts must think we're nuts. In introducing a part of the presentation on the unique security risks of tablets, Tsantes said, "A CEO could buy 20 of these for the board and demand every board packet be put on it immediately, with no warning" — that is, they don't care about the potential risk, they just want the capability.
I asked what makes tablets and smartphones especially vulnerable, and Tsantes explained, "These [operating systems] are made for sharing… It's difficult to make sure it's not sharing something that it shouldn't." Why are these OSes keyed towards sharing? Because social media is becoming the default communication mechanism of our time, and it often leads to unintended data leaks. (Haven't we all seen, in our Twitter feeds, someone who thinks they're texting a friend, but in reality is broadcasting that thought to the entire world?) "Once something is up there, it's not coming back," Tsantes warned.
Mobile device proliferation, social networking, cloud computing — all these great advances in IT over the past decade have introduced new, easily exploitable security risks. Deep down, I think we all know the best practices for preventing them. But how many of us follow them? Do we all have passwords longer than 10 characters? Are we careful not to expose too much on social media? Have you vetted the security of the cloud server housing your files?
Maybe those of you reading this do, because you know the risks associated with these technologies. But more people don't, because of the expedience of not following these practices. Who wants to remember 15 different dozen-character passwords? Why can't I just use the free cloud storage? And, the people establishing these habits are going to work at the insurance companies of tomorrow, and they're going to have an expectation that they're going to be able to access company systems from their personal tablet, with its socially optimized operating system, while storing the files they need to work with in the cloud. As Gerald Shields, the former CIO of Aflac who's now working as a consultant for R.E. Nolan, told me in an interview this fall,
I anticipate that in five years, most companies will allow employees to bring their own devices. You are getting these digital natives coming into your workforce. Some people want to ignore it. But those people are going to find ways to do it on their personal device, whether the company sanctions it or not. Figure out how they work in your environment, what mobile device management software you want to use, and embrace it.
Of course, as Tsantes said Monday, "You should just assume every device someone has is compromised and adjust for that." It might not seem like the best decision, then, to allow people to access your network from them. But with an eye towards the inevitability of it happening, he suggests that companies teach people how to be vigilant in their digital lives and hopefully begin a chain reaction that will carry on to their friends and family (especially children) and result, down the road, in a more vigilant population.
That's probably a good start. Someone has to begin promoting data security as a value in people's personal lives in order for it to be valued in the professional world. Because right now, most people just don't care about their risk level.