I've just returned from Aotearoa, where I have been speaking at events in the Sophos Signature Luncheon series. Now in their fifth year, these Signature Luncheons bring together experts and thought leaders in IT security for frank and open debate about the future of computer security in Australia and New Zealand.
We kick off these events with two or three short, invited presentations over food. Then we facilitate informal discussion under the Chatham House Rule. Simply put, this rule says you can tell other people what was discussed, but you mustn't say which person or organisation said what. The idea of the rule is obvious: to encourage openness and the sharing of information.
When we started the Signature Luncheons, the main topic of interest was how to keep the bad stuff out. Key issues under discussion included developments in anti-virus and anti-spam technology, the unfolding of the arms race against the Bad Guys, and the possible role of government and legislation in dealing with cybercriminals.
We're still concerned with all of these things, but today's security concerns are as much about keeping the good stuff in as about keeping the bad stuff out. So, at the latest New Zealand luncheons, we concentrated on the former. How do you prevent the escape of data which rightly belongs only inside your own network?
Few of us actually intend to lose our laptops, or to have them stolen, or to send out sensitive data to the wrong email address -- yet data escapes in embarrassingly large quantities in all of these ways. Cryptography, of course, is an important tool in preventing this sort of unwilling data leakage.
Nevertheless, encryption is shrouded in myth. Is a longer password invariably more secure, for example? Can all ciphers ultimately be broken? I gave a talk aimed at busting some of these myths -- on the right you can see me attempting to explain why a one-time pad is provably secure, and, ipso facto, invulnerable to a brute force attack.
But willing data leakage, exemplified by the casual attitude which many of us have to social networking, cannot easily be counteracted by technology alone. My fellow presenter in New Zealand was Paul Blowers, a Wellington-based security architect in the law enforcement and intelligence fields. He expounded on the dilemma which many organisations face: how to embrace social networking without giving away the crown jewels.
Social networking can genuinely enhance your business, for instance in recruitment, marketing and customer support. Even law enforcement can benefit: police in Queenstown, in New Zealand's south, celebrated their first Facebook arrest back in January 2009. On the other hand, even the well-meaning use of social networking sites by employees can result in the exposure of information which might better have been kept private.
Should you block social networking sites outright? Judging by the casual audience polls we have taken at our Kiwi luncheons over the past few events, far fewer organisations think so these days, at least in New Zealand.
In my opinion, this is a sensible move.
Informed employees who make reasonable use of social network sites during their working hours almost certainly pose less risk than ill-informed staff who cannot post at work yet are able to post at will -- including about their work, their employer and their colleagues -- after hours, either from home or from an internet cafe.