Platt Perspective on Business and Technology

Developing and managing productivity tools so as to encourage and promote productivity – 2

Posted in business and convergent technologies, HR and personnel by Timothy Platt on December 6, 2012

This is my second installment in a follow-up series in which I seek to outline core issues related to personal use of business-provided and work-supportive information technology. I began this in Part 1 by noting enough of the history of this challenge to indicate that it is at least as old an issue for businesses and workplaces as information technology itself. Private and personal use of business resources per se by employees makes the basic underlying issue even older. But my goal here is not to look into personal use of penny blacks by mid-19th century British clerks (the penny black was the first mass-produced, adhesive-backed postage stamp, first released on May 1, 1840). My goal here is to discuss this in terms of the new and still rapidly emerging capabilities and vulnerabilities of 21st century information technology, and particularly as this involves:

• Web 2.0 and the advent of the interactive online experience,
• Social media and
• The increasingly ubiquitous spread of handheld online interfaces with smart phones, tablet computers and more,
• And the “bring your own technology” trend, in which employees bring their own devices and use them in ways that blur the distinctions of time and space between the personal and private, and the professional and business.
• And that is why I include this series in my Ubiquitous Computing and Communications – everywhere all the time directory as well as in HR and Personnel.

And I begin this by proposing a basic and even axiomatic assumption that all of my experience has served to validate, and that I am confident is consistent with the experience of others too:

• The more flexible, powerful, immediately connective and ubiquitous an information technology is, the more it lends itself both to creating new sources of value and to creating new sources of risk.
• And the more likely it is that significant measures of that new risk will come from patterns and practices of personal use.

What I write of here in many respects mirrors the arms race of the cold war, though I add this same view applies equally to the race between legitimate systems and resource users, and those who would block them or compromise them with computer viruses, phishing attacks and the like. The important point in that comment is not to suggest parallels between either business systems or employee users and black hat hackers. It is to note how the issues raised here are not and cannot be resolved definitively, and once and for all. I stress this because the marketing messages of information security software providers and systems security vendors often present their offerings as definitive – even if they do tell you that you need to subscribe to their update services.

Sources of opportunity and corresponding sources of risk will continue to evolve and coevolve and very rapidly. So any viable approach for managing this cannot be found in some single definitive technology-based solution. It has to be grounded in a more comprehensive understanding of the current context that Information Technology functions in, and it has to continually seek to anticipate new and emerging threats as well as new sources of positive opportunity. And one of the most important tools in this is to continually assess where resources and allowed usage practices encourage or limit what users will try to do that might cause or increase systems risk.

To take this out of the abstract I would cite two working examples, one long-standing and largely addressed, the other newer and still emerging: email system vulnerabilities, and the still rapidly evolving if seemingly ubiquitous challenge of bring your own technology.

Email system vulnerabilities as an historic but still relevant example: I want to begin this part of the discussion by repeating, at least briefly, an account of a specific event that I have cited in earlier postings, but that offers crucially important insight for this discussion too. I was working as webmaster at a large nonprofit a number of years ago, and as a member of their Information Technology department. So I frequently found myself talking with and working with people from other services in that organization and from other lines on the table of organization. Since I worked with computers for a living, I was often told about problems, issues or events that were computer related, even when those people had taken them to the IT department help desk for actual resolution.

A very bright and personable secretary came onboard to work at one of the departments I worked with a lot, for tasks involving their online content and services. And as a part of her onboarding she was set up with a new work email account and assigned a newly refurbished computer. And she opened her email and started responding to the new-employee and getting-to-meet-you emails that she started receiving. And about an hour after she started work on her day one at her new job the president and CEO of the nonprofit walked over to her cubicle to ask her why she had just sent him a virus – in this case it was the love letter computer worm. And two details to this jumped out at me:

• This organization had been plagued by ongoing recurrences of this computer worm, no matter how quickly and efficiently it was cleaned out of infected computers, and
• This was a new hire who was using a computer that had been updated for her – with a complete hard drive reformatting that deleted anything already on it, followed by a reinstallation of the operating system and work software, security software included. So unless this computer was set up for this new hire with contaminated software, which seemed unlikely, there was no love letter worm on it when she first started it up. And the emails she had received were very few in number and were mostly generic messages from sources such as Human Resources.

It was always possible one of those emails she did receive was carrying this worm as an unintended addition, but it crossed my mind that there might be a second reason for this to have happened – and particularly when conversations with the help desk confirmed that it was common for newly set up computer users to get infected and essentially immediately. It turned out that the email system server was infected with a worm that caused it to generate and send an infected email to new email accounts – and the email this new secretary saw appeared to be coming from the CEO, and all she did was to reply. That is how she actually came to send him this executable package, reinfecting his computer – again.

Computer viruses and worms have been around essentially as long as there have been personal computers for them to infect. They have continued to evolve in step with efforts to identify and block them before they can do damage, and even before they can get into a targeted computer. This represents a next-level attack beyond that of simple spread through distribution of emails with infecting attachments. Here, a software package was built and sent out that was to remain inactive and unnoticeable on a server until activated, that would not cause any noticeable changes in the infected machine, and whose function was to spread a more overtly malicious package to other computers in the network when specific criteria to go active occurred – but only then. This arms race has continued from there, and this particular software combination is anything but new now.

• What can an Information Technology or Risk Management professional do to limit this type of event, and both for its likelihood of occurrence and for the level of damage from it if it does?
• Employee training and from day one is obviously important, with for example: guidelines on opening attachments from unknown sources, and basic training as to what to look out for in the subject lines and bodies of emails received.
• But this was a new employee who had not been on her new job long enough to have had any particular training opportunities there. Training per se has to be seen as a second line of defense, behind systems and processes that make it harder for malware, in this case the worm, to get through.
• And this would include setting up and monitoring that email server so that an infection on it is caught more rapidly.
• And it would include setting up the email system to check every in-house email for attached executables, and with automatic backtracking so the sending computer could be reviewed and cleaned of infecting malware if need be.
• And in an ideal world, user interfaces for employee software would be designed to encourage safe usage practices and to make problematical behavior just a little harder. (In this case that might mean warning the recipient of an email if it has an executable software package attached, and that it might be infected with malware. So they should call or otherwise check with the sender before opening it, and certainly if they are not expecting an email with a functioning program or app included.)

I will add that similar malware packages can be hidden in Microsoft Word files as macros, and in packages designed to travel through infected flash drives, and by numerous other routes. So even this basic form of attack and source of threat and risk continues to grow and evolve.
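A gateway-side check along the lines of the measures above (flag executable attachments on in-house email, record the originating relay so the sending machine can be traced, and warn the recipient to confirm with the sender), with macro-enabled Office extensions included for the point just made about Word macros. This is an added illustration, not code from the original post; the extension list, the example.org addresses and the sample message are assumptions constructed for it.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types the gateway holds or flags (assumed policy list; docm/xlsm cover macro files).
RISKY_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
              "wsf", "hta", "ps1", "docm", "xlsm", "pptm"}
DOUBLE_EXT = re.compile(r"\.(txt|pdf|jpg|doc)\.[a-z0-9]{1,4}$", re.I)  # e.g. note.txt.vbs

def attachment_risk(filename, payload):
    """Return why an attachment looks executable, or None if it passes the checks."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if payload[:2] == b"MZ":  # Windows PE header: content wins over whatever the name claims
        return "PE executable content"
    if ext in RISKY_EXTS and DOUBLE_EXT.search(name):
        return "double extension hiding a script"
    if ext in RISKY_EXTS:
        return f"executable/script extension .{ext}"
    return None

def scan_message(raw):
    """Parse a raw RFC 5322 message; report risky attachments and the originating relay."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    # Each relay prepends a Received header, so the last one names the first hop (for backtracking).
    hop = re.search(r"from\s+(\S+)", received[-1]) if received else None
    report = {"sender": str(msg["From"]), "origin_host": hop.group(1) if hop else None, "flags": []}
    for part in msg.iter_attachments():
        reason = attachment_risk(part.get_filename(), part.get_payload(decode=True) or b"")
        if reason:
            report["flags"].append((part.get_filename(), reason))
    names = ", ".join(n for n, _ in report["flags"])
    report["warning"] = "" if not names else (
        f"{names} from {report['sender']} may be a program; confirm with the sender before opening.")
    return report

def build_sample():
    """Constructed sample (not a real capture): an internal mail carrying a disguised script."""
    msg = EmailMessage()
    msg["From"] = "ceo@example.org"
    msg["Received"] = "from mail.example.org (10.0.0.5) by mx.example.org; Thu, 6 Dec 2012 09:00:00 -0500"
    msg.set_content("Please see the attached note.")
    msg.add_attachment(b'MsgBox "hi"', maintype="application", subtype="octet-stream",
                       filename="note.txt.vbs")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                       filename="handbook.pdf")
    return msg.as_bytes()
```

Run `scan_message(build_sample())` to see the flagged attachment, the first-hop host to backtrack to, and the recipient warning text.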

At over 1500 words at this point, I am going to stop this discussion for now. I will continue it in my next installment where I will at least begin a discussion of bring your own technology as it enters this discussion. And in anticipation of that I cite an earlier series that I posted here: Navigating the Bring Your Own Tech Puzzle (see Ubiquitous Computing and Communications – everywhere all the time, postings 141 and loosely following for Parts 1-4.) Meanwhile, you can find this and related postings at HR and Personnel. I also include this in Ubiquitous Computing and Communications – everywhere all the time.
