Personal Privacy and Information Security in a Constantly Connected World
In the book Nineteen Eighty-Four (published in 1949), author George Orwell wrote of a future dystopia in which an all-seeing force tracks the movements of all citizens in a mythical country called Oceania. Surely, no reader of this article believes that Orwell's vision of "Big Brother" has not become, at least, technologically possible in America today. The technology is certainly in place to track the day-to-day, hour-to-hour, or even minute-to-minute activities of most knowledge workers.
Our electronic fingerprints are everywhere, from E-ZPass toll booths, to credit card readers, to bank ATMs, to AOL/Gmail/Hotmail messaging, to cell towers, to Facebook and other social networking sites, to ... you fill in the blank. Anyone who believes that he or she can disguise or camouflage their electronic existence is seriously delusional. Anyone who believes he or she can maintain multiple electronic personas -- a work persona, a play persona, a parental persona, a political persona, etc. -- needs to read Internet Protocols for Dummies.
Most IT shops instinctively turn discussions about information security into debates about network engineering, spawning endless conversations regarding future technology investments that will help secure the transport layer, the network layer, the data link layer, etc. IT groups instinctively avoid a discussion of the social engineering and social discipline required to truly protect a company's information assets.
Let's take a simple analogy that everyone can relate to. I personally have no desire to share my annual W2 forms with my college-aged children. They are already getting enough of my money. The last thing I want them to realize is the remaining amount that they aren't getting. The technology solution to this problem would be to reserve a room in my house for my confidential W2 files, secure it with retinal eye scan technology, install laser intruder alarms in the room to thwart unwanted visitors, and finally require fingerprint scans to open the file itself. The simpler solution is that I just put the W2 forms in a place where they can't get them. Embargo all access -- it's worked so far.
The same thing is true in private industry. Go talk to a hedge fund company or an investment firm that caters to "high wealth" individuals. Undoubtedly, these companies will have sophisticated technology to secure their IT assets, but more importantly, all employees will realize that their livelihood and personal job security are critically dependent upon avoiding the leakage of sensitive information. When USB ports are disabled on their PCs, they don't complain. When they are told that they can't have remote access to company systems, they don't complain. They "get it": An inadvertent security lapse could put them completely out of business and out of their jobs.
Many high-tech companies also "get it." When their executives travel overseas, they leave their personal PCs and BlackBerrys behind and employ loaner devices that carry only the information required to conduct the activities scheduled for that particular trip. Their intellectual property is too valuable to be transported casually outside the confines of their company's labs and headquarters.