Why should I care if privacy is dead?

Scott Robertson is the latest in a long series of pundits to echo Eric Schmidt and Mark Zuckerberg in proclaiming the death of privacy. Whether you think it’s a loss to be mourned or a chain to cast off joyfully, it’s clear that attitudes to privacy in our personal lives cross over into our professional behaviour.

Today’s 20- to 30-year-olds have grown up with digital communications pervading their lives; they’ve also seen the growth of celebrity, and with it the rise in prurient exposure of every detail of the otherwise private lives of those in the public eye.

This pervasiveness – and, perversely, the very prurience it provokes – seems only to feed a desire to share, and to be seen to share. Not only does sharing sometimes seem more important than doing, or enjoying, it also appears disconnected from consequences.

Something about the proxy nature of internet communications leads people to say things that, whether in content or style, they would be unlikely to say face to face. This is not reserved for the apparent (and illusory) anonymity of internet forums, chatrooms and comment threads, either, but carries through into the much more readily identifiable arenas of Facebook and Twitter.

None of this is news. Commentators far more illustrious than I have written about it at length. So why do I bring it up, and how is it relevant to enterprise IT?

This generation are part of the workforce. They don’t just bring their own devices to work, they bring their attitudes too. In some ways this is a positive; they collaborate better, communicate faster and more often and look outside the organisation for advice and insight.

On the other hand, they have different instincts about disclosure. This doesn’t just mean sharing inappropriate photos on the company intranet; it’s about a fundamental difference in the instinct for confidentiality.

Most company security policies require interpretation to be useful; with their accompanying guidelines, they help staff decide whether or not a given action is appropriate. They’re often written by people for whom “need to know” and “least privilege” are gut instinct as well as trained response.

If in your personal life you tell almost everyone almost everything as a matter of reflex, whether it’s your precise location, your plans for the evening or your relationship status, it’s pretty hard to remember to play secret squirrel when you’re at work. It may not occur to you that where you are, where you’re going and whom you’re talking to might all give precious competitive information away. Nor do you necessarily remember to censor tone and content in comment posts and tweets when referring to your employer, your workmates or your duties.

It’s not just reputation damage from ill-advised commentary and competitive risk from circumstantial data, either. Forgetting that tweets are publicly visible and telling the world that you’re working late in the office on the company X IPO could constitute a regulatory breach. Telling me all about your life through Facebook and Twitter could give me everything I need to hack your bank account, or your company login.

As IT security professionals, and as senior executives, we need to remember this difference in outlook, and incorporate appropriate guidance into our policies. We need to focus on creating an instinct for confidentiality as part of our security awareness training.
