If you want to protect your intellectual property, worry less about online security controls and more about loyalty. If your employees care, they are less likely to share with outsiders.
In the past week, Microsoft has changed its standard terms of service agreements. As reported by The Verge:
Microsoft’s revised policy allows the company to access and display user content across all of its cloud properties. Whereas the previous version of the TOS granted Microsoft the right to appropriate user content “solely to the extent necessary to provide the service,” the terms now state that this content can be used to “provide, protect and improve Microsoft products and services.”
Commentors on the article noted that this was a somewhat hypocritical move. When Google made a similar change to their terms of service just 6 months ago, Microsoft took out adverts in major newspapers to spread a little FUD*. Covered by the IdeaLab at the time, Microsoft felt the need to advise everyone:
Google is in the midst of making some unpopular changes to some of their most popular products. Those changes, cloaked in language like “transparency,” “simplicity,” and “consistency,” are really about one thing: making it easier for Google to connect the dots between everything you search, send, say or stream while using one of their services.
But, the way they’re doing it is making it harder for you to maintain control of your personal information. Why are they so interested in doing this that they would risk this kind of backlash? One logical point: Every data point they collect and connect to you increases how valuable you are to an advertiser.
Hmmm….
Hypocracy aside, and pity the Microsoftie that has to keep a straight face explaining the about-turn, the changes in terms of service are no surprise. Enabling content to be integrated across services does offer the potential to improve the services and yes, also the potential to earn more money from advertising. A necessary factor when offering ‘free’ services to consumers. Somebody always pays.
Dropbox is a popular online file sharing tool and has also come in for criticism. A recent article by Varonis highlighted that Dropbox holds the keys to encrypt and decrypt to your data on their servers (their emphasis, not mine). They have to, both for feature reasons – the file sharing element – and for legal reasons. What does this mean?
This means that a Dropbox employee could theoretically view (or steal) your data
O! M! G!*
Before you start worrrying abut Dropbox’s employees, look closer to home… A recent study by the Ponemon Institute found: (my comments in brackets…)
- 90% of organisations in the study had experienced leakage or loss of sensitive or confidential documents over the past 12 months
- 71% of respondents say that controlling sensitive or confidential documents is more difficult than controlling records in databases (surprised it wasn’t higher than that)
- 70% of respondents say that employees, contractor or business partners have access to sensitive or confidential documents even when access is not a job or role-related requirement
- 63% of respondents do not believe they are effective at assigning privilege (permissions) to [manage] access to sensitive or confidential documents
Hmmm….
So to summarise, most organisations do not have adequate controls to manage their intellectual property when it is in document form, regardless of where it is stored. If that’s the case, accept a simple fact. If a document exists, at some point you may lose control of it. The terms of service for online storage are the least of your worries.
So what’s a business to do?
Whilst I would not suggest throwing out the security controls and it sounds like some organisations could do with improving them, I would encourage putting more effort (and investment) into making sure employees care. People who feel loyal to a cause will protect that cause.
Over this last weekend, Lewis Hamilton grumpily shared an Instagram picture of the McLaren Formula 1 team telemetry sheet, showing his and his team mate Jensen Button’s performance during qualifying. Reported today in The Times:
Christian Horner, the Red Bull team principal, could not contain his mirth as he claimed his engineers were poring over data that is usually restricted only to McLaren’s drivers and race engineers. Hamilton deleted the tweet but it was too late.
Oops…
What security system could have prevented that? A photo of a print-out shared via Twitter by someone paid an awful lot of money to win races in part based on the intellectual property held in said photo. But who was having a particularly crappy weekend with the team, again… Naturally the PR machine is now in full throttle (pun intended) and McLaren claims the data loss is no big deal.
How employees feel about the company will have a far bigger influence on maintaining control of your data than any security system, digital or physical. The ‘vibe’ of the office matters more than most people realise, for so many different reasons – productivity gains, collaborative working, knowledge sharing and yes, protecting intellectual property from prying eyes.
References
- Updated service agreement allows Microsoft to integrate content across cloud services – The Verge, September 2012
- Microsoft attacks Google Privacy Policy with ads – TMC IdeaLab, March 2012
- Marco Arment on Dropbox: Don’t use it for anything valuable – Varonis, July 2012
- What Facebook Knows – MIT Technology Review, July 2012
- 2012 Confidential Documents at Risk Study – The Ponemon Institute, August 2012
- Lewis Hamilton leaves a trail of debris after a Tweet too far – The Times, September 2012 (sub req’d)
- Lewis Hamilton Tweet has not caused us much harm [says] McLaren – BBC News, September 2012
* FUD = Fear, Uncertainty and Doubt. What competitors like to create about rivals in customers’ minds
* OMG = Oh My God/Goodness, depending on your religious slant, often delivered with a twist of sarcasm.
Joining Dots 