When security leaks matter

Laptop secure but not

There’s lots of news about the latest release of classified documents on Wikileaks. If you want to have a peek, The Guardian has a great visualisation to get started.

I had a mooch. Everything I scanned through was thoroughly boring. As is the case with most information, even the classified stuff.

Over the past 10 years, I’ve worked with numerous government organisations. When discussing intranets, collaborative sites and knowledge management systems, one of the most frequent concerns is how to secure access to information and prevent the wrong eyes from seeing it. It is no small irony that the first ever monetary fines applied by the Information Commissioner’s Office (ICO) this month were for breaches that had nothing to do with networks.

The first was a £100,000 fine against Hertfordshire County Council for two incidents of faxing highly sensitive personal information to the wrong people. The second was a £60,000 fine against an employment services company for the loss of a laptop.

Here’s another example. A fair few years ago, I was in Luxembourg to present at an EU event. The night before the meeting I was in my hotel room when an envelope appeared under the door. Assuming it was details about the event, I opened it and pulled out the documents. The first hint that the documents might not be to do with the event was seeing Restricted stamped across the top of the first page. The second indication was, when scanning the content, it became apparent the documents were something to do with nuclear weapons facilities across Europe. By that point, I looked at the front of the envelope to discover that it wasn’t addressed to Miss S Richardson (i.e. me) but was instead addressed to <insert very senior military rank I can’t remember> Richardson. A rather terse conversation took place in the hotel reception as the documents were forwarded to their rightful recipient.

All three examples above were security breaches due to stupid human error. None involved networks or bypassing security systems. But only one required legal intervention – the faxing of content to the wrong people that was both legally confidential and highly sensitive.

And that’s the rub. Most security leaks don’t matter. A few years ago, some idiot in the UK tax office HMRC downloaded oodles of personal details to a CD and then lost it in the post. If there has been a bout of serious identity theft as a result, I haven’t heard about it. Ditto for a more recent breach that managed to send addresses and bank details to the wrong people. More people have been affected by a cock-up in the calculation of tax due to incorrect data than from identity theft due to lost data.

Most of the content on Wikileaks is embarrassing to its targets (usually governments and/or large corporations) rather than dangerous. Yes, there are exceptions, such as the failure to redact personally incriminating information from documents that could put lives in danger. But they are the exception, rather than the norm we tend to assume when documents are classified as confidential.

One of the recommendations I give to clients looking to improve the use and value of their intranets is to devalue information. Make it easier to access. The confidentiality of most content is over-rated. Its importance and usefulness to other people is often under-rated.

For most organisations, content falls into one of three categories:

  • Legal – fines and prison (though that is rare) may result from failing to protect legal documents
  • Sensitive – contains information that could put at risk or be damaging to an individual or organisation
  • Everything else

There’s no arguing over legal documents. No prizes for guessing at least most content falls (or should) under Everything Else. And sensitive…whilst some is easily justified (such as research into a new prototype that you wouldn’t want your competitors knowing about) an awful lot is considered sensitive purely to avoid embarrassment or conflict. Sometimes people should question verbalising their opinions, let alone putting them in writing… And if you work in government, for goodness sake don’t save it on your laptop!

One closing quote whilst on the subject of securing information. Whilst it refers to anonymity, it equally applies to trying to hide information from public view, which too often appears to be the reason for confidential classifications: (apologies, I can’t recall the source)

Providing a level of anonymity is great for play but prevents accountability

Information is still sticky

Just over four years ago, I wrote a post called Sticky Information. It’s a topic I rarely see discussed but it can have a big influence on our decisions and actions. If we ‘like’ a piece of information, we will cling on to it often in the face of any attempts to alter that state. Equally, information that doesn’t fit our view quickly slips into obscurity. We do not treat all information equally.

The Nielsen Company, publisher of web trends, has come a cropper with a statistic for iPad downloads. Their original article claimed one third of iPad owners have never downloaded an app. A startlingly sticky statistic that was promptly regurgitated on many news sites. The Nielsen Company has since updated the article and corrected the number from 32% to 9%, a pretty big reduction. But news sites don’t tend to hang around a story for long. I wonder how many will correct their articles, or whether someone will come across and use the incorrect data. Unlikely to be serious consequences for this one but it shows the importance of checking and re-checking original sources when relying on statistics…


PerformancePoint – A brief history

A few years ago, I published an infographic showing the history of SharePoint, to help decipher the different twists, turns and acquisitions that influenced what went into (and out of) SharePoint. (May get round to doing an update on that sometime…)

A related product has also had a few twists and turns of its own – PerformancePoint. The clue is in the name, it’s in the same family of products as SharePoint and originally targeted performance management solutions. Here’s its life story so far…

PerformancePoint History

Back in 2001, business intelligence and performance management were quite hot topics but became overshadowed by the rise of the portal. An early market leader was ProClarity and most people thought Microsoft would acquire it. Instead they purchased Data Analyzer, owned by a ProClarity partner. In the same year, Microsoft acquired Great Plains, a provider of business applications to small and medium-sized organisations. Included with the acquisition was FRx Forecaster which had been acquired by Great Plains the previous year.

Data Analyzer remained available as a desktop product for a while before disappearing. Some of the technology merged into what would become Microsoft’s first performance management server product: Business Scorecard Manager 2005 (BSM – naturally, not to be confused with the British School of Motoring if you’re reading this in the UK 🙂 )

BSM enabled you to define key performance indicators (KPIs) and then create scorecards and dashboards to monitor and analyse performance against targets. The product included web parts that could display those KPIs, scorecards and dashboards on a SharePoint site. It even had a little bit of Visio integration producing strategy maps (a key component of an effective business scorecard).  BSM was a classic v1 product: difficult to install, basic capabilities and limited adoption by organisations.

In 2006, Microsoft finally acquired the company it should have bought in the first place – ProClarity, which had a desktop and server product. The products were available standalone and some of the technology integrated into the replacement for BSM – PerformancePoint Server 2007 (PPS). Also integrated into PPS was a new forecasting capability based on the FRx Forecaster.

PPS was effectively two products – a Monitoring Server and a Planning Server. The Monitoring Server included a revamped Dashboard Designer with improvements to the core monitoring and analysis capabilities – KPIs, reports, scorecards and dashboards. It also leveraged corresponding web parts available in SharePoint Server 2007 Enterprise Edition. The Planning Server included a new Planning Business Modeler that enabled multiple data sources to be mapped and used to plan, budget and forecast expected performance. The Planning Server proved particularly problematic to configure and use…

In 2009, Microsoft announced that PerformancePoint Server was being discontinued. The Monitoring Server elements were to be merged into future releases of SharePoint (and anyone licensed for SharePoint Server 2007 Enterprise Edition was immediately given access to PerformancePoint Server 2007 as part of that license). The source code for the Planning Server elements was released under restricted license as a Financial Planning Accelerator, ending its life within Microsoft. The FRx technology returned to the Dynamics product range.

In 2010, SharePoint Server 2010 was released and the Enterprise Edition includes the new PerformancePoint Service complete with dashboard and scorecarding capabilities but no planning options. This year also saw the release of Management Reporter which offers both monitoring and planning capabilities with direct integration into the various Dynamics products. And a new BI tool was released – PowerPivot for Excel, an add-in that enables you to create pivot tables and visualisations based on very large data sets. A trend worth keeping an eye on…

Going forward, Microsoft has business intelligence and performance management solutions in two camps: the Office and SharePoint platform that can provide a front-end to business applications and data sources of all shapes and sizes; and the Dynamics Product range that provides end-to-end business applications for small- to medium-sized organisations (and divisions within larger organisations). Dynamics can also leverage SharePoint as its front-end, just like any other business application.

Microsoft Business Intelligence and Performance Management tools

SQL Server continues to provide the core foundation for all data-driven solutions – offering its own database capabilities as well as warehousing and integration with other ODBC-compliant data sources plus the reporting and analysis services on which BI solutions are built. SharePoint provides the web front-end for information and data-driven solutions amongst other things, like search, collaboration etc… Office continues to provide desktop tools as well as web-based versions that integrate with SharePoint. Excel now has its sidekick PowerPivot (wish they’d named that one PivotPoint…), Visio continues to be, well, Visio – one of the few acquisitions to keep its original name intact. And also worth a mention are Bing Maps and MapPoint, which provide location-specific visualisations. I originally wrote that MapPoint was discontinued. But did a search to check when it stopped being available only to find it alive and well as MapPoint 2010… hey ho!

You’d be right to think this performance management roadmap has looked a little rocky. What’s interesting to note is there is a Corporate Performance Management team within the Dynamics group, whilst Business Intelligence messaging barely mentions it, focusing instead on subsets of performance management – reporting and analysis.

If you are a performance management purist, you will likely be disappointed with the capabilities offered by PerformancePoint, much in the same way a taxonomy purist will gripe at the limitations within ManagedMetadata. Both are services within SharePoint 2010 that help manage and visualise information – they are part of a platform as opposed to specialist niche solutions that will typically offer a more comprehensive feature set. But if you want to start improving how everyone interacts with information and data as part of daily decisions and activities, a platform is a pretty good place to begin, requiring fewer skills or resources to get started.

Final note: All the above comments are based on my own opinions and observations. They do not represent any Microsoft official statements from the past, present or future 🙂 Have to mention on this sort of post as it covers the period of time I worked at Microsoft.


The risk in eliminating risk


— Update: July 2013 —

Earlier this month there was a news article covering the deaths of two teenagers in a car accident. The cause? It is believed that they were driving dangerously fast in order to get home before a curfew. Missing the deadline would have led to a £100 fine. A lot of money for most students. The car had been fitted (optionally) with a tracking device intended to encourage safer driving. An ill-conceived idea leading to tragic unintended consequences: Insurance curfew blamed for fatal teenage car crash.

Whilst the theory was sound, life can be messy. Would anybody prefer a teenage driver to risk speeding to beat a curfew or risk staying put in a vulnerable location to avoid a fine or driving ban? Legislation to eliminate one risk created another, possibly worse, in its place.

— Original post: September 2010 —

Heard on the radio this morning and currently one of the headlines on the BBC News web site: New driver restrictions would save lives:

Newly qualified young drivers should be banned from night-time motoring and carrying passengers of a similar age, Cardiff University researchers say… “graduated driver licensing” for those aged 17-24 could save more than 200 lives and result in 1,700 fewer serious injuries each year.

The research in question is road accident data from 2000 to 2007 that suggests one in five new drivers crashes within the first six months. So the plan is to try and eliminate the range of conditions that led to the accidents? That’s just delaying taking responsibility for your actions.

Rather than attempting to ban youngsters from certain driving conditions, which would be both expensive and impossible to police, I’ve a better suggestion – advise parents to not pay for driving lessons or buy cars for their children. From my own informal observations, people who have to earn and save money to pay for their own driving lessons and to buy their own car (and then save for another six months to afford the insurance) will treat it with a lot more respect and will therefore be less likely to crash (the insurance premium alone will be a sufficient deterrent for most).

Trying to eliminate risk through legislation is, at best, an inefficient approach. And at worst, can make matters worse – the law of unintended consequences is particularly active in systems involving people. Cue link to information systems 🙂

When deploying intranets and collaborative web sites, the issue of security and permissions is always a challenge. Many organisations want to lock down access to everything, i.e. you can only access documents you have explicit permission to use. It’s a risk avoidance strategy. Research could probably justify it by showing you that one in five new employees leak data during their first six months… The more effective solution for that scenario would be to improve your recruitment process.

Whilst some information does need to be tightly controlled – particularly anything of a legal and/or sensitive nature involving personal information – it is usually a small percentage of an information system. Manage that percentage as an exception rather than the rule and don’t apply rigid security by default. In attempting to eliminate the risk of someone seeing something they shouldn’t you risk making it difficult for everyone to see everything they need. That is not a good outcome for a system that is supposed to improve productivity and collaboration.

Web 3.0 and the Semantic Web

I’ve got mixed feelings about the viability of the semantic web but this video is a great compilation of the challenges facing information discovery and possible options. It’s become way easier to create information than to manage it…

Social Media judges the Olympics

Techcrunch has an interesting article: How We Hate NBC’s Olympic Coverage: A Statistical Breakdown.

NBC Olympics Sentiment Analysis

The statistics are coming from a couple of different ‘Sentiment Analysis’ services that track what people are saying about brands online. Twitter Sentiment tracks positive and negative comments on Twitter, updated in real-time (image shown above). Another service, Crimson Hexagon, went further to break down into specific categories, discovering only 15% were happily watching NBC’s Winter Olympics coverage (more details are provided in the TechCrunch article) whilst 85% were complaining.

What’s interesting is how easy it has been for these services to gather the data. Crimson Hexagon analysed over 20,000 tweets and 5,700 blog posts and forum comments. Twitter Sentiment is continually updating in real-time, as the tweets are posted. When I grabbed the screenshot above, over 2,500 tweets had been automatically categorised as positive or negative.

The analysis demonstrates just how easy it is to discover what people really think thanks to the Internet. People who take the time to tweet and write blog posts are more likely to be giving raw opinions than a selected audience targeted to respond to a survey. For sure we tend to be more compelled to write when we have something bad to say, so results are almost always going to skew towards the negative. But they are readily available, often for free or little cost, and offer an insight into how products and services could be improved. Sentiment analysis shows how businesses can benefit from getting involved in social media, even if only to listen.


Analyse and Act on Social Media Trends

How to monitor social media conversations, identify trends and act on them came up in a conversation yesterday regarding the role of internal communications managers. As serendipity would have it, just such a solution cropped up via Google Reader, thanks to Mark Miller (@eusp) over on his End User SharePoint site.

Microsoft has a proof of concept built on SharePoint – Looking Glass (must stress: It’s a proof of concept (PoC), no mention of an actual working solution yet and Microsoft PoCs often have a dash of smoke and mirrors about them):

But wafting the smoke aside and stepping around the mirrors, the concept is sound. There are plenty of tools on the Internet for visualising trends from social media sites like Twitter and Facebook. (Twistori is a pet favourite of mine for simply observing the world in a conversation) But few go beyond visual analytics. This video explores how to integrate ways that enable you to act on the trends uncovered, what happens next. Interesting stuff. Bet the Microsoft CRM team just love it!… 😉

Our connected future

When you reach the giga, peta, and exa orders of quantities, strange new powers emerge. You can do things at these scales that would have been impossible before…

Kevin Kelly has talked about the coming age of data, oodles of the stuff thanks to the Internet and what we’re doing with it. Here’s a nice video visualising how all this data and the devices connecting to it will define the future, albeit at the scale of trillions rather than zillions…

…and the makers of the video have more details on their web site – MAYA Design – including a research paper for download (PDF).

Related posts: Tim O’Reilly’s talk about The Internet Paradigm and Kevin Kelly’s Zillionics Change Perspective