Only as secure as you make it

I get why corporations love control. I do, really. The idea that some mere employee, someone whose livelihood depends upon your beneficence, holding the keys to your kingdom in their hands with no external controls? Quick, someone fetch the enterprise fainting couch!

For the most part, enterprises have started to see the value in giving their employees more freedom in terms of things like flex time or BYOD policies. Requiring everyone to use Internet Explorer 6 (for example) only led to a) increased insecurity for those who refused to use inferior products and had to develop workarounds and b) productivity slowdowns for those not able or too lazy to circumvent the system.

But again, that pesky thing where companies refuse to trust their employees rears its ugly head, and now the answer is apparently Snapchat. For enterprise. No, really.

Again, I understand the basic impetus behind this line of thinking, but it fails on two levels, both of them human. One: If you make it in the employee’s best interest to not share vital strategic or business information with a competitor, that employee (provided he/she is acting rationally) will not do so. This worry is, at heart, an admission that a company is not providing its employees with the proper incentive not to act against the company.

One (sane) angle of approach would be to properly incentivize your employees, but increasing reliance on and faith in technology over humans (Ibid.) has rendered this a nonstarter. That very reliance, however, is also this policy’s downfall.

The article provides three strategies:

  1. Time bombs (Snapchat)
  2. Barriers (geofencing)
  3. Biometrics

Let’s get through them quickly. As any teenager (or Google search) will tell you, Snapchat’s ability to have your photos deleted only works as long as the other party wants them to. Otherwise, one quick screenshot (or app or API call or any of a dozen alternatives) is all it takes to have that naked selfie float around Reddit forever.

So Option 1 works as long as every other advantage that computers offer (universal access, instantaneous/error-free/non-destructive copying, etc.) goes away. Which seems unlikely.

Geofencing! IT administrators can know EXACTLY where your device is and limit your access there. Of course, if you can look at it somewhere, you can also copy it. Because, again, computers. And if you can copy it, you can convert it (either automatically or manually — and though it may take more time, I doubt that anyone who’s letting/helping documents out the door is going to be deterred by a little hassle). And then your fancy geofencing looks a lot more like the actual US-Mexico border fence than you probably intended.

Biometrics. Exact same arguments as above. Then you get hit by the double whammy that implementing these types of policies tends to make the end users (up and down the chain) more lax about security, because they’re putting their faith in the technologies — which have hidden dependencies and assumptions that most people don’t bother to think through, and ultimately wind up being their downfall.

Interestingly, the second and third policies require the utmost amount of trust in the employee (‘You can look at this only in these locations except please don’t then share it’) that the first one explicitly tries to limit (‘You can only view this for X amount of time before it self-destructs’). And you’re employing the most fantastic way of breeding resentment (and therefore increasing the likelihood of the leaks you’re trying to prevent) — show someone you don’t trust them in the slightest.

The quickest, easiest, cheapest and most secure form of information control is always going to be hiring, trusting and training the right people. It seems like a lot of work up front, but the weakest link in any chain of security is always the human element. And the smarter/more alert those people are to the risks, the easier it is for them to mitigate tricky situations. There’s no app for that.