Okay, maybe security shaming is not the proper way to describe security awareness training. No matter how it's labeled, it's working. We don't receive emails with employee or patient lists attached. We aren't given access to a Box account where we can see all company information instead of only the one folder we should see.
More and more we recognize the need to share information in a secure manner. Nobody wants to be the one who accidentally released a million names and social security numbers. Security awareness training, a standard ritual now at most companies, is effective at helping to prevent accidental releases, but ensuring that information is securely shared could be a lot easier.
It's already commonplace to ask Siri and Alexa to answer a question, and they do so quite accurately. Cars can park autonomously. Rockets can blast off and come right back down to a standing position. Why can't all software applications enforce secure sharing of information?
Applications are designed to be as easy to use as possible for their intended purpose: find contact information in the CRM, enter transactions in the accounting system, find a document in the document management system. At the same time, the information needs to be protected: don't allow all users to export the entire list of contacts, don't allow users to send financial statements to just any email address, and don't allow users to download all of the R&D documents to a thumb drive.
Security in most applications is good at preventing access to information based on role or some other factor. But some applications are not good at controlling the information once it is accessible. Sensitive information generally should not be emailed as an attachment; instead, the recipient should get a secure link back to the document or record in the application, and that link should expire at some predetermined date. The application shouldn't allow batch downloads of documents without some administrative oversight, and it may need to require that all data be encrypted if it is downloaded.
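As an added example (not code from the original post or any particular product), here is one way an application could implement the two controls described above in Python: a share link that is bound to one document and one recipient and expires at a set time, and a guard that refuses large batch exports unless an administrator has approved them. The signing key, the base URL, the 25-document threshold and the in-memory audit log are all constructed placeholders.

```python
"""Expiring, recipient-bound share links and a batch-export guard.

Added example; everything here (key, URL, threshold, audit log) is a
constructed stand-in for what a real application would provide.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample key. In a real deployment it comes from a secret store,
# is rotated, and is never checked into source control.
SIGNING_KEY = b"constructed-example-signing-key"
BASE_URL = "https://docs.example.invalid/share/"  # hypothetical application URL

# Batch exports larger than this need an explicit administrative approval.
BATCH_APPROVAL_THRESHOLD = 25

AUDIT_LOG: List[Dict] = []  # stand-in for the application's audit trail


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token sits cleanly in a URL."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str, key: bytes) -> str:
    return _b64(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())


def mint_share_link(doc_id: str, recipient: str, ttl_seconds: int,
                    now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Create a link naming one document, one recipient and an expiry time.

    The claims travel in the URL in the clear, but the HMAC over them means
    nobody can change the document, the recipient or the expiry without the key.
    """
    now = int(time.time()) if now is None else now
    claims = {"doc": doc_id, "to": recipient, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return f"{BASE_URL}{payload}.{_sign(payload, key)}"


def verify_share_link(link: str, presented_by: str, now: Optional[int] = None,
                      key: bytes = SIGNING_KEY) -> Tuple[bool, str, Optional[str]]:
    """Check signature, then expiry, then recipient. Returns (ok, reason, doc_id)."""
    now = int(time.time()) if now is None else now
    if not link.startswith(BASE_URL):
        return False, "wrong host", None
    payload, sep, sig = link[len(BASE_URL):].rpartition(".")
    if not sep or not payload or not sig:
        return False, "malformed token", None
    # Constant-time compare, and verify before trusting anything in the claims.
    if not hmac.compare_digest(_sign(payload, key), sig):
        return False, "bad signature", None
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return False, "undecodable claims", None
    if now >= claims.get("exp", 0):
        return False, "expired", None
    if claims.get("to") != presented_by:
        return False, "wrong recipient", None
    return True, "ok", claims.get("doc")


def authorize_batch_export(requester: str, doc_ids: List[str],
                           admin_approval: Optional[str] = None) -> Tuple[bool, str]:
    """Allow small exports freely; large ones only with an approval reference.

    Every decision, allowed or not, is recorded so an administrator can see
    who pulled how many documents and under which approval.
    """
    count = len(doc_ids)
    if count > BATCH_APPROVAL_THRESHOLD and not admin_approval:
        decision = (False, f"{count} documents exceed {BATCH_APPROVAL_THRESHOLD}; "
                           "administrative approval required")
    else:
        decision = (True, "allowed")
    AUDIT_LOG.append({"who": requester, "count": count,
                      "approval": admin_approval, "allowed": decision[0]})
    return decision


if __name__ == "__main__":
    issued_at = 1_700_000_000  # fixed clock so the run is reproducible
    link = mint_share_link("doc-42", "alice@example.invalid", 3600, now=issued_at)
    print(link)
    print(verify_share_link(link, "alice@example.invalid", now=issued_at + 60))
    print(verify_share_link(link, "alice@example.invalid", now=issued_at + 3600))
    print(authorize_batch_export("carol", [f"d{i}" for i in range(30)]))
```

The link carries its own expiry and intended recipient, so the server needs no lookup table to enforce either, and a forwarded link fails the recipient check even before it expires. The batch guard deliberately logs refusals as well as approvals; the refusals are what an administrator reviews to spot someone repeatedly trying to pull the whole repository.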
The developers of applications can achieve the ease of use they want and still have controls where they make sense. Nobody wants to be shamed for the release of sensitive information, least of all the creators or administrators of the applications you use every day. Take a look around your applications to see whether the controls exist and whether they are appropriately applied, and avoid being shamed.