January 28th passed mostly in silence
Why do I mentioned January 28th? It was Data Privacy Day. So, what‘s the big deal?
Data Privacy Day is an annual international event to remind everyone to be diligent about online privacy and online information. The National Cyber Security Alliance led efforts in the USA to call attention to the event. Part of the message is to “own your online presence.”
So, here's the deal.
Part of owning your online presence is understanding what information about you is available to others. Why does that matter?
A recent investigative report aired on a local TV station. “Bogus background check could be costing you money” revealed how incorrect cyber information can hurt you. In this case a gentleman had his insurance rates go up dramatically because a company that collects credit records and provides them to insurance companies supplied bad data.
Yes, I know this is a case of garbage in garbage out, but whose garbage is it?
In this case the negative factors in the “Bogus background check,” came from the victim’s son who had the same first and last names, but we was “the second.” The son’s history was erroneously mixed in with the father’s record. According to the news story the company supplying the report responded that they do rigorous checks to maintain quality; but they didn’t in what they characterized was a “rare case.” The algorithms did not perform as intended.
What was the advice of the investigative reporter? Check the information that is available for accuracy. Sounds like “own you online presence.” I’ll be sure to add this story and this advice to people come next Data Privacy Day (January 28, 2019). Maybe more people will take notice and think more about their online presence.
The investigative news story mentioned the offending companies, but I have left them off. These kinds of mistakes are detrimental to corporate reputation. Sure, it was inadvertent, but was the company paying enough attention to the collection and use of data? What were they doing to avoid unintended consequences? One of the companies mentioned had a hugely embarrassing incident recently. It was credited to lax policy enforcement. What about you and your company?
I am proud to say that Marquette University is putting together a Symposium on the Ethics of Big Data III. This is the third in a series of meetings on privacy, data collection, and the consequences of Big Data technology. This year we will meet on April 27 in a discussion that is open to businesses, academics, students, and the public. Folks at Northwestern Mutual are demonstrating their recognition of the importance by joining us to sponsor and host the meeting at their new tower in downtown Milwaukee. See https://www.marquette.edu/ethics-of-big-data for information. Other companies have regularly made an appearance and supported this annual event.
Help make a difference; be cyber security and privacy aware. (See https://staysafeonline.org/data-privacy-day/about/ for information about Data Privacy Day and https://www.tmj4.com/news/i-team/bogus-background-check-could-be-costing-you-money to see the full story about the bogus background check.)
Cyber Security Awareness Requires Leadership
Cyber security is a question of leadership and awareness is the responsibility of leaders.
Most all successes are the result of a proper combination of People, Process, and Technology. The importance of these three items is apparent in the examination of the cyber security incidents that have gained national attention. It always starts with people. People can prevent breaches or people can cause them. Incidents can result from inadvertent behavior or by malicious intent. Cyber Security Awareness focuses on reducing inadvertent behavior that leads to failure of the security system. Often someone with malicious intentions takes advantage of the inadvertent action, but that is not always the case. There is not always a bad guy trying to take advantage of others.
Safety in manufacturing plants is not the same as safe computing but safety awareness is remarkably similar to Cyber Security Awareness. During my career before academia, I had the privilege of observing a dramatic improvement in plant floor safety that resulted from leadership and awareness. General Motors went from having a mediocre safety record to being by far the safest manufacturing environment in the industry.
The journey from mediocrity to excellence started with recognition of the problem created by workplace injury. Leadership from the C-suite resulted in having all executives take safety training from the world leader in workplace safety, DuPont. Having been in the explosives business is is clear why DuPont emphasized safety.
The manufacturing organization followed the leadership of the VP of Manufacturing, Joe Spielman supporting the theme "Safety is Our Overriding Priority." The corporation regularly heard the message that came form DuPont, "All incidents can be avoided." The term "incident" replaced "accident" in the conversation because accidents imply that they are somehow unavoidable.
Measurements were put in place; goals were set and clearly articulated. For example the goal at one assembly plant in Oshawa was a 50% reduction in lost time injuries and “recordable” injuries every three years. This led to reducing lost work day cases per 100 employees from 13 in 1994 to under 1 before the close of 2001. In 2002, GM plants from around the world had achieved an industry leading 3.6 recordable incidents per 200,000 hours worked compared to an industry average of 20.3. [1]
A practice that helped lead to the improvement was attention to "near-misses." These were recorded and analyzed at safety meeting which were mandated to occur regularly. In our office environment, we held these meeting weekly. The clear goal was fool-proofing the system. In all plants, serious near-misses required the Plant Manager to tour and assess the situation within 24 hours. Supervisors and team leaders were required to investigate all actual incidents before the end of a shift.
There is a strong parallel between this example and the Stop. Think. Connect. campaign coming from the Department of Homeland Security. This is one of the primary concepts included in the DHS program in cyber security awareness.
I mentioned that there must be attention to People, Process, and Technology, The culture must change. An example from GM of the emphasis of balanced attention to People, Process, and Technology can be found in the 2004 announcement of a new safety device aimed at reducing railcar workplace injury. A joint union-management memo stated, "constant vigilance to the safety process and ongoing training to ensure compliance to safe operating practices is necessary to protect all employees."
All of this provides a nice story for safety management. Why don't we do that for cyber security? Who is providing leadership? Who is measuring the organization? What are the goals?
I am organizing a Colloquium on Cyber Security Awareness to start a conversation about how we improve security within populations such as the general public that is involved using hundreds of apps and social computing, our customers who use our IT infrastructure to communicate with us, our employees who have access to the information we need to secure, and students who are the future of computing. This event will come in October, National Cyber Security Month.
References
[1] M. Rosen, General Motors: Achieving and Maintaining World-Class Leadership in Worker Health and Safety in the Automotive Industry, Safety Management Education, May 2008, available on line at: http://safetymanagementeducation.com/wp-content/uploads/2015/06/Case_Study_GM_Truck_Plant_Case_study.pdf on 22 July, 2016.