Managing Online Risk: Apps, Mobile, and Social Media Security

275 pages · 2014 · English

Managing Online Risk: Apps, Mobile, and Social Media Security
Deborah Gonzalez, Law2sm, LLC

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Butterworth-Heinemann is an imprint of Elsevier

Acquiring Editor: Brian Romer
Editorial Project Manager: Keira Bunn
Project Manager: Poulouse Joseph
Designer: Alan Studholme

Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2015 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher.

Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: [email protected]. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions and selecting “Obtaining permission to use Elsevier material”.

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Gonzalez, Deborah.
Managing online risk : apps, mobile, and social media security / Deborah Gonzalez.
pages cm
ISBN 978-0-12-420055-5 (paperback)
1. Computer networks–Security measures. 2. Internet–Security measures. I. Title.
TK5105.59.G67 2015
005.8–dc23
2014031130

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

ISBN: 978-0-12-420055-5

For information on all Butterworth-Heinemann publications visit our web site at http://store.elsevier.com

This book has been manufactured using Print on Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate.

About the Author

Deborah Gonzalez, Esq. is the founder of Law2sm, LLC, a legal consulting firm focusing on helping its clients navigate the security and legal issues relating to the new digital and social media world. Deborah is the co-developer of the Socially Legal Audit® tool, which assists a company in ensuring that its online activity is in line with state laws, federal laws, and regulatory compliance. Deborah graduated from New York Law School and is licensed to practice law in New York and Georgia. Deborah began her career in the corporate arena working in various positions in the information technology area—from network administrator to manager of the IS department for a top-6 CPA firm in New York City.
During her tenure she managed day-to-day IT operations; designed and implemented IT-related training for employees, managers, and IT staff; developed policies and protocols for corporate IT use; and monitored emerging trends in IT business strategy and management, including IT security concerns. Deborah used this foundation as a starting point for her legal practice, which is now transporting her beyond the Internet to the social space where the physical and digital dimensions of her clients co-exist and where she can leverage her legal expertise to their benefit. Deborah is a sought-after speaker, content contributor, and news commentator on online security issues and social media legalities. Past audiences include Fortune 500 companies, non-profit organizations, professional associations (ISSA WIS, TAG), college communities (students, faculty, and administration), and legal professionals (lawyers and judges), both domestically in the US and abroad. Specific industries include banking and financial, healthcare and medical, higher education, international trade, governments and politicians, marketing and public relations, and more.

Online Resources

Thank you for selecting Butterworth-Heinemann’s Managing Online Risk. To complement the learning experience, the author has provided a number of online tools to accompany this edition. They can be found at http://managingonlinerisk.com. The tools available include

• Live links to chapter-specific resources and updates to case studies in the book, domestic and international.
• Downloadable handouts and checklists that you can use for your company.
• Useful infographics with additional statistics relating to online risk and security.
• Shareable risk and security funnies and humorous videos that can be used for training or just a quick break to put things in perspective.
• The Managing Online Risk (MORe) monthly blog with discussions on the latest risk management and security issues.
• An event calendar with upcoming risk and security conferences as well as the latest information regarding author tour dates and venues.
• A direct contact link to the author for questions and inquiries.
• Access to the Elsevier eCommerce store for purchases.
• And more.

Introduction

Engagement in online activity (including, but not limited to, social media) is quickly becoming nonnegotiable for many businesses and organizations as consumers continue to expect to be able to connect and interact with them in as many convenient ways as possible. There are many benefits to companies using digital and online technology, but there are many risks as well, the acknowledgment of which has led many an executive to question whether they should be in the space and how far they should go. News reports of companies getting into trouble because of compliance violations, loss of revenue because of reputational loss, and loss of customer trust because of confidentiality breaches bring concern to executives who are trying to balance the benefits of online activity against the potential loss of revenue due to negative public relations, litigation, and so forth. In this new digital environment, executives need to put into place best practices and measures of security and risk management that address concerns such as data collection, storage, and security; human resource recruitment and employee communications; compliance violations of federal and state laws, as well as professional trade oversight organizations; security of technology devices (mobile, apps, cloud computing, etc.); and more.

This book strives to be a definitive resource by providing an overview of the risk mitigation strategies, solutions, and best practices to address risk, liability, and security concerns arising from corporate online and digital activity.
It is a resource that executives and security professionals can turn to more frequently as issues related to risk management and security concerns arise from their corporate online and digital activity. In addition, in a first-of-its-kind digital integration, this book has a companion Web site (www.managingonlinerisk.com) that was developed in parallel with the book, offering the latest updates and resources for the issues we discuss. You can imagine that, with the speed of change in the technology and security areas, some of what I wrote in the first chapters was outdated by the time I got to the final chapter. Between when this book is published and when you read it, who knows where that technology will be. So, as online and digital security and risk management continuously evolve, you will find this Web site to be an invaluable tool to ensure that skills and knowledge are kept up-to-date with the latest environmental and technology changes. This book gives the foundations and the Web site provides the nuances based on what is happening now. Use both to reap the optimal benefits of the information.

Another interesting feature of this book’s structure is that it is based on content aggregation, seeking out the most recent information on the topics and integrating the best of it within the book itself. I took a “curation of content” approach to find the most up-to-date, interesting, and credible sources on the issues I discuss in the book. Again, because of the speed of change in the online technology and security area, some of these sources may end up contradicting themselves as technology and events evolve. For example, when I originally wrote about Bitcoin in Chapter 8, it was considered a currency. By the time I finished writing Chapter 10, we had a U.S. regulatory decision that Bitcoin and other virtual currencies are “property,” not currency. More on that in Chapter 8. To ensure everyone receives the credit they deserve for their work, Creative Commons Licenses, the Fair Use Doctrine, and traditional copyright permissions are relied on to allow the reader to have the most up-to-date analysis of the trends occurring in online and digital security and risk management.

This book presents readers with tools and resources to better understand the security and reputational risks of online and digital activity, as well as tools and resources to mitigate those risks and minimize potential loss for their companies. These tools and resources include case studies; industry and expert profiles; lessons learned; overviews of relevant laws, regulations, and professional guidelines by industry; sample policies, disclaimers, and online community guidelines; and more.

This book contains 10 chapters focusing on particular areas of security and risk management concern in the digital and online environment. Since technology is all about connectivity, you will see that many of the issues discussed overlap and do not just fit in their designated chapters. However, each chapter was written to stand alone and still be comprehensive enough to offer strategic insight for that particular concern, so you as the reader can read the book sequentially or by chapter-topic interest. The exceptions are Chapter 1, which offers an overview of risk management and security concepts—a great place to start if you are new to the field or need a refresher recap—and Chapter 10, which focuses on what your company’s future may or may not look like and relies on previous concepts outlined throughout the book.

With Chapter 2, we begin to explore specific internal and external risks associated with digital and online activity. The internal view explores corporate security perception, priority and budget setting, traditional and shadow information technology (IT), mobile and the Bring Your Own Device trend, and people, including employees, vendors, and third parties, who can give rise to cyber-risks such as computer security failures, computer viruses, computer fraud, and so forth. The external view looks at issues over which the corporation has a lesser element of control, such as technology advances and new devices, cloud computing, hacking, regulation, and natural disasters and squirrels.

Chapter 3 focuses on different aspects of digital identity in relation to a corporation’s reputation, including executive identity (specific individuals in the corporation) and brand identity (including virtual presence) of the corporation. The chapter defines these two identities and how they differ, explores why they are important in the digital space, and describes how they can be tarnished or lost because of digital activity. In addition, online activism (and hacktivism), social scoring, digital influence, and online credentials are discussed. The chapter offers various lessons learned and best practices to protect the identity and the corporation’s reputation.

Chapter 4 explores the use of digital and online activity as it relates to employee–employer relationships and constructs. The chapter progresses based on the employment cycle: recruitment, hiring, employment, and termination. Specific discussions cover social media policies and strategies, the mobile workforce, millennials and other worker generations, monitoring of employee online activity, employee privacy concerns, and so forth.

Chapter 5 focuses on an extremely important area related to online and digital activity—the collection, use, and storage of data—especially as it relates to client or potential client information. The debate between enhanced, targeted marketing to meet customer needs and personal privacy concerns will be discussed and will include big data, the social graph, personally identifiable information, recent attempts to control this area (legislation), and best practices.

Chapter 6 looks specifically at data that are created for the digital space, the intellectual property rights and value they provide for a corporation, the risks of theft of intellectual property, the risks the content may create for the corporation (such as defamation, anticompetitive acts, etc.), and best practices to reduce those risks, as well as strategies on what to do if theft occurs.

Chapter 7 focuses on regulated industries (such as banking, health care, transportation, etc.) and the different risks associated with violation of compliance standards for online and digital activity. Discussions will focus on topics such as disclosure, disclaimers, professional trade oversight organizations and guidelines, federal and state legislation, and current best practices. For some, it may read like an alphabet soup—FDA, FTC, HIPAA, PCI DSS, OSHA, COPPA, and so forth.

Chapter 8 looks at the risks associated with corporate financial activity in the digital and online space, including digital payment systems, digital and cryptocurrency (Bitcoin and others), crowdfunding, online microfinancing, online investments, and so forth. The second part of this chapter focuses on one specific purpose of corporate spending: advocacy and digital campaigns (lobbying, charitable fund-raising, etc.).

Chapter 9 focuses on the emerging concerns of risks related to succession planning and management in the corporate environment. Topics such as succession planning, the IT security shortage, women in security, protection of digital assets, security of assets, continuation of digital activity and content management, digital expiration, and so forth will be discussed, as well as digital legacy, digital immortality, and digital resurrection.

Finally, Chapter 10 takes a look into the future to explore the future of information security and risk management. Four possible future scenarios are presented: growth, transformation, constraint, and collapse. Then particular future concerns regarding specific technologies will be discussed, including the Internet of Things, drones, health and medical sensors, big data analysis systems for security intelligence, and privacy evolution.

Lastly, fear not: Although this book is written by an attorney, it is not written in legalese. Its perspective is from a practical standpoint—business, strategy, and management—and its purpose is to be referred to and used again and again. I acknowledge that legal aspects will always be part of security and risk management, especially within the context of compliance, but this book is not a legal treatise. You will learn enough to understand why the risks exist and why certain solutions and best practices are proposed—and enough to know when to pass it on to the attorney. If you are an attorney reading this book, this book can serve as a starting point for some legal principles and how they apply in the overall business setting, but do not stop here.

So we begin with defining risk management and security in the context of the digital environment. Are they different because of this new context or have they just been expanded?

CHAPTER 1 RISK MANAGEMENT DIGITAL STYLE

Which risks are relevant? Those that impact business goals.
Which risks impact business goals? They all do.
Did you hear the one about the IT security officer who “resigned” after it was discovered that a data breach at its retail operations headquarters that affected millions of customers could have been avoided if only one of over 60,000 alerts had been heeded?1 Or the one about a security consultant who leaked information about a government surveillance program, bringing world leaders to the defense, who ended up exiled in Russia but had a great turnout at South by Southwest?2 Or how about the one of computer engineers who lost their life savings and their jobs in the misplacement of digital currency?3 Or the one about the employee who left a company laptop connected to public Wi-Fi at the coffee shop that led to insider trading violations and criminal penalties?4 Or the one… I think you get the point.

There have been a lot of “ones” in the news and even more not in the spotlight. In 2011, Verizon reported “855 incidents and 174 million compromised records.”5 To update that, the Online Trust Alliance (OTA) released their report in January 2014, which indicated that of over 500 data breaches in the first half of 2013 “31 percent of incidents were due to insider threats or mistakes; 21 percent resulted from the loss of computers, hard drives, and paper documents; 76 percent were due to weak or stolen account logins and passwords; and 29 percent of compromises resulted from social engineering.”6 What do these have in common? They all dealt with information technology in the online digital environment.

As we begin our exploration of online risk and security, it is useful to make sure we are on the same page. Defining the lexicon of the landscape allows us to define risk management and security in the context of the digital environment and determine whether they are different because of this new context or whether they have just been expanded. Therefore, we begin with standard definitions of risk management, risk, security, and threat. You may have your own favorite you use, but we will stick with these as we head out.

Risk management: The identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks.7

Risk: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.8

Security: The prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action; the extent to which a computer system is protected from data corruption, destruction, interception, loss, or unauthorized access.9

1 Target Data Breach, 2013.
2 Edward Snowden, NSA leak, 2013.
3 Mt. Gox and their misplacement of Bitcoin, 2014.
4 Raj Rajaratnam of the Galleon Group, 2014.
5 Verizon, 2012 Data Breach Investigations Report, http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf.
6 Pangburn, DJ, “2013 Was the Worst Year for Data Breaches,” Motherboard Blog, http://motherboard.vice.com/blog/2013-was-the-worst-year-for-data-breaches, January 23, 2014.
7 “What is Risk Management? Definition and Meaning,” http://www.businessdictionary.com/definition/risk-management.html#ixzz2ZsV0ylRk (accessed 2/8/2014).
8 “What is Risk? Definition and Meaning,” http://www.businessdictionary.com/definition/risk.html#ixzz2ZsV8eFjd (accessed 2/8/2014).
9 “What is Security? Definition and Meaning,” http://www.businessdictionary.com/definition/security.html#ixzz2ZsVYEske (accessed 2/8/2014).
