Enterprise 2.0 Insecurities

After I posted on Avenue A | Razorfish’s Enterprise 2.0 Intranet, a few commenters pointed out a potentially troublesome feature.  When employees (or anyone else, for that matter) add the tag ‘AARF’ in del.icio.us, Flickr, or Digg, the so-tagged items show up within the company’s Intranet.  The intent of this feature, as I wrote, is to let employees easily and automatically make each other aware of potentially interesting content on the Internet.

Because these ‘AARF’ tags are universally visible, however, other companies can also see them and take advantage of them.  It would be technically straightforward for a competitor to scan del.icio.us, Flickr, and Digg for the ‘AARF’ tag, thereby seeing what Avenue A | Razorfish employees are highlighting for each other.  As Microsoft’s Alex Barnett posted:

"A potential issue to point out here. Since employees are using the AARF tag to share content with other employees and they are doing so on public sites such as del.icio.us, I can also see what AARF employees are bookmarking and sharing with other AARF employees. Is that a good thing? Well, it’s good for me :-). But is that good for AARF? Look, here is a sample. From a cursory look at the AARF tagged bookmarks, I can tell:
  • Someone is probably lobbying HR for Starbucks coffee machines at the office (I can’t blame them…)
  • Someone is studying Second Life’s audience size, probably as an opportunity to either establish their own presence for the agency, or collating info so they can advise clients
  • Someone is trying to figure out the ROI on blogging (rather you than me…)
  • Someone is interested in mobile social software apps

Are they giving away company secrets? Lobbying for Starbucks coffee machines, er, probably not. Corporate Second Life plans for AARF? Maybe…"

Avenue A | Razorfish’s Ray Velez responded on my blog:

"anyone can use the aarf tag and associate it with a bookmark. This potentially lets us get information from a larger audience. Which may turn out to be a bigger spam issue more than anything else. The only information that can be gleaned from this is what we think is interesting in terms of websites out there. Check out Alex Barnett’s post for a good explanation and yes I do like Starbucks coffee :-). If it’s a site we want to keep behind a firewall we can make it private. The tagging algorithm and keywords we use internally to add metadata to wiki content and documents is completely behind the firewall."

This exchange highlights a deep issue around the use of Enterprise 2.0 platforms, which are by their nature more open, transparent, and visible than communication channels like email.  Most of my work has stressed the benefits of using these platforms, but there are also potential drawbacks.  

Perhaps the most obvious of these goes by the label ‘security.’  It’s the fear that the wrong content will show up on the platform, and/or that it will be viewed by the wrong people.  The wrong people include competitors, clearly, but also perhaps dishonest employees who would be willing to sell secrets if they have access to them.  They might also include regulators, especially if employees post the wrong content.  For a regulator, this would include information that leaped over a Chinese wall.  

For a boss, there are many more flavors of wrong content — trade secrets, hate speech, information that gets discovered by the other side’s lawyers, information that becomes a public relations disaster, etc.  With all these risks, Enterprise 2.0 can seem like more trouble than it’s worth.  In a November 21 story in the Times, for example, a lawyer who advises universities says that blogging by college presidents is ‘an insane thing to do.’  

At the risk of underplaying real security concerns, I want to make a case for a laid-back / laissez faire approach to security and Enterprise 2.0.  The main reason this approach will work is a simple one:  people already know how to behave appropriately, and they’re not going to be driven suddenly wild by the appearance of the new platforms.

They’ve had access to phones, faxes, copiers, USB drives, email, and IM for a while now, and so have had plenty of opportunity to wreak havoc with security.  Despite the existence of these tools, most companies haven’t seen all their secrets made public or been sued out of existence.  Shouldn’t this tell us something about the extent to which people can be trusted to use communication tools appropriately?

Granted, Enterprise 2.0 platforms bring some new challenges.  Foremost among them is probably the fact that contributions to these platforms are intended to be persistent over time and visible to all members.  This implies that training and explicit policies about appropriate and inappropriate contributions might be useful.  But I don’t think it implies that Enterprise 2.0 represents a security risk so large that it should be shunned, or approached only with great caution.

I find it telling that the new communication and collaboration platforms have taken off most quickly in high tech industries despite the huge premium tech companies place on secrecy and protection of intellectual property.  This is partly due to the fact that these companies are full of techies, but it’s also because these firms operate in incredibly dynamic environments and so have particularly acute information sharing needs.  It makes sense, then, that they’d be the first to adopt new tools that let people keep up to date with the latest developments, and with each other.  

Let me end this post by suggesting a thought experiment.  Imagine two competitors, one of which has the guiding principle "keep security risks and discoverability to a minimum," the other of which is guided by the rule "make it as easy as possible for people to collaborate and access each other’s expertise."  Both put in technology infrastructures appropriate for their guiding principles.  Take all IT, legal, and leak-related costs into account.  Which of these two comes out ahead over time?  I know which one I’m betting on.