Enterprise 2.0 Insecurities

by Andrew McAfee on November 27, 2006

After I posted on Avenue A | Razorfish‘s Enterprise 2.0 Intranet, a few commenters pointed out a potentially troublesome feature.  When employees (or anyone else, for that matter) add the tag ‘AARF’ in del.icio.us, Flickr, or Digg, the so-tagged items show up within the company’s Intranet.  The intent of this feature, as I wrote, is to let employees easily and automatically make each other aware of potentially interesting content on the Internet.

Because these ‘AARF’ tags are universally visible, however, other companies can also see them and take advantage of them.  It would be technically straightforward for a competitor to scan del.icio.us, Flickr, and Digg for the ‘AARF’ tag, thereby seeing what Avenue A | Razorfish employees are highlighting for each other.  As Microsoft’s Alex Barnett posted:

"A potential issue to point out here. Since employees are using the AARF tag to share content with other employees and they are doing so on public sites such as del.icio.us, I can also see what AARF employees are bookmarking and sharing with other AARF employees. Is that a good thing? Well, it’s good for me :-). But is that good for AARF? Look, here is a sample. From a cursory look at the AARF tagged bookmarks, I can tell:
  • Someone is probably lobbying HR for Starbucks coffee machines at the office (I can’t blame them…)
  • Someone is studying Second Life’s audience size, probably as an opportunity to either establish their own presence for the agency, or collating info so they can advise clients
  • Someone is trying to figure out the ROI on blogging (rather you than me…)
  • Someone is interested in mobile social software apps

Are they giving away company secrets? Lobbying for Starbucks coffee machines, er, probably not. Corporate Second Life plans for AARF? Maybe…"

Avenue A | Razorfish’s Ray Velez responded on my blog:

"anyone can use the aarf tag and associate it with a bookmark. This potentially lets us get information from a larger audience. Which may turn out to be a bigger spam issue more than anything else. The only information that can be gleaned from this is what we think is interesting in terms of websites out there. Check out Alex Barnett’s post for a good explanation and yes I do like Starbucks coffee :-). If it’s a site we want to keep behind a firewall we can make it private. The tagging algorithm and keywords we use internally to add metadata to wiki content and documents is completely behind the firewall."
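The scan Alex Barnett describes and the spam problem Ray Velez raises, as an added example that is not part of the original post and not Avenue A | Razorfish's own intranet code. The script reads a per-tag RSS feed of the kind del.icio.us exposed at the time (the feed below is constructed for illustration; the feed URL, account names, links and the intranet-side filter are all assumptions) and shows two things: what an outsider learns simply by reading a public tag feed, and the check an ingesting intranet would want, since anyone can apply the tag.

```python
"""
Added example (not from the original post): what an outsider can recover
from a public 'AARF' tag feed, and how the ingesting intranet could filter
what it accepts.  The feed, account names and links below are constructed;
the feed URL and the filtering design are assumptions, not AARF's.
"""
from collections import Counter
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 feed standing in for a per-tag feed such as
# http://del.icio.us/rss/tag/AARF (assumed URL; the service is long gone).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>del.icio.us/tag/AARF</title>
<item><title>Starbucks office coffee program</title>
  <link>http://www.starbucks.example/business/office</link>
  <dc:creator>alice_aarf</dc:creator><category>AARF</category><category>hr</category></item>
<item><title>Second Life user statistics</title>
  <link>http://secondlife.example/stats</link>
  <dc:creator>bob_aarf</dc:creator><category>AARF</category><category>secondlife</category></item>
<item><title>Second Life for brands</title>
  <link>http://secondlife.example/business</link>
  <dc:creator>bob_aarf</dc:creator><category>AARF</category><category>secondlife</category><category>clients</category></item>
<item><title>Buy cheap pills</title>
  <link>http://pills.example/buy</link>
  <dc:creator>spammer99</dc:creator><category>AARF</category></item>
<item><title>Q4 pitch deck (internal)</title>
  <link>http://intranet.aarf.example/wiki/Q4-pitch</link>
  <dc:creator>carol_aarf</dc:creator><category>AARF</category><category>pitch</category></item>
</channel></rss>"""

DC = "{http://purl.org/dc/elements/1.1/}"


def parse_feed(xml_text):
    """Return one dict {title, link, creator, tags} per <item> in the feed."""
    root = ET.fromstring(xml_text)
    items = []
    for it in root.iter("item"):
        items.append({
            "title": it.findtext("title", ""),
            "link": it.findtext("link", ""),
            "creator": it.findtext(DC + "creator", ""),
            "tags": [c.text for c in it.findall("category") if c.text],
        })
    return items


def outsider_view(items, shared_tag="AARF"):
    """What a competitor learns from the public feed alone: which accounts
    use the tag, which sites they bookmark, and which co-tags cluster
    (the topics the company is currently researching)."""
    creators = Counter(i["creator"] for i in items)
    domains = Counter(urlparse(i["link"]).hostname for i in items)
    topics = Counter(t.lower() for i in items for t in i["tags"]
                     if t.lower() != shared_tag.lower())
    return {"creators": creators, "domains": domains, "topics": topics}


def intranet_filter(items, known_accounts, internal_suffixes):
    """Ingestion check on the intranet side (assumed design).  Because anyone
    can apply the tag, accept only items from accounts the company has
    registered, and flag bookmarks whose link points at an internal host:
    those publish internal URLs to everyone reading the public feed."""
    accepted, rejected, leaked = [], [], []
    for i in items:
        host = urlparse(i["link"]).hostname or ""
        if any(host == s or host.endswith("." + s) for s in internal_suffixes):
            leaked.append(i)          # internal link exposed via a public tag
            continue
        if i["creator"] not in known_accounts:
            rejected.append(i)        # tag squatting / spam from an unknown account
            continue
        accepted.append(i)
    return accepted, rejected, leaked


if __name__ == "__main__":
    items = parse_feed(SAMPLE_FEED)
    view = outsider_view(items)
    print("Accounts using the tag:", view["creators"].most_common())
    print("Sites bookmarked:", view["domains"].most_common())
    print("Research topics:", view["topics"].most_common(3))
    ok, spam, leaks = intranet_filter(
        items, {"alice_aarf", "bob_aarf", "carol_aarf"}, ["aarf.example"])
    print(len(ok), "accepted,", len(spam), "rejected,", len(leaks), "internal links flagged")
```

Note what the allowlist does and does not buy: it keeps unknown accounts from pushing items onto the intranet, but it changes nothing about the outsider's view, which still sees every account name, site and co-tag. Only a private or group-scoped feed (as several of the comments below suggest) closes that side.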

This exchange highlights a deep issue around the use of Enterprise 2.0 platforms, which are by their nature more open, transparent, and visible than communication channels like email.  Most of my work has stressed the benefits of using these platforms, but there are also potential drawbacks.  

Perhaps the most obvious of these goes by the label ‘security.’  It’s the fear that the wrong content will show up on the platform, and/or that it will be viewed by the wrong people.  The wrong people include competitors, clearly, but also perhaps dishonest employees who would be willing to sell secrets if they have access to them.  They might also include regulators, especially if employees post the wrong content.  For a regulator, this would include information that leaped over a Chinese wall.  

For a boss, there are many more flavors of wrong content: trade secrets, hate speech, information that gets discovered by the other side’s lawyers, information that becomes a public relations disaster, and so on.  With all these risks, Enterprise 2.0 can seem like more trouble than it’s worth.  In a November 21 story in the Times, for example, a lawyer who advises universities says that blogging by college presidents is ‘an insane thing to do.’  

At the risk of underplaying real security concerns, I want to make a case for a laid-back / laissez faire approach to security and Enterprise 2.0.  The main reason this approach will work is a simple one:  people already know how to behave appropriately, and they’re not going to be driven suddenly wild by the appearance of the new platforms.

They’ve had access to phones, faxes, copiers, USB drives, email, and IM for a while now, and so have had plenty of opportunity to wreak havoc with security.  Despite the existence of these tools, most companies haven’t seen all their secrets made public or been sued out of existence.  Shouldn’t this tell us something about the extent to which people can be trusted to use communication tools appropriately?

Granted, Enterprise 2.0 platforms bring some new challenges.  Foremost among them is probably the fact that contributions to these platforms are intended to be persistent over time and visible to all members.  This implies that training and explicit policies about appropriate and inappropriate contributions might be useful.  But I don’t think it implies that Enterprise 2.0 represents a security risk so large that it should be shunned, or approached only with great caution.

I find it telling that the new communication and collaboration platforms have taken off most quickly in high tech industries despite the huge premium tech companies place on secrecy and protection of intellectual property.  This is partly due to the fact that these companies are full of techies, but it’s also because these firms operate in incredibly dynamic environments and so have particularly acute information sharing needs.  It makes sense, then, that they’d be the first to adopt new tools that let people keep up to date with the latest developments, and with each other.  

Let me end this post by suggesting a thought experiment.  Imagine two competitors, one of which has the guiding principle "keep security risks and discoverability to a minimum," the other of which is guided by the rule "make it as easy as possible for people to collaborate and access each others’ expertise."  Both put in technology infrastructures appropriate for their guiding principles.  Take all IT, legal, and leak-related costs into account.  Which of these two comes out ahead over time?  I know which one I’m betting on.


Niall Cook November 27, 2006 at 5:15 am

Andrew, these are real risks to companies but you are right to make the case for a laid-back approach. I think that’s fine when there are no suitable alternatives, but in this particular case there are plenty of commercial and open source options that would have allowed AARF to get the benefits from tagging AND keep their tags private. Just because a service is popular in the consumer space doesn’t mean you shouldn’t look at other options in the work space.

Raj Kumar November 27, 2006 at 2:42 pm

The concept of ‘emergence’ eloquently describes the evolution of intelligence on the internet. There was nothing to begin with. Then Web 2.0 brought about a cumulative intelligence that works because of the size of the net. In the enterprise we are aware of a higher form of intelligence in operation – collective intelligence. It has to be developed on each event. Nonaka conceived the spiral of knowledge (http://www.dialogonleadership.org/Nonaka-1996cp.html) to evolve the intelligence. The collective memory (as created by accessible repositories) and cumulative intelligence (as returned by search engines) are its components. Creative Destruction in context would be another name for the spiral.

AARF has made great progress in using IT for cumulative intelligence and the collective memory. It is difficult to believe the spiral is possible with SLATES. Till IT can make the spiral possible the virtual space of the enterprise will remain virgin.

Is Security negotiable? Likely not. IT has to protect the space else its creation will be incomplete.

Andrew Scherer November 28, 2006 at 10:43 am

Being in a global financial services organization that is at the doorstep of contemplating how to best leverage wikis, blogs and collaboration we can’t help but wonder how to manage this balance. The regulatory environment is where we live, and for good cause. Yet the need to collaborate across the globe more effectively is greater than ever.

I want to but can’t agree about the inherent ability of people to behave themselves. I’ve seen too many things go wrong when a laissez faire approach is taken, I’ve had to take down systems and seen colleagues disciplined for the actions of their reports. Perhaps there’s a tipping point where scale requires a greater degree of control or focus to keep order about the house?

Dennis Howlett November 30, 2006 at 2:19 am

I’m (sadly) with Andrew Scherer on this. It’s important to remember that many companies have real regulations to deal with. It was one of the big spurts behind DM/KM.

These were fierce projects that imposed a huge amount of control. In some industries, that’s plain necessary – like pharma.

Suddenly relaxing those ‘rules’ based systems overnight could be catastrophic without extremely careful planning and execution.

So while I wouldn’t go as far as Andrew, I would pilot somewhere I thought relatively safe AND behind the firewall AND with some degree of moderation but with a firm feedback loop engaging employees so that they gradually feel more responsible AND valuable. That itself requires planning, a series of milestones mapping out and rewards/sanctions in place that are clearly understood and agreed by all.

In fact – go one better and get employees to figure that out as part of the implementation process.

I think it’s important to remember that the real value starts from inside the business so there is no need to be taking unnecessary risks. It explains why the likes of iUpload and Blogtronix are getting a lot of attention right now. They have that fine grained control.

Andrew Scherer December 3, 2006 at 9:31 pm

Dennis, I was reflecting having been burned, I guess it sounded too draconian – I still have faith. Our chairman actively wants to explore live chats, blogs and wikis in the full light of day. I think we have a great opportunity and I want our lessons brought to bear on future implementations.

I also need to encourage dialogue with the legal and compliance communities to show how these tools are little different from the risk inherent in email – it’s essentially unfettered from a technology deployment perspective and has proven to be effectively governed by our communication and confidentiality policies.


John Tropea December 10, 2006 at 10:40 pm

What about using social bookmarks like Jots, Magnolia, Connotea (I think)? Don’t all these have group features, so only members of the group will see the entries?

I’m sure you can leverage these tools to fit your scenario

Puneet Gupta March 1, 2007 at 2:20 pm

“Let me end this post by suggesting a thought experiment. Imagine two competitors, one of which has the guiding principle “keep security risks and discoverability to a minimum,” the other of which is guided by the rule “make it as easy as possible for people to collaborate and access each others’ expertise.” Both put in technology infrastructures appropriate for their guiding principles. Take all IT, legal, and leak-related costs into account. Which of these two comes out ahead over time? I know which one I’m betting on.”

Prof. McAfee, we at Connectbeam are betting right along side with you.
However, for enterprises, we feel the choice may not be as binary as:
1. keep security risks and discoverability to a minimum
2. make it as easy as possible for people to collaborate and access each others’ expertise

We feel a combination of these is the sweet spot for enterprises. We are seeing this increasingly validated at Connectbeam.

dog lover August 28, 2007 at 4:43 am

As suggested, new social bookmarking sites have a private option in which only allowed individuals are able to view your bookmarks.

Jed Sundwall September 10, 2008 at 1:52 pm

The great takeaway from this, for me, is that the security risks attributed to E2.0 are typically overstated, and ignore the relative stability of the status quo (“phones, faxes, copiers, USB drives, email, and IM”).

And “training and explicit policies about appropriate and inappropriate contributions” have always been useful, but they are imperative now. We’re still working to identify and codify best practices around public/online sharing, and I imagine we’ll be learning (plenty of hard) lessons for years to come.
