Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security

11/9/2017
04:06 PM
Curtis Franklin

Security Must Stand Up to Bullying, Harassment

Today's IT security is about much more than data loss. It's time for the security group to embrace its role in protecting the people within the organization.

How far does enterprise security go? The news of late has been filled with stories of employees behaving very badly toward other employees. The real question is whether any of that behavior is a problem for the IT security group.

Back at the Black Hat conference in July, Alex Stamos, Facebook's chief security officer, gave a keynote address in which he made a compelling case for treating cyber stalking, bullying and harassing as an IT security problem rather than just an issue for HR.

The argument for involving IT security in these human behavior issues has several components: the behavior involves computers and networks, the victims and perpetrators are both using computers, and computer security has (or should have) as one of its goals minimizing the harm done to the organization by computers and their users.

When IT security takes on abusive use of its systems, several changes in thinking are required. The first change is from searching for traffic that damages the organization's data to looking for traffic that might damage the employees. The next is a change from being on guard primarily for technology-based attacks to guarding against behavior-based threats. But the foundational change is expanding and enhancing the definition of "harm" so that any of this matters to the IT security team's mission.

The most valuable asset
One of the catch-phrases of the modern business era is that data is an organization's most valuable asset. Well, that's when corporate management isn't telling potential and current employees that people are the organization's most valuable asset. If we just say that people and data are an organization's most valuable assets, then it's a straightforward path from there to a position where IT security should be watching after the safety of both.

IT security is already keeping an eye on behavioral issues; just about every company now trains employees on ways to safeguard data and equipment when traveling or opening strange email messages. The security group will often amplify that with technology that looks for ill-considered user behavior and protects the organization to some extent from its effects. From a strategic point of view it's a relatively small step from those actions to protecting users from bad behavior.

A most pervasive problem
Recent revelations make it clear that harassment, bullying and intimidation are far more common than most men were willing to admit -- women (and, in similar situations, individuals who are members of minority groups) have known about these horrible behaviors all along, even when organizational structures made it all but impossible for victims to talk about them. While much of the behavior happens IRL (in real life, or face-to-face), the electronic trail that we've seen in several of these very public cases proves that IT is involved as the means for bad behavior in many instances.

IT can rightly take credit for many developments that have made organizations more effective and brought diverse viewpoints and experiences more fully into the business world. It's time for IT security to step up to protect those voices and the people who carry them so that all of us can continue to safely and confidently move forward.

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.
