Surprisingly often, a breaking news story falls into our laps at precisely the right moment.
Today, I've been developing a general staff awareness presentation on privacy. Three core messages appeal to me, this time around:
- Privacy is an ethical consideration - something we anticipate or expect of each other as members of a civilized society.
- Privacy is also a compliance obligation - something enshrined in the laws of the land and imposed on our organizations.
- Those two issues together make privacy a business issue.
So, what's been all over the news lately in relation to privacy? Why, the latest Facebook incident, of course.
I'm not going to re-hash the story now, nor draw out the privacy lessons for you. I've given you more than enough of a clue already, and if you read the press coverage with a slightly cynical and jaundiced eye, you'll find your own take on the incident - as indeed will our subscribers' employees ... which makes it an excellent, highly relevant case study to incorporate into the awareness content.
Thanks to the saturation media coverage, we barely need mention 'Facebook' for people to think of the incident. Almost all will have seen the news reports. Those who use Facebook (a substantial proportion of people, we are led to believe) probably have perfectly reasonable concerns about their own privacy. Those who don't use it are also implicated, although we might need to explain that a little. Either way, it's something they can relate to, a story that resonates and has impact. We can pose a few questions that they can contemplate, in their own way, in their own time.
We will exploit their interest to engage them with the awareness program so, in a way, we are also exploiting the victims' personal information, but (we assert) it's for their own good, for the benefit of their employer and for the sake of human society. We mean well. We are not even vaguely approaching the boundaries of decency or legislation. Public incidents of this nature are perfectly legitimate and in fact rich resources for awareness, training and educational purposes. It would be a waste to let them drift back below our consciousness without milking them for all they're worth.
The real trick is to be constantly scanning the horizon for relevant news items. Information security is such a broad topic that finding stuff is hardly ever the issue - the very opposite in fact. The Facebook incident, for instance, is directly and obviously relevant to privacy, but also to incident management, compliance, governance, information risk, information security, cybersecurity, social engineering, fraud, accountability, business continuity and more.
Ethically speaking, I have no qualms about using reported incidents in this way, particularly where the protagonists are implicated in the incidents rather than merely being the poor unfortunate victims of some malicious third party. I'm currently trying to track down the original source of a quoted Goldman Sachs assessment of the eye-wateringly huge amount of revenue Facebook may forgo once GDPR comes into effect, with the strong implication that they have been making their fortune by exploiting the personal information of their users. OK so it may have been entirely legal, but was it appropriate? Was it ethical? Was it socially acceptable? These rhetorical questions hint at how we might explore the same incident from the business perspective in the management awareness materials, making a link that will hopefully get staff and managers thinking and talking animatedly about privacy.
And that's another security awareness win, right there.