There has been substantial press coverage about how recruiters examine job candidates’ social media profiles to gain a bit more insight about prospective employees. While the merits and ethics of doing so are subject to substantial debate, there is evidence to suggest that social media can provide some interesting clues about how vulnerable some people are to phishing scams.
For example, 100 students from an undergraduate psychology at the Polytechnic Institute of New York were sampled. These students a) completed a survey focused on their beliefs and habits with regard to online behavior; b) asked about how likely they thought they would be the victim of online crime, such as password theft; and c) completed a personality assessment survey. After completing these activities, these students were then sent obvious phishing emails.
One out of six of those tested – most of whom were engineering or science majors – fell for the scam emails. Ignoring the gender differences of those who were most likely to fall for the phishing emails in this study (nope, you’re not getting me into that Vietnam War), the researchers found that hose with the most “open” personalities – i.e., those who are most extroverted – were more likely to fall for phishing scams. The findings strongly suggest that people who overshare on Facebook or Twitter, for example, are more likely to become victims of phishing scams and other online fraud than those who are more introverted, share less or who don’t even have social media accounts. Another study found that younger students (aged 18-25) were more likely to fall for phishing scams than their younger counterparts.
So why the differences:
- Extroverts tend to be more optimistic overall and so may be less inclined to assume that suspicious emails are being sent to them for nefarious reasons. Introverts, on the other hand, are generally less optimistic and so may be more skeptical of the world around them, including of emails that don’t seem quite right.
- Extroverts may have a perception of upside benefit vs. downside risk that is at odds with the needs of the corporate security model. For example, the ability to gain some perceived benefit by responding to an offer in a phishing email or friending a stranger in social media may overwhelm whatever training users might have received about the risks of these kinds of behaviors.
The issue for corporate security managers is obviously good user training and robust security technology. However, the missing element may end up being the critical need to evaluate those personality types that are most vulnerable to being fooled by phishing scams, malicious social media contacts and the like.
Years ago I worked for Dr. John Ryan, a very bright man who is now a senior manager at Google. He would periodically mention in talks that fighter jets are getting lighter and faster over time, so much so that if you extrapolated their weight and speed far enough into the future, they would eventually weigh nothing and fly infinitely fast. He would then ask what that described…the answer was software.
I attended EMC World this week and came away reminded of that story. One of the key themes at this annual conference was “the third platform” – the growing movement toward lightweight applications and rapid application development focused on the needs of an increasingly mobile workforce and society. Although the first platform (mainframes) and second platform (client/server and Web) are still quite relevant, the third platform, characterized by increasingly rapid development and lighter applications as we migrate toward the Internet of Things, represents the direction that computing is moving, and rather quickly at that.
What are the implications?
- It means very rapid application development that integrates data, analytics and applications in a continuously evolving loop to generate applications and updates to them very quickly, sometimes in just a matter of hours instead of the months or years that traditional software development requires.
- It means a zero-tolerance for downtime, since applications are updated on-the-fly instead of the traditional model of bringing down a server, installing the update and then bringing it back up – or worse, having the server or the application break (this point was driven home in one session that showed the healthcare.gov Web site and its downtime message seen and enjoyed by millions). That doesn’t mean that servers won’t ever go down in the third platform, only that the third platform is designed to operate with no scheduled downtime.
- It means that every company becomes a software company (sort of) in the model of Google or Facebook, designing applications for customers to use as an interface to services instead of the traditional customer service model.
- It means that data volumes increase exponentially as large volumes of rich data replace the text-based systems of the first and second platforms.
- It means a continued shift toward massive amounts of CPU power and very cheap storage, all of which is allocated dynamically based on the workloads that need to be addressed at the moment.
I was impressed by EMC’s approach at the conference in a couple of ways. First, the company today derives at least 95% of its business from the second platform. Some companies might wait until they were bleeding profusely before entertaining a shift to a new business model, but EMC seems to be reasonably proactive about shifting their business away from their bread and butter. There’s something to be said for management that can not only read the handwriting on the wall, but to heed its advice before it’s too late. Second, EMC were quite frank about where they have not done a good job. That may have been because they were talking to an analyst community that would have seen through fluffy platitudes anyway, but I got the impression that there is a new level of frankness on the part of the company’s management – quite refreshing for such a large company.
Also impressed by EMC’s acquisition of DSSD, a seemingly well-funded, very stealthy, four-year-old startup focused on developing very high-speed flash memory arrays. Don’t know much about them, and EMC was not overly forthcoming on the specs for their technology, but this certainly bears watching. GigaOM had a good article on DSSD last year that you can view here.
EMC, like all hardware companies, is making a somewhat painful set of transitions: most notably to the third platform and to a cloud-delivery model that often just means customers want to pay less for what they already have. On balance, EMC seems to be making the transition fairly well.
We have recently conducted a healthcare-focused survey for Netmail and found that HIPAA violations are just waiting to happen. For example, our research found that:
- 33% of the organizations we surveyed do not have a data loss prevention (DLP) solution that will monitor outbound email for potential HIPAA/HITECH violations.
- 20% have not established any anti-spam, anti-virus, DLP, encryption or other standards with organizations with which they have HIPAA Business Associate Agreements.
Our research also found that various file-sharing and social media tools are used in healthcare organizations, including Dropbox, Box, Google Drive, Microsoft OneDrive, SharePoint, Novell Vibe and a variety of other tools. While these tools are quite useful and almost always work as advertised, their use in a healthcare-related environment – hospitals, clinics, medical practices, doctors’ offices, insurance companies, benefits administrators and others that share PHI – might not be a good idea without the appropriate technologies in place to protect against accidental or intentional disclosure of confidential or sensitive information.
As a result, many of the organizations we surveyed aren’t all that confident that they’re managing their data very well. For example:
- Only 59% of those surveyed believe that their organization is doing a “good” or “great” job at managing compliance.
- The same proportion believes they are doing a good or great job at preventing data leaks.
- 58% think they’re doing a good or great job at managing secure file sharing.
Interestingly, neither HIPAA nor HITECH require that PHI be encrypted during transmission or at rest, although some states require encryption, including Oregon and Minnesota. As a matter of best practice, however, all Covered Entities and Business Associates should encrypt data to ensure that unauthorized parties cannot intercept PHI.
For more information on our research and a discussion of these issues, check our blog post here.