Yesterday we had our monthly all hands meeting at my company. In these meetings we allocate some time to various things to increase our team’s knowledge and skills. This time we looked at information security, and I gave a little intro to start a more long term discussion and effort to raise information security in our company.

When people discuss information security it’s often along the lines of ‘if you want to do it right I’d have to go full paranoid, and that is completely over the top, so I won’t bother with it at all’. This is akin to saying that because it makes no sense to turn your home into an impenetrable fortress against invaders, you’ll just leave the door standing open. In practice you’ll do something in between those two extremes, and have locks on the door.


Fortress or open door? That’s a false dilemma. (fortress by Phillip Capper, CC-BY, open door by Hartwig HKD, CC-BY-SA and locked door by Robert Montalvo CC-BY)

You know the locks on your door won’t keep out very determined burglars, or say a SWAT team, but they will raise the time and effort needed for less determined intruders to a point where they are discouraged.
At the same time, keeping the door closed and locked isn’t just useful to keep out burglars; it also keeps out the wind, rain, leaves and dust blowing in from the street.
Similarly, in information security you won’t keep out determined government three-letter agencies, but there too there are basic hygiene measures, and a variety of further measures that raise the cost of more casual or less determined attacks. As with preventative measures at home, information security can be viewed as layers on a spectrum.

I tried to tease out those layers, from the most basic to the most intensive:

  1. hygiene
  2. keeping your files available
  3. basic steps against loss or theft, also on the road
  4. protect client information, and compliance
  5. secure communication and exchanges
  6. preventing danger to others
  7. traveling across borders outside of the Schengen area
  8. active defence against being targeted
  9. active defence against being targeted by state actors

For each of those levels there are multiple dimensions to consider. First of all, in recent years a new group of actors interested in your data has clearly emerged: the tech companies whose business model is adtech, and who track you as much as they can get away with. This adds the need for measures at all but the most intensive levels, and especially means the basic levels intensify.
Then there’s the difference between individual measures and what can be arranged at the level of our organisation, and how those two interplay.

Practically, each level can be divided first along the lines of our two primary devices, laptop and phone. Second, there’s a distinction between technological measures and behaviour (operational security).

The list of levels, and the distinction in dimensions, as I showed them yesterday

I provided examples of how that plays out on the more basic levels, and on the most intensive level. E.g. on the level of hygiene, technological measures you can think of are firewalls, spam and virus filters, a privacy screen, ad blockers and tracker blockers, and using safer browsers. Behavioural measures are not clicking links before checking where they lead, recognising phishing attempts, not plugging in USB sticks from others, using unique user names and passwords, using different browsers for different tasks, and switching off wifi, Bluetooth and GPS (on mobile) when you’re not specifically using them.

Over the years working on open data I’ve increasingly become aware of and concerned about information security, and since early 2014 I have been actively engaging with it. I’m more or less at level 7 of the list above, and with the company I think we need to be at level 5 at least, whereas some of us haven’t quite reached level 1 at the moment. From the examples I gave, and from showing some of the (simple) things I do, we had a conversation about the most pressing questions and issues each of us has. This we’ll use to sequence steps. We’ll create short FAQs and/or how-to sheets, suggest tools and behavioural measures, suggest what needs a collective choice, and provide help with adoption and implementation. I feel this gives us a ‘gentle’ approach that avoids the overwhelm that leads to not taking measures at all.

The first things people mentioned, because they were worried about them, are: usernames/passwords, e-mail, trackers, VPN, and handling copies of IDs.
So we’ll take those as starting points.

If you want to read up on information security and operational security around your devices, the dearly missed Arjen Kamphuis’s book on information security for journalists is a very useful resource. The approach I describe here is more geared to the actual context of the people involved, what I know about their habits and routines, and the context of our work and typical projects.

4 reactions on “Increasing Information Security”

  1. Increasing Information Security (Zylstra.org)


    Ton, a very interesting resource for your team towards information security is Daniel Verlaan’s Laat Je Niet Hack Maken. It gives a good overview of the various actions you can take for the first 5 layers of your model. You can check it at laatjeniethackmaken.nl

  2. A week spent mostly at home (due to a national holiday on Thursday, and a nation wide public transport strike on Tuesday) in which:

    I worked on my company’s admin and book keeping
    We had our monthly all-hands meeting on Wednesday, where I did a first session on information security and operational security
    I pitched myself for taking on a national project on responsible data use by (decentral) public institutions
    Elmine and I prepared for Peter’s Crafting {:} a Life unconference next week
    I worked on an open data project for a province
    The little one turned 3 years old
    Wrote a pitch for an energy poverty experiment using open data, as part of a design sprint that takes place next week
    Went to a former dorm mate’s 50th birthday, with many dear friends present. It’s a luxury to just be and hang out together, because you’ve known each other for 30 years, apart from catching up on the most recent context
    22 by Edward and Caroline, license CC-BY-SA

  3. Today 17 years ago, at 14:07, I published my first blog post, and some 2000 followed since then. Previously I kept a website that archive.org traces back to early 1998, which was the second incarnation of a static website from 1997 (Demon Internet, my first ISP other than my university, entered the Dutch market in November 1996, and I became their customer at the earliest opportunity. From the start they gave their customers a fixed IP address, allowing me to run my own server, next to the virtual server space they provided with a whopping 5MB of storage.) Maintaining a web presence for over 22 years is I think the longest continuous thing I’ve done during my life.
    Last year I suggested to myself on my 16th bloggiversary to use this date yearly to reflect:

    Last year the anniversary of this blog coincided with leaving Facebook and returning to writing in this space more. That certainly worked out. Maybe I should use this date to yearly reflect on how my online behaviours do or don’t aid my networked agency.

    In the past 12 months I’ve certainly started to evangelise technology more again. ‘Again’ as I did that in the ’00s as well when I was promoting the use of social software (before its transformation into today’s mostly toxic social media), for informal learning networks, knowledge management and professional development. My manifesto on Networked Agency from 2016, as presented at last year’s State of the Net, is the basis for that renewed effort. It’s not a promotion of tech for tech’s sake, as networked agency comes part and parcel with ethics by design, a perception of digital transformation as distributed digital transformation, and attention in general for how our digital tools are a reflection and extension of our human networks and human nature (when ‘smaller’ and optionally networked for richer results).
    Looking back 12 months I think I’ve succeeded in doing a few things on the level of my own behaviour, my company, my clients, and general communities and society. It’s all early beginnings, but a consistent effort of small things builds up over time steadily I suppose.
    On a personal level I kept up the pace of my return to more intensive blogging two years ago, and did more to make my blog not only the nexus but also the starting point for most of my online material. (E.g. I now mostly send out Tweets and Toots from my blog directly). I also am slowly re-adopting and rebuilding my information strategies of old. More importantly I’m practicing more show and tell, of how I work with information. At the Crafting {a} Life unconference that Peter organised on Prince Edward Island in June I participated in three conversations on blogging that way. Peter’s obligation to explain is good guidance in general here.
    For my company it means we’ve embarked on a path to more information security awareness, starting with information hygiene mostly. This includes avoiding silos where possible, and beginning the move to a self-hosted Slack-like environment and our own cloud. This is a reflection of my own path in this field since the spring of 2014, then inspired by Brenno de Winter and Arjen Kamphuis, whose disappearance a year ago made me more strongly realise the importance of paying lessons learned forward.
    With clients I’ve put the ethics of working with data front and center, which includes earlier topics like privacy law, data sovereignty and procurement, but also builds on my company’s principle of always ensuring the involvement of all external stakeholders when it comes to figuring out the use and value of open government and open data. Some of that is awareness raising, some of that is ensuring small practical steps are taken. Our company is now building up a ‘holistic’ data governance program for clients that includes all this, not just the technical side of data governance.
    On the community side several things I got myself involved in are tied to this.
    As a board member of Open Nederland I help spread the word about how to allow others to make use of your work with Creative Commons licenses, such as at the recent Open Access Week organised by the Leeuwarden library. Agency and making, and especially the joy of finding (networked) agency through making, made possible by considered sharing, was also my message at the CoderDojo Conference Netherlands last weekend.
    Here in the Netherlands I co-hosted two IndieWebCamps in Utrecht in April, and in Amsterdam in September (triggered by a visit to an IndieWebCamp in Germany a year ago). With my co-organiser Frank we’ve also launched a Meet-up around IndieWeb in the hope of more continuously engaging a more local group of participants.
    I’ve also contributed to the Copenhagen 150 this year at Techfestival, which resulted in the TechPledge. Specifically I worked to get some version of being responsible for creating ongoing public debate around any tech you create in there, to make reflection integral to tech development. I took the TechPledge, and I ask you to do the same.
    Another take-away from my participation in the Copenhagen 150, is to treat my involvement in the use and development of technology more deliberately as a political act in its own right. This allows me to feel a deeper connection I think between tech as extension of human reach and global topics that require a sense of urgency of humanity.
    Here’s to another year of blogging, and, more importantly, reading your blog!

  4. As of our last all hands meeting we have moved our company to using NextCloud on a server in a German data center. This is the second major step in improving on our information hygiene in the company, after adopting RocketChat and leaving Slack.
    I had created the cloud already last May, but we had not transitioned everyone in the company and all our work. That transition has now been made.
    It allows us to avoid having to work with clients in cloud environments like Google Docs, it has OnlyOffice for online collaboration in documents, it allows us to avoid file transfer services in favour of being able to provide (time limited, password protected) download links from our own server, and it has integrated STUN/TURN support so we can do (video)conference calls from within our own environment. It’s a managed server/service for a few hundred Euros per year. A key benefit is being able to nudge our clients to routines less exposed to the data hungry silos, and also to show compliance with (regularly inconsistent and differing) rules regarding which online services they do and don’t allow. Setting an example is in itself a benefit given our work on transparent data governance, data ethics and accountability.
    In the coming weeks we’ll aim to get fully accustomed to our new working environment, but so far it has been pretty self-evident.
    Screenshot from working with a colleague in OnlyOffice (content blurred obviously)
    We are working our way through a list of things to improve our overall information hygiene, a discussion I started last spring. It involves changes at the company level (like Nextcloud and Rocketchat) and changes at the individual level (helping colleagues e.g. with password management. We moved all of us onto the same password manager, which also includes the option to share passwords from a company account). It focuses on tools and technological measures, as well as on behaviour and work routines. And it looks at both laptop and mobile devices. I’ve created an ‘information hygiene ladder’ on those three dimensions, with a different level of information security at each rung, that we can strive for. The upper end, the “I’m being targeted by a three letter agency”, we’ll never address I’m sure. But there is a wealth of opportunities to improve our information security level before that extreme stage.
