
1. This guide emphasizes how information security strategy has changed over the past two decades due to advancements in technology. What do these changes mean for you personally in managing and securing your own personal systems and data?

2. Take a few minutes to conduct an Internet search on insider threats. Besides some of the high-profile cases of employees stealing and selling or distributing corporate data, what other examples can you find?

3. What kinds of collaboration tools have you used to complete class assignments and projects? Could these collaboration tools pose a risk to you? How?

4. How do you feel about the trend of companies using new technologies to monitor their employees? Would you want to work for a company that uses monitoring technologies? Why or why not?

5. Monitoring digital activity is not exclusive to the workplace. Internet service providers monitor your Web traffic, and many Web sites monitor everything that you do while interacting with their site. What does this mean for users working from home? How might an ISP's monitoring activities be a threat to corporations?

SECURITY GUIDE: Evolving Security

In the past, protecting an organization's information systems and data was often equated to protecting a castle. Castles used defenses like moats, large walls, and towers to protect inhabitants from enemies lurking outside their walls. Information security professionals used the castle model as a metaphor to describe how security measures such as firewalls and intrusion detection systems (IDS) could be used to create a barrier between internal information systems and hackers working to compromise them.

However, the castle model is no longer feasible for most organizations. The rapid spread of smartphones, laptops, and other network-enabled devices has completely transformed organizations' network architecture. Physical boundaries are nearly gone. Organizations now have hundreds, and in some cases thousands, of devices (e.g., laptops, tablets, and phones) that are used by employees both inside and outside the company. Employees can use these devices to access corporate servers remotely and store corporate data locally.

Information security professionals now use a city model to describe their efforts to secure corporate information systems. In the city model, authorized users, as well as visitors, are free to roam the digital city with any device they'd like. But access to individual buildings, servers, and data is restricted. Users can access resources only if they're authorized.

But the city model isn't perfect. If users' devices are compromised, hackers could use them to access remote corporate networks or steal data directly from the device's local hard drive. Trying to secure this type of digital environment is even more challenging when you consider the diversity of devices, operating systems, and applications being used. It's a daunting task.

The loss of physical boundaries and the proliferation of devices mean that information security professionals need to be more careful about controlling access to resources. They also have to monitor user behavior much more closely than before. Not everyone in the city can be trusted.

Vetting Insiders

Employees acting maliciously within an organization are often viewed as one of the biggest concerns of information security professionals (remember Edward Snowden and the NSA). Employers try to reduce the risk of rogue employees by conducting thorough background checks before hiring. They conduct interviews, run credit reports, and administer personality surveys. But what happens when a company engages in a collaborative project with another firm? How can team leaders be sure their corporate partners have been evaluated with the same level of scrutiny?

The hard truth is that these types of assurances cannot be made in most cases. Granting network access to outside collaborators can pose a considerable threat. A temporary collaborator granted access to an internal network could steal corporate data more easily than a cybercriminal attacking it from the outside. In a way, it's similar to trusting your siblings. You may trust your brother or sister, but do you trust their friends?

Employee Monitoring

You may be wondering if there is anything employers can do to mitigate the risks of an insider threat or a sketchy corporate partner. Employers are increasingly monitoring Internet usage, tracking GPS information on vehicles and mobile devices, recording keystrokes, monitoring social media activity, and reviewing emails.[10] While some of these activities are illegal for employers to conduct in some states, many or all of these activities are permitted in most states. Monitoring activities can be used to provide a fairly robust picture of employee behavior. They can also be used to identify risk levels for each employee within the organization.

For example, in a recent study by Paul Taylor at Lancaster University, researchers found that employees who were planning to act maliciously changed the way they interacted with their coworkers. They started to use singular pronouns (like I, me, or my) rather than plural pronouns (like us, we, or our). They became more negative, and their language became more nuanced and error-prone.

Researchers are also developing new technologies that can be used to monitor and interpret not only what users are typing or clicking on but also how they are typing and how they are moving their mouse. These measurements can then be used for any number of applications, like making sure you are not reusing corporate passwords or identifying stress or anxiety while you are writing an email. By the time you enter the workforce, almost everything you do for your company has the potential to be monitored and analyzed!
