elevenM turns five

elevenM turned five this week.

I recall a stat from university that half of all small businesses fail within the first five years. I am not sure if that stat still holds true, but it is something that has stuck in my mind. Maybe that is the reason I felt the need to note this milestone having not done so for any of the previous years. The subconscious works in mysterious ways.

What I would like to do is to take this moment to thank the wonderful Melanie Marks, a better business partner I could not have dreamed of, and the energetic and talented team at elevenM for getting us here.

Lastly, I would like to take this opportunity once again to thank the clients who have supported our business over the past five years. Simply put, without you we have no business. We have not, nor will we, ever take that for granted.

Best regards

Pete

End of year wrap: What the Four Seasons Total Landscaping debacle taught us about privacy and security

It’s been a dumpster fire of a year, and so, for our end-of-year wrap, we looked to the most ridiculously hilarious moment of the year.

Here are five lessons we took from the infamous Four Seasons Total Landscaping debacle: 

Is supplier risk management useless?


So here we are again. Another supply chain attack has led to the compromise of highly sensitive computer networks. Is this the point where we draw a line under supplier risk management, put our hands up and say ‘too hard’? Alex Stamos, Adjunct Professor at Stanford University’s Center for International Security and Cooperation and former chief security officer (CSO) at Facebook, seems to think so. In a tweet following the SolarWinds compromise he said,

“Vendor risk management is an invisible, incredibly expensive and mostly useless process as executed by most companies. When decent, it happens too late in procurement.”

For those of you who follow our blogs, you will know that this is a subject we also have strong views on. It is our view that supply chain risk is something companies cannot solve on their own. We were therefore delighted to see statements in the 2020 Australian Cyber Security Strategy indicating that help is on its way:

“The Australian Government will establish a Cyber Security Best Practice Regulation Task Force to work with businesses and international partners to consider options for better protecting customers by ensuring cyber security is built into digital products, services and supply chains.”

What this Task Force will look like in practice remains to be seen. Given recent events, however, we at elevenM hope that whatever action it takes is delivered sooner rather than later.

What non-mask wearers teach us about security awareness

elevenM Principal Arjun Ramachandran explores why observance of coronavirus restrictions and advice varies across countries and societies, and the potential lessons for those in the game of persuading people to adopt good security behaviours.  


“Wear a mask”. “Practice social distancing”. “Isolate”.

Clear, consistent, universal.

But cast your eyes from country to country, even community to community, and you see incredible variance in how the advice sticks.

The management of COVID-19 in the community highlights a core challenge in how companies cultivate positive security and privacy behaviours among their people. Clear guidance and engaging messages alone don’t always get the job done.

As public health practitioners have learned through the pandemic, and as those of us engaged in security and privacy persuasion must recognise, we work in a broader context.

The fingerprints of culture are evident in how different societies are responding to coronavirus guidelines and restrictions. Values like individualism, community, mutual obligation, respect for the elderly and deference to authority – and the extent to which they dominate a culture – clearly influence how communities behave, and how they will respond to advice and guidance.

“Maybe we’ll change our culture so that it’s not expected or brave of you to go to work sick. Maybe we’ll start to protect each other the way Asian cultures do. It’s pretty normal in Asian societies to wear a mask when you’re sick when you go out in public and to stay home if you can. We are the exact opposite. We wear masks to protect ourselves and we feel free to show up at a meeting when we have a fever.”
VICE

Sure – when you’re trying to inculcate good security or privacy practices, repeatedly broadcasting actionable advice will get these messages onto the radar of employees. Heck, if you’re clever enough to make the advice funny or entertaining, it might even go viral! You’ll have smashed a bunch of internal engagement metrics and hit some awareness goals.

But as with “Wear a mask!”, lack of awareness isn’t always the barrier. People can know what to do and still act contrarily. Or, they might follow the rules, but only in circumstances where compliance is monitored or defined.

If we want to go beyond compliance, and if we want behaviours to be both lasting and self-applied across contexts, then our goal must be for employees to internalise and identify with those desirable behaviours.

That’s why we encourage organisations embarking on security or privacy education activities to look at shaping culture as a vital complement (if not a precursor) to their education and awareness activities.

Culture is ultimately a set of shared values and beliefs, expressed through collective behaviours and practices.

Research tells us that values, or more specifically an alignment of values, create the conditions for people to internalise behaviours.

Yet while organisations abound in discrete bits of security advice (“don’t click this, make sure you do that”), the values underpinning the desired security and privacy behaviours are often never defined or articulated with employees. It could be as simple as revisiting the company’s existing set of corporate values and expressing how security or privacy are integral to that value set.

For staff to identify with values and desired behaviours, they will also expect to see them being exhibited and advocated by those they admire or respect. This is where an organisation’s high-profile security champions can play a role, and where its most senior leaders have a responsibility.

For more on security culture, check out our recent work.

Towards a trustworthy COVIDSafe app

elevenM Principal Melanie Marks has joined other leading privacy experts in a submission to the Australian Government on what is required of new federal legislation that will govern the new COVIDSafe app. 


The COVIDSafe app has been introduced at an unprecedented moment and a time of national urgency. To ensure we garner the level of community trust necessary for the app to succeed, we also need unprecedented and urgent legislation that ensures the right privacy safeguards are in place.

This is the essence of a submission made to the Attorney General’s Department by Australia’s leading privacy thinkers.

The submission – led by Peter Leonard (Principal, Data Synergies) and taking input from leading privacy practitioners including elevenM’s Melanie Marks – warns of a “backdoor” that could lead to leakage of data belonging to users of the COVIDSafe app, if new federal legislation governing the app is introduced without sufficient safeguards and coverage.

The paper lays out a series of suggestions to achieve the ultimate objective of ensuring the COVIDSafe app is safe for all citizens to use for its stated purpose of contact tracing.

State and Territory agencies – who will ultimately handle user data from the app – are currently not regulated by the Privacy Act. While the app states that a user’s data – which includes a log of other users of the app they have come in contact with – will only be used for contact tracing by State or Territory officials, the paper notes that enforcement of this currently relies merely on “agreement” and reassurances of “good intent”.

It argues for “legislated assurance” that the data won’t be potentially available to other government agencies, law enforcement and so on.

The paper recommends stronger safeguards and controls to ensure that handling of COVIDSafe data by agencies is separated from other operations. It also calls for oversight of the legislation by a commissioner or ombudsman, and for the encryption of all COVIDSafe app data in transit and at rest.

Read the full paper here.

Four principles for contact tracing technology

elevenM Principal Melanie Marks takes a closer look at proposals to use digital technology to support contact tracing, as governments seek better ways to manage the COVID-19 pandemic.


With reports that Australia may follow in Singapore’s footsteps to build a tracking and tracing app which allows governments and citizens to get ahead of the COVID-19 pandemic, we must ensure that innovation and laws are channeled towards the “right” intended outcomes.

The benefits of introducing greater data sharing at a time of crisis are obvious. However, there are also risks, so it’s critical we proceed in a considered way.

For me the key principles are:

  1. Do what you can to save lives.
  2. There shall be no scope creep.
  3. Permissions shall be wound back when the crisis passes.
  4. Post implementation review is essential (covering law and processes).

We need to build for the short term or at least for a series of stages, featuring “gates” where civil liberties are checked before continuing. And we need guarantees that new architectures being introduced will not be put to secondary purposes. For example, whilst we might consider it okay to trace the movements of a COVID-19 affected patient in order to prevent exposure to others (primary purpose), we should not accept that the tracing can be used to identify how far a person strays from home, in order to hit them with a fine (secondary purpose). This is especially so if we consider that channels of procedural fairness may be harder to access in the circumstances (Robodebt comes to mind).
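The purpose-limitation and wind-back principles above can be enforced in the architecture itself rather than relying on “agreement” and “good intent”. The following is an added illustration, not code from elevenM or from any real contact-tracing app: a contact log that refuses any read not made for the single authorised purpose, refuses everything after a fixed sunset date, purges its data at wind-back, and audits every decision so a post-implementation review has a record to inspect. The user ids, purposes, requester names and the sunset date are constructed for the example.

```python
"""Purpose-bound, time-limited access to a contact-tracing log (added example).

Every read must name an authorised purpose, the authorisation carries a sunset
date after which access is refused and the data purged, and every decision is
audited so a post-implementation review has something to check.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class ContactEvent:
    user_id: str    # pseudonymous id of the app user (constructed value)
    other_id: str   # pseudonymous id of the contact seen (constructed value)
    seen_on: date


@dataclass
class ContactLog:
    # The primary purpose is the only one ever authorised. The set is fixed at
    # creation so nothing can add a purpose at runtime (no scope creep).
    allowed_purposes: frozenset = frozenset({"contact_tracing"})
    sunset: date = date(2020, 12, 31)   # constructed sunset date
    _events: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def record(self, event: ContactEvent, today: date) -> None:
        """Collection also stops at the sunset, not only access."""
        if today > self.sunset:
            raise PermissionError("collection period has ended")
        self._events.append(event)

    def contacts_of(self, user_id: str, purpose: str, requester: str, today: date) -> list:
        """Return contacts of user_id, or raise if the purpose or date is not authorised."""
        decision = "denied"
        try:
            if today > self.sunset:
                raise PermissionError("access window has closed")
            if purpose not in self.allowed_purposes:
                raise PermissionError(f"purpose {purpose!r} is not authorised")
            decision = "granted"
            return [e.other_id for e in self._events if e.user_id == user_id]
        finally:
            # Every request, granted or denied, leaves an audit trail.
            self.audit.append((today.isoformat(), requester, purpose, decision))

    def wind_back(self, today: date) -> int:
        """After the sunset, purge the log; returns the number of events removed."""
        if today <= self.sunset:
            return 0
        removed = len(self._events)
        self._events.clear()
        self.audit.append((today.isoformat(), "system", "wind_back", f"purged {removed}"))
        return removed


def demo() -> dict:
    """Exercise the primary purpose, a secondary purpose and the sunset."""
    log = ContactLog()
    during = date(2020, 5, 1)
    log.record(ContactEvent("u1", "u2", during), during)
    log.record(ContactEvent("u1", "u3", during), during)

    # Primary purpose: contact tracing by a health authority is granted.
    tracing = log.contacts_of("u1", "contact_tracing", "state_health", during)

    # Secondary purpose: the same data for fine enforcement is refused.
    try:
        log.contacts_of("u1", "fine_enforcement", "local_council", during)
        enforcement_denied = False
    except PermissionError:
        enforcement_denied = True

    # After the sunset even the primary purpose is refused, and the data is purged.
    after = log.sunset + timedelta(days=1)
    try:
        log.contacts_of("u1", "contact_tracing", "state_health", after)
        post_sunset_denied = False
    except PermissionError:
        post_sunset_denied = True
    purged = log.wind_back(after)

    return {"tracing": tracing, "enforcement_denied": enforcement_denied,
            "post_sunset_denied": post_sunset_denied, "purged": purged,
            "audit_entries": len(log.audit)}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the purpose check and the sunset are properties of the data store, not of the caller: a new agency or a new use case cannot be granted access by configuration, only by changing the store itself, which is the kind of “gate” at which civil liberties can be re-checked before continuing.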

I had a chance to discuss these ideas recently with Jeremy Kirk, together with Patrick Fair and Susan Bennett, in an article published in DataBreachToday. Click here to read more.