Continuing on in my theme of security, I recently asked myself the question "If you reveal to someone some information and ask them not to share it, and then that information later on leaks, whose fault is it?"
Let me give you a specific example I am thinking of. A company invites all of its employees to a meeting and gives them a sneak preview of products that will soon be released. "But," they say "don’t tell anyone about this or blog about it/write about it/talk to the press because we are waiting to reveal it at our big launch event in a few weeks. So, keep this to yourselves."
Well, the next day, the PR rep gets a call notifying them that the secret product was leaked to the media via some channel (maybe a blog comment). The PR department tracks down who was responsible and asks them a few questions like what they were thinking when they blabbed about the product after being specifically asked not to. Note to readers: I do not speak from experience, this is a hypothetical scenario.
My question is this – whose fault is this? While the employee in question certainly did something stupid by going against the specific requests of the company, quite frankly, if you have information that you don’t want disseminated, then don’t reveal it in the first place. This is particularly true when you can’t control or influence the actions of those you reveal that information to. If it really is a secret, then treat it like that – a secret. Once the cat is let out of the bag, it’s not going to go back inside (most cats don’t like going into bags).
If you have employees at work who shut off their antivirus and their computer gets infected, then maybe you should create a policy to make it very difficult, though not impossible, to shut it off (sometimes there are legit cases when you want to do this). If you have a product that you don’t want the press to know about, then don’t tell all of your employees what it is and then ask them not share it.
Information leaks; revealing that information and telling thousands of people not to distribute it reminds me of that one episode of the Simpsons. Marge says to Homer "Now Homer, don’t you eat this pie!" Homer says "Okay…" and after Marge walks out he says "… but I am going to start chomping my mouth. And if the pie gets eaten, it is its own fault!" The pie, of course, gets eaten.
My point is that if you can reasonably predict what will happen if you reveal information, namely that it will get out, and you still choose to reveal that information, you are not absolved of all responsibility.