The Reality – Simple Risk Case
The frame for this post is based on discussions taking place on LinkedIn. Recently, LinkedIn made a change through which I have become more visible to new communities of people. As a result, I have seen a significant uptick in requests from people to connect and talk.
While I can't address them all, I am writing based on some shared themes and interests. One of the current issues facing us that I believe is critically important to organizations is the increased risk from feature and function changes within an organization's current digital workloads and capability set (what this post calls Adjacent Feature and Function Risk).
What this means is that all the protections a company puts into place by building requirements and working with legal, cyber, privacy, and compliance teams are exposed to a level of risk beyond anything we have seen before. As this has come up a number of times in conversation, I think it is important to point out a few threads. Regardless of your perspective, it is something to explore with your organization.
To keep this very basic, I'll use one example with no integrations and only the basic software found in normal corporate or organizational workloads.
Windows and the Microsoft 365 platform change constantly, and each change is an opportunity for users. Some of the features are simple enhancements to current capabilities, but others offer adjacent capabilities that companies simply aren't aware of. At the speed at which these changes arrive, and with the pressure to roll out the new services, they get lost or missed. In defense of Microsoft, I can argue that "we" the community asked for this. At the same time, trying to manage Microsoft changes in an organization is like catching those tiny pieces of dust we see floating in the sunlight. We are mostly blind to the changes unless something gets our attention or we were consistently watching for them in the first place.
Let’s be practical here.
If you are reading this right now on an up-to-date Windows 10 machine, press the Windows key and the letter G at the same time. There is a good chance the Xbox Game Bar came up; from there, Windows key + Alt + R starts a recording of whatever is on screen. If it did come up, and you are on a corporate machine, the next question to consider is "What is the recording policy for your company?" If the answer is that you shouldn't have the ability to record, something was missed somewhere.
Now, let's say for a moment that your corporate build team is "best in class", and I can tell you there are many professionals out there who have their act together. They would still have to know explicitly that this feature exists and that it is required to be shut off. Nothing in the default build turns it off for them.
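As an added example (not from the original post), the following PowerShell audits whether Game Bar capture is still possible on the machine the script runs on, and optionally sets the machine-wide policy that turns Game DVR off. The registry paths are the documented Windows policy and per-user capture settings; the function names, the reported fields and the `-Remediate` switch are this example's own choices. An absent value means Windows falls back to its default, which on Windows 10 is "on", so the audit treats "not set" as "allowed".

```powershell
# Added example, not part of the original post.
# Audits Xbox Game Bar / Game DVR capture state on the local Windows 10 machine
# and can enforce the "disabled" policy. Run elevated to remediate.
[CmdletBinding()]
param(
    [switch]$Remediate   # set the HKLM policy that blocks Game DVR (needs admin)
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # key or value absent: Windows uses its built-in default
    }
}

function Get-GameBarCaptureState {
    # Machine-wide policy: "Enables or disables Windows Game Recording and Broadcasting"
    $policy     = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR' 'AllowGameDVR'
    # Per-user toggles behind Settings > Gaming > Captures (user can flip these back on)
    $appCapture = Get-RegistryDword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\GameDVR' 'AppCaptureEnabled'
    $gameDvr    = Get-RegistryDword 'HKCU:\System\GameConfigStore' 'GameDVR_Enabled'
    # Is the Game Bar app package even present for this user?
    $pkg = Get-AppxPackage -Name 'Microsoft.XboxGamingOverlay' -ErrorAction SilentlyContinue

    $policyBlocks = ($policy -eq 0)
    # $null -ne 0 is $true in PowerShell, so an unset toggle counts as "on" (the default)
    $userOn = (($appCapture -ne 0) -or ($gameDvr -ne 0))

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UserName           = $env:USERNAME
        GameBarInstalled   = [bool]$pkg
        PolicyAllowGameDVR = if ($null -eq $policy)     { 'not set (default: allowed)' } else { $policy }
        UserAppCapture     = if ($null -eq $appCapture) { 'not set (default: on)' }      else { $appCapture }
        UserGameDVR        = if ($null -eq $gameDvr)    { 'not set (default: on)' }      else { $gameDvr }
        # Capture is possible only if policy does not block it AND the user has it on
        CaptureAllowed     = (-not $policyBlocks) -and $userOn -and [bool]$pkg
    }
}

function Disable-GameBarCapture {
    # Policy key wins over the per-user toggles; this is what a build team would push via GPO/Intune.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR'
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    Set-ItemProperty -Path $policyPath -Name 'AllowGameDVR' -Type DWord -Value 0
    # Also flip the current user's toggles so the Settings page reflects reality immediately.
    $userPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\GameDVR'
    if (-not (Test-Path $userPath)) { New-Item -Path $userPath -Force | Out-Null }
    Set-ItemProperty -Path $userPath -Name 'AppCaptureEnabled' -Type DWord -Value 0
    Set-ItemProperty -Path 'HKCU:\System\GameConfigStore' -Name 'GameDVR_Enabled' -Type DWord -Value 0
}

$state = Get-GameBarCaptureState
$state | Format-List

if ($state.CaptureAllowed) {
    Write-Warning "Screen/audio capture via Game Bar is possible on $($state.ComputerName) for $($state.UserName)."
    if ($Remediate) {
        Disable-GameBarCapture
        Write-Host 'Policy applied. Sign out and back in for the Game Bar shortcut to stop responding.'
    }
} else {
    Write-Host 'Game Bar capture is blocked or unavailable.'
}
```

Run it without `-Remediate` first and collect the output across a sample of builds; the `PolicyAllowGameDVR` field is the one that tells you whether anyone ever wrote the requirement down, because the per-user values alone can be changed back by the user from Settings.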
Let's move on to something a little less obvious. If you have the OneNote desktop app on your computer, you can record audio and video from inside a page. If the audio quality is high enough (which these days it usually is), that audio can be transcribed. If you are using the newer Microsoft 365 Click-to-Run Office, you can also record your screen, including a video conversation in progress. Want to know how?
Open PowerPoint, create a blank presentation, click Insert, then click Screen Recording. By changing the Windows sound input settings for your audio device (for example, selecting its loopback or "Stereo Mix" input) you can capture internal audio, and with it both sides of a conversation. Beyond this, you can transcribe the result and translate it into other languages using other Office features. These services are great! At the same time, I am willing to bet that some folks in your organization would be shocked at what you can do with a little up-to-date knowledge.
This is a very simple example. These features are also becoming available without a desktop thick client. As Microsoft delivers more of its services through the browser, an endpoint configuration alone no longer covers them: the features have to be turned off in the service itself, through tenant and cloud policy settings, in addition to the desktop and laptop controls.
Microsoft has a "default on" approach, meaning that many of its services are simply turned on whenever they become available, and it is up to the customer to turn them off. Essentially, you need a team of people managing this, including technical, policy, process, change, cyber, compliance, and finance. Unless you are in a defense organization, there is a very good chance your company or organization doesn't have a team like this looking at these together.
The risks are very high, and while I am using Microsoft as the example, I am not picking on them. Most service providers are doing the same thing. It reminds me of when I was working at a school division some years ago. We would work through the software configuration in great detail and literally look at all of the features and functions to protect the children and teachers, but the kids were always ahead of us. They always found ways to exploit code inside the software. That is the key to understanding the associated risks today. Adjacent feature and function risks are probably one of the most overlooked issues in organizations today.
Something to think about…
Challenge and explore on your own, check it out .. ask questions …
What do you think?