Publishing information is a form of communication, and as Osmo A. Wiio said in his first law of communication: “Communication usually fails, except by chance.”
When I began working as an information security specialist, there was a data breach, which I wrote an article about for our intranet. It only took about an hour before a journalist from a local newspaper called our IT Director with a juicy headline in mind: “Massive data breach on campus”.
My article was not open enough – it left some things to the imagination. In the end, the case was not newsworthy, but I learned to communicate more openly and understand that the internal communication channels in large organisations are, for all practical purposes, public.
It is better to be thoughtfully open than passively silent.
Let us consider the importance of open information for an organisation’s operations.
One good example related to safety is the provision of up-to-date information to consumers about expected repair times in the event of a power cut or a planned power outage. Both provide users and, depending on the transmission grid where the outage occurs, other actors with information relevant to their safety or feeling of safety and give the organisation an opportunity to concentrate on handling the outage effectively.
One bad example related to continuity is allowing all types of photography in the automation control room. In production environments based on recipes, the most important information to protect – the recipe – can be copied from a photograph of an automation screen. If a visitor takes a photo on their mobile phone and shares it on social media, it could enable low-cost production in foreign countries and jeopardise businesses and jobs.
Before information is shared, it should be assessed in terms of the advantages and disadvantages, for example, in the following way. By default, information should be confidential, and it should always be
a conscious decision to reclassify information as public or secret.
Open: The organisation benefits from sharing the information.
Internal: The organisation does not benefit if the information spreads outside the organisation.
Confidential: The dissemination of the information causes harm to the organisation, its customers, suppliers or employees.
Secret: The dissemination of the information causes severe harm to the organisation, its customers, suppliers or employees.
Open publication of information is a conscious step in the management of business continuity and security. The information vacuum always seeks to be filled, irrespective of the organisation, so it is better to be thoughtfully open than passively silent.
Jari Seppälä is an information security specialist in automation who has safeguarded critical infrastructure for the security of supply in cooperation with parties in the energy sector since 1999.
