Oh no, I hear you say. Another exhortation from someone in IT about how I should not write passwords down, should have unique ones, and should not click on dubious emails. Not so fast! This is actually to make the point that the risk picture for information is much more nuanced than IT would have you believe.
Notice that I use the word information, not the acronym IT: they are two different things. For a start, most security policies start and stop at the frontiers of the technology: how many businesses properly have controls on what papers can be carried out of the office? In many ways, papers are more dangerous - they can be read without a password and cannot be remote-wiped. Secondly, mistaking IT for information means that businesses have outsourced the management of their information to computer people, who (typically) prefer the binary of the motherboard to the ambiguities of real life. Thus they have built networks of technology into The Network, centered around the needs of those who manage that Network, not those whom technology is supposed to serve. Everything becomes deliciously un-nuanced: things are either On the Network or Off It, trusted or not. The only risk becomes one of penetration. Simples.
Except it's not in the real world. Even before this COVID emergency, being in a different place from The Network was not exactly unheard-of: salespeople on the road, and the awkward presence of business partners in a value chain that did not sit inside a Network. Still, configuring a VPN and offering people the chance to get their emails on their phone should do the trick. Er, no. A Network makes the mundane internal communication easy and the valuable inter-company connection really difficult.
The point I am trying to make is that there are more risks to information than just penetration. If you put the word information in front of the word security you typically mean the challenge of preventing unauthorised access to that information: if you put the word energy in front instead you are often talking about the challenge of maintaining supply. And it is this risk of non-supply of information that is the one suddenly confronting businesses as they realise that, for all their trumpeting about twenty-first-century digitisation, they are really no less dependent on the analogue infrastructure of the office than their nineteenth-century counterparts, whizzing internal memos about through compressed air tubes.
Ironically it is those businesses most obsessed with the first risk of penetration that have made themselves most vulnerable to the second: IT bods have obsessed themselves with the "risk" of putting stuff in the cloud. It is now obvious that it has been hugely risky not to. The risks of confidentiality in the cloud can be managed: the absence of a proper network (with a small n) of information outside the office cannot be fixed with the sticking plasters of a VPN and a hurried subscription to Zoom.
When (I hope) things return to a more normal footing, and after thanking the IT department for their heroics in working all hours to apply emergency measures, perhaps a question or two needs to be addressed to the IT headshed as to why the business was so vulnerable in the first place to risks that were obvious (and mitigatable) way back in the SARS emergency of 2003.