



What does the collaborative economy mean for information security?

Mar 09, 2015 | 7 mins
IT Leadership

Most employers allow their staff reasonable use of office products such as telephones, copy machines, coffee and the like. For the most part, employees won’t be using the copy machines to compete with Kinko’s or a company car to compete with black car limousine services. Well, at least not until now.

But what if the dynamic changed such that employees could use corporate and office items for their personal profit? Most firms have never thought about the concept and certainly have no processes in place to deal with it. But that’s something CIOs and CISOs should think about in 2015, as the collaborative economy will be changing that dynamic.

Additionally, employees and employers can use these same technologies and models to make their own businesses efficient. Imagine your employees efficiently sharing rides, desks, equipment, and remote work locations to be more effective in their jobs. On-demand rides, lower cost Airbnbs and shared co-working spaces all offer opportunity for the progressive employer.


The term collaborative economy has been bandied about a lot lately and means a lot of different things to different people. A collaborative economy is based on the premise that some things are better shared. In the collaborative economy, consumers are given convenient access to these shared goods.

Jeremiah Owyang is the founder of Crowd Companies, an early firm in the collaborative economy space. He defines it as “an economic movement where common technologies empower people to get what they need from each other”. For example, this includes homes, cars, services, and even money. As a result, the crowd gets what they need from each other, disrupting traditional middlemen and inefficient institutions.

There are a number of definitions, but whichever one you use, the security and privacy issues must be considered. Ignore them and you can place your firm at risk.

So how big is the collaborative economy space? The first version of the Collaborative Economy Honeycomb was organized into six discrete families (goods, services, space, etc.) and 14 sub-classes. Honeycomb 2 now has 12 families, including a hex focused on corporate solutions for employers.

Also, check out the Mesh Directory for a listing of nearly 10,000 collaborative economy startups, and this list is constantly growing.

Finally, it’s crucial to realize that the collaborative economy is big. Nearly half a million people use Airbnb daily. Its valuation is $13 billion, almost half that of the nearly century old Hilton Worldwide chain. Uber is valued at over $41 billion, making it larger than most airlines.

The collaborative economy is still in a new and somewhat disruptive phase. It’s so new that many cities have no idea how to deal with it. For example, some cities have tried to stop Uber under the premise it is illegal. In some cities, it’s against the law to act like a business if you’re not one. But what about the single employee?

Lisa Gansky is the author of The Mesh: Why the Future of Business Is Sharing, a manifesto of the collaborative economy. She writes that fundamentally, the Mesh (another term for the collaborative economy) is based on network-enabled sharing – on access – rather than on ownership. The central strategy is, in effect, to sell the same product multiple times; something Airbnb, Lending Club, Netflix and ZipCar have done. Multiple sales multiply profits and customer contacts. Multiple contacts multiply opportunity for additional sales, for strengthening a brand, for improving a competitive service, and for deepening and extending the relationship with the customer.

Gansky also noted that 2010 was the first time that more people lived in urban areas than in rural areas. More people in tighter spaces invites sharing and collaboration. Similarly, from a technology perspective, everything is getting smaller, cheaper and more powerful.

In natural systems, waste is never wasted. In nature, waste from one system is food for another. The challenge in business is how to retrieve value from waste of all types, such as idle cars or equipment. It’s finding valued products (or their composite materials), that can be repaired or mined rather than earmarked for the dump. The Mesh invites and enables the recovery of that waste as value.

Using sophisticated information systems, the Mesh also deploys physical assets more efficiently. Though not always and not for everything, the networks or platforms that manage shared transactions have the growing capacity to soar past a company that sells something once to one owner. Everyone reaps the rewards of dramatically improved service and choice at a lower personal and planetary cost.

Collaborative economy and information security

So what does the collaborative economy have to do with information security and risk? A lot.

There are numerous security questions in the collaborative economy if everyone’s sharing goods, space, time and money.

Your workers can now take idle systems, be it in IT, facilities, servers, hotel rooms, office space, you name it, and rent them out. CFO out on vacation for the week? Office space sold.

However, now that many are sharing space, time, cars, goods and money, how will we provide a secure and safe environment?

Even with the security risks, it’s important to note that there are many benefits to the enterprise in the collaborative economy. Employees can share corporate cars, assets and more. This has opportunity as much as it has risk. The challenge is finding the balance.

Action items

Here are some things to do:

  1. Don’t hire people you don’t trust. If you can’t trust them, don’t hire them.
  2. Understand what the collaborative economy means to your firm. Determine how much of a risk it may pose.
  3. Update policies – make it explicit what employees can/can’t do with corporate assets. It’s best to use a carrot and stick approach. Let them know what’s OK, but don’t be overly heavy-handed such that it will alienate your best workers. Engage the team in the dialogue and make it a two-way conversation about ‘shared assets’.
  4. Get legal counsel involved – your firm may have legal liability if you don’t have specific policies. There can be significant liability if a corporate asset is shared, rented or borrowed, and then used and creates damage. In addition, in some municipalities, the actions may be illegal. The last thing you want is your employees engaging in criminal activities.
  5. Work locations – Jeremiah Owyang noted that many employees may now use or co-use working spots; sometimes with, but often without, corporate IT approval. These may have exposed Wi-Fi networks, just as coffee shops and hotel lobbies do. If this is the case, ensure appropriate security controls are in place.
  6. Tighten the network – but realize that employees with smartphones don’t need the corporate network.
  7. If it moves, put a number and a sensor on it – be it a server, storage array, power supply, monitor, keyboard or anything that moves; ensure it’s tagged, and you have a policy prohibiting users from any non-business use. Let people know the item and their usage is being tracked. One of the mantras of the new economy is access trumps ownership. If they can access it, it doesn’t matter who owns it. The collaborative economy is about harnessing idle capacity. If you have idle items, they will be harnessed.
  8. Review insurance coverage – especially for firms that have vehicles. Let the drivers know that they have no pass, outside of approved use for the vehicles. And if they do violate the policy, they are not covered by the corporate vehicle insurance plan; they are on their own.


The collaborative economy is growing quickly and unless something unexpected happens, it won’t be stopping anytime soon.

As a security professional, keep that in mind.

Ben Rothke CISSP is a Senior eGRC Consultant with Nettitude, Inc. and the author of Computer Security: 20 Things Every Employee Should Know.


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
