Has Your Boss Told You To Update Firefox Yet?

If you work for a news organization, have you gotten an urgent e-mail from your CISO instructing you to update Firefox?

If not, why not?

If you’re a journalist, and the answer to my first question is “no,” then you need to put your journalistic skills to use and ask your company’s digital / information security team why the heck not?

I surveyed a few journalists informally today; none had any idea that Firefox had discovered a very serious vulnerability, one that is currently being exploited by hackers. I reason that they are busy covering things like impeachment, the presidential race, tensions with Iran, an airline that might have been shot down — stuff like that. They don’t have the mental bandwidth to make daily adjustments to their security posture. But CISOs do.

Another, uncomfortable question arises here.

Should a journalist’s digital security practices be evaluated by managers? I would object strenuously if an editor had suddenly asked to see my phone and see whether I was using a VPN or had accidentally backed up my WhatsApp to the cloud. But the better argument rests on the fact that my digital security routine directly affects the safety posture of my entire news enterprise. If we use Firefox and I update it, and my colleague doesn’t, and some hacker uses her browsing to obtain credentials that tunnel into our shared workspace, then her personal practices very much become a communal concern.

Just how news managers might go about doing this I don’t know. It’s worth thinking through.

NB: I will be writing more about the Annenberg Digital Security Initiative in the coming weeks. Here is a preview.