Pervasive social networking may herald the future’s most critical insider threat: cyber-chattiness.
Individuals are simply revealing too much about their professional lives online. It might be possible, for example, to cross-reference a Facebook post about a “big project that isn’t looking good” with other posts and piece together sensitive corporate information. And while a single LinkedIn request for a job recommendation reveals only one job seeker, two or more seekers in the same division could reveal company upheaval.
The threat from chatty insiders isn’t new, but a perfect storm might be brewing. Consider the following:
– People are broadcasting more of their lives online than ever before. More than 55 million status updates are posted every day on Facebook alone.
– A new batch of “Open Source Intelligence” tools now exist to help map out people’s lives and relationships.
– The volume of personal and business data online makes it easy for an attacker to personalize phishing attacks and, in some cases, to automate the personalization. Tools and frameworks now exist to gather enough information about you online to custom-craft emails that are very credible.
– Setting policies to stop employees from using these social networking sites at work doesn’t stop them from talking about work when online at home.
We are now starting to see some privacy stretch marks on the social networking bubble. Consider the case of Robert Morgan. Earlier this year Robert, a researcher at Microsoft Corp. (NASDAQ: MSFT), updated his LinkedIn profile with details about his work on Windows 8 and its new 128-bit architecture. The problem was that Microsoft had never publicly acknowledged working on Windows 8 or 9, let alone a 128-bit version of Windows. This was a direct disclosure snafu, made worse by the fact that anyone with an Internet connection could see it.
And we can presume we will see many more incidents like this.
Another component to think about is the permanence of online conversations. A casual corporate disclosure to a friend over cappuccinos may go unnoticed — people eavesdropping around you don’t have any context for the information like who you work for or what your position is. In contrast, there’s likely to be a record of everything you’ve posted on your Facebook wall or Twitter stream which could be mined to find information.
Beyond direct disclosures, companies need to think about the indirect disclosures employees make; puzzle pieces that can be assembled to reveal something very sensitive about a company or group. As we move into 2010 one key question will be how to balance corporate confidentiality with the rapid increase in information sharing through social networks. This is a challenge that cannot fully be addressed through the normal corporate channels of setting policy.
Something as simple as “don’t talk about work online” is nebulous. Does a status update on Facebook saying you’re in Bentonville, Arkansas, cross the line? Most people wouldn’t think so. But if your company is doing business with Wal-Mart, one of the only companies headquartered in Bentonville, that check-in effectively names the customer.
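The kind of correlation described above, as an added example that is not part of the original article: a short Python script takes a handful of constructed employee posts, extracts the weak signals each one carries (a check-in at a town with a single well-known headquarters, a “project isn’t looking good” remark, a LinkedIn recommendation request) and assembles them into findings that no single post reveals. The posts, the town-to-company lookup and the phrase lists are hypothetical; only the Bentonville/Wal-Mart pairing comes from the text.

```python
"""Added example: assembling indirect disclosures from employee posts.

Everything below is constructed for illustration; the posts, the
town-to-company lookup and the phrase lists are hypothetical.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    author: str
    division: str
    platform: str  # "facebook", "linkedin" or "twitter"
    text: str


# Hypothetical lookup of towns where only one or two companies are
# headquartered, so a check-in there effectively names who is being visited.
# The Bentonville/Wal-Mart pairing is the article's own example; Redmond is
# added here for illustration.
HQ_TOWNS = {
    "bentonville, arkansas": ("Wal-Mart",),
    "redmond, washington": ("Microsoft",),
}

# Matches "in Bentonville, Arkansas" and captures the "Town, State" part.
LOCATION_RE = re.compile(r"\bin ([A-Z][A-Za-z.' -]*?, [A-Z][A-Za-z]+)")

# Hypothetical phrases that hint a project is in trouble.
TROUBLE_PHRASES = ("isn't looking good", "not looking good", "behind schedule")


def find_signals(post):
    """Return (kind, detail) pairs for one post.  Each one alone is weak."""
    signals = []
    for match in LOCATION_RE.finditer(post.text):
        companies = HQ_TOWNS.get(match.group(1).lower(), ())
        if 0 < len(companies) <= 2:
            signals.append(("customer_location", ", ".join(companies)))
    low = post.text.lower()
    if "project" in low and any(p in low for p in TROUBLE_PHRASES):
        signals.append(("project_trouble", post.division))
    if post.platform == "linkedin" and "recommendation" in low:
        signals.append(("job_seeker", post.division))
    return signals


def correlate(posts):
    """Assemble per-post signals into findings no single post reveals."""
    by_author = defaultdict(set)            # author -> {(kind, detail)}
    seekers_by_division = defaultdict(set)  # division -> {author}
    for post in posts:
        for kind, detail in find_signals(post):
            by_author[post.author].add((kind, detail))
            if kind == "job_seeker":
                seekers_by_division[detail].add(post.author)

    findings = []
    # A check-in at a customer's HQ plus a "project in trouble" post from the
    # same person names which customer engagement is in trouble.
    for author, sigs in sorted(by_author.items()):
        customers = sorted(d for k, d in sigs if k == "customer_location")
        if customers and any(k == "project_trouble" for k, _ in sigs):
            findings.append(f"{author}: project with {customers[0]} appears to be in trouble")
    # Two or more recommendation requests from one division hint at upheaval.
    for division, authors in sorted(seekers_by_division.items()):
        if len(authors) >= 2:
            findings.append(f"{division}: {len(authors)} people seeking recommendations")
    return findings


# Constructed sample posts (invented people and wording, not real data).
SAMPLE_POSTS = [
    Post("alice", "Retail Solutions", "facebook",
         "Back in Bentonville, Arkansas for the third week running."),
    Post("alice", "Retail Solutions", "facebook",
         "Big project isn't looking good. Long nights ahead."),
    Post("bob", "Retail Solutions", "linkedin",
         "Would anyone be willing to write me a recommendation?"),
    Post("carol", "Retail Solutions", "linkedin",
         "Looking for a recommendation from former colleagues."),
    Post("dave", "Finance", "twitter",
         "Great weekend hiking, back to the grind tomorrow."),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_POSTS):
        print(finding)
```

Run stand-alone it reports that alice’s engagement with Wal-Mart looks troubled and that two people in Retail Solutions are seeking recommendations; none of the five posts says either of those things on its own, which is the point of the aggregation. A real OSINT tool would work the same way with larger lookups and a richer set of signals.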
For some job roles, using social networking sites to blur business and personal information has become a critical success factor. For example, it’s hard to get by in sales without leveraging LinkedIn. This means there is a new responsibility for companies to educate their employees on the risks of overexposure. Most people don’t want to be the cause of a corporate PR disaster. Without understanding the risks though, it’s easy for good people to make bad choices. Just ask Robert Morgan.
Herbert Thompson is program committee chair and advisory board member for the RSA Conference.