When employees fire up their company-issued mobile devices at home
or at the airport, they often use the technology for both business
and personal pursuits like
blogging. According to one industry expert, it's a very
dangerous trend.
Such activities illustrate how important it is for companies to
keep close tabs on what their workers are doing on corporate
devices, Don Ulsch, technology risk management director in the
Boston office of Jefferson Wells International, told security
executives during a lunchtime presentation on emerging threats on 9
.
"Many people blog from work and mobile platforms and that's very
bad," he said. "Blogs are one of the bad guys' tools."
He noted there are approximately 100 million blogs across
cyberspace and many of them are used by organised criminal outfits
to push gambling and pornography. When an employee does personal
blogging on a company machine and corporate email account, blog
databases are able to suck in a wealth of email data. Digital
miscreants can then use sophisticated data mining software to scan
the blogs for proprietary information that may be sitting in some
of those stored messages, he said.
"They can analyse millions of messages and use what they find --
trade secrets, for example -- for hostile purposes," he said.
Over time, he said, online thieves can take seemingly
unimportant details from those blog messages and piece them
together in a way that allows them to see the big picture of what a
company may be up to.
Ulsch said companies need to start taking the blogging
phenomenon more seriously from a security perspective, and that a
good starting point is to put a blog restriction policy in
place.
"Employees must be told they can't use work email extensions for
activities like this," he said. "If they have to blog, make them
use an alias email address, communicate the risks and monitor for
compliance."
Ulsch used the recent DuPont case as an example of what can
happen when companies don't pay attention to what their employees
are doing.
In that case,
former DuPont senior chemist Gary Min stole
approximately $400 million worth of information from the company
and attempted to leak it to a third party.
Min joined DuPont in 1995 but began exploring a new job
opportunity in Asia in 2005 with Victrex, a DuPont competitor.
Shortly after opening the dialog with Victrex, Min reportedly
proceeded to download approximately 22,000 abstracts from DuPont's
data library and accessed about 16,700 documents. After Min gave
his notice, DuPont discovered what he was up to and brought in the
FBI. He eventually pleaded guilty to the crime and he is expected
to be sentenced soon. He faces up to a decade in prison and a
$250,000 fine.
"He was doing things DuPont should have seen as red flags, like
downloading 22,000 abstracts and documents from the secure DuPont
database," Ulsch said. "He was doing this 15 to 20 hours at a time.
Had the company better understood the trust but verify concept,
this might not have happened."
Ulsch said the proliferation of mobile technology among
employees is increasing the likelihood that something bad will
happen to the companies they work for. The bad guys are more likely
to exploit employee activities like blogging to get at company
secrets, and more data breaches are likely to result from the loss
or theft of mobile devices.
"You're looking at a greater distribution of targeted
information and there isn't as much monitoring of mobile devices
because it's a lot more difficult than monitoring office-based PCs
and servers," he said. "People are also less likely to observe
company security policies and procedures when they're outside the
office, and it's more difficult for employees to observe risky
behavior among their colleagues when they're not there."