As well as helping to minimise the chances of data theft
and the ensuing bad publicity, information security professionals
have a more proactive role in helping to protect
their organisations in the 21st century, writes Paul Maloney,
managing director of Technology Management and
Consultancy.
This is most apparent in the increased use of
social networking. It has already been reported that teenagers
may become almost unemployable in the future because of their
online profiles, but the most important role of information
security is the analysis and management of an organisation's social
network footprint.
Before you meet someone for the first time, there is an
increasing tendency to Google them and their company. What you discover can
significantly alter how you treat them.
An organisation's
social network footprint comprises not only what the search
engine knows about the company, but also what it knows about the
employees and directors. Taking a forensic analysis approach, the
information security department can search online and create a
profile of the organisation to understand where it is
exposed.
So what kind of information can be discovered through this type
of search? As well as company news and history, there might be
information about employees' personal details, hobbies and social
circles, all useful for social engineering attacks. In the worst case,
the information discovered may include office gossip, personal attacks
on customers or rants about conditions at the company.
This type of search should be carried out in a structured,
controlled and detached way because during the search there is a
chance personal information about individuals may be revealed that
leaves them open to discrimination or ridicule if their office
found out. Some may argue that because the information is on the internet it
is in the public domain, but it is not the organisation's
responsibility to reveal such information to other employees. With
many people sharing the same name, it may be safe to ignore
information that cannot be linked back to the organisation.
Managing your social network footprint relies on
policies, procedures and, most importantly, user training and
guidance. Employees must know what is expected of them when posting
information online, whether on their website, blog or Facebook, and
what impact it could have on both their organisation and
themselves. Disciplinary action should not be the first response
employees see.
A good example of how the internet has changed the way employees
can disseminate information is to compare a Christmas party in 1988
with one now. In 1988, if an employee wanted to send photos to
everyone, they would have to pay for processing. If they had wanted
to let the world know about the indiscretions of a director, they
would have had to convince a newspaper to print the article, and if
they'd wanted to fake a photo of an imagined indiscretion, they
would need some expensive equipment. Now all this can be done from
their home computer in about 15 minutes.
Both existing and former employees have the tools, resources and
time to heavily affect the reputation of an organisation and its
customers in the modern world, and it is the job of information
security to protect that reputation with strong policies, proactive
searching and advice on suitable responses.