Blogging on corporate laptops 'security risk'

Employees may think it's no big deal to do some blogging on a company laptop from home or the airport. But one security expert says the practice poses some serious risks.

When employees fire up their company-issued mobile devices at home or at the airport, they often use the technology for both business and personal pursuits like blogging. According to one industry expert, it's a very dangerous trend.

Such activities illustrate how important it is for companies to keep close tabs on what their workers are doing on corporate devices, Don Ulsch, technology risk management director in the Boston office of Jefferson Wells International, told security executives during a lunchtime presentation on emerging threats on 9.

"Many people blog from work and mobile platforms and that's very bad," he said. "Blogs are one of the bad guys' tools."

He noted there are approximately 100 million blogs across cyberspace and many of them are used by organised criminal outfits to push gambling and pornography. When an employee blogs from a company machine using a corporate email account, the blog platform's databases end up holding a wealth of that email data. Digital miscreants can then use sophisticated data mining software to scan the blogs for proprietary information that may be sitting in some of those stored messages, he said.

"They can analyse millions of messages and use what they find -- trade secrets, for example -- for hostile purposes," he said.


Over time, he said, online thieves can take seemingly unimportant details from those blog messages and piece them together in a way that allows them to see the big picture of what a company may be up to.

Ulsch said companies need to start taking the blogging phenomenon more seriously from a security perspective, and that a good starting point is to put a blog restriction policy in place.

"Employees must be told they can't use work email extensions for activities like this," he said. "If they have to blog, make them use an alias email address, communicate the risks and monitor for compliance."

Ulsch used the recent DuPont case as an example of what can happen when companies don't pay attention to what their employees are doing.

In that case, former DuPont senior chemist Gary Min stole approximately $400 million worth of information from the company and attempted to leak it to a third party.

Min joined DuPont in 1995 but began exploring a new job opportunity in Asia in 2005 with Victrex, a DuPont competitor. Shortly after opening a dialogue with Victrex, Min reportedly proceeded to download approximately 22,000 abstracts from DuPont's data library and accessed about 16,700 documents. After Min gave his notice, DuPont discovered what he was up to and brought in the FBI. He eventually pleaded guilty to the crime and is expected to be sentenced soon. He faces up to a decade in prison and a $250,000 fine.

"He was doing things DuPont should have seen as red flags, like downloading 22,000 abstracts and documents from the secure DuPont database," Ulsch said. "He was doing this 15 to 20 hours at a time. Had the company better understood the trust but verify concept, this might not have happened."
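The "red flags" Ulsch describes, a user pulling thousands of documents in a single marathon session, are exactly what a simple "trust but verify" check over repository access logs can surface. The following is an added example written for this page, not code from the article, DuPont or Jefferson Wells. The log format, the user names, the thresholds and the generated sample data are all assumptions constructed for illustration; the detector flags any day on which a user touches ten times more documents than their own historical median (or more than an absolute ceiling), and any continuous session longer than twelve hours.

```python
"""Hypothetical insider-activity detector (added example, not from the article).

Log format (assumed): "<ISO timestamp> <user> <action> <document id>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Thresholds are assumptions for the example, not figures from the article.
BULK_FACTOR = 10                  # flag a day at 10x the user's own median
ABS_DOC_THRESHOLD = 500           # or any day above this absolute count
LONG_SESSION = timedelta(hours=12)
SESSION_GAP = timedelta(minutes=30)  # idle time that ends a session


def build_sample_log():
    """Constructed data: 'alice' and 'bob' behave normally; 'mallory' looks
    normal for nine days and then pulls 2,000 abstracts in one ~17-hour run."""
    lines = []
    base = datetime(2006, 1, 2)
    for day in range(10):
        d = base + timedelta(days=day)
        for user, n in (("alice", 8), ("bob", 12)):
            for i in range(n):
                ts = d + timedelta(hours=9, minutes=i * 40 % 480)
                lines.append(f"{ts.isoformat()} {user} VIEW DOC-{day * 100 + i}")
        if day < 9:
            for i in range(10):
                ts = d + timedelta(hours=10, minutes=i * 30)
                lines.append(f"{ts.isoformat()} mallory VIEW DOC-{day * 100 + i}")
    start = base + timedelta(days=9, hours=6)
    for i in range(2000):                      # one event every 30 seconds
        ts = start + timedelta(seconds=i * 30)
        lines.append(f"{ts.isoformat()} mallory DOWNLOAD ABS-{i}")
    return lines


def parse(line):
    ts, user, action, doc = line.split()
    return datetime.fromisoformat(ts), user, action, doc


def daily_counts(events):
    """Unique documents touched per user per calendar day."""
    counts = defaultdict(lambda: defaultdict(set))
    for ts, user, _, doc in events:
        counts[user][ts.date()].add(doc)
    return {u: {d: len(s) for d, s in days.items()} for u, days in counts.items()}


def longest_sessions(events):
    """Longest run of activity per user with no idle gap of SESSION_GAP or more."""
    per_user = defaultdict(list)
    for ts, user, _, _ in sorted(events):
        per_user[user].append(ts)
    longest = {}
    for user, stamps in per_user.items():
        start = prev = stamps[0]
        best = timedelta(0)
        for ts in stamps[1:]:
            if ts - prev >= SESSION_GAP:       # idle gap closes the session
                best = max(best, prev - start)
                start = ts
            prev = ts
        longest[user] = max(best, prev - start)
    return longest


def find_red_flags(lines):
    """Return (user, rule, detail) tuples for bulk access and marathon sessions."""
    events = [parse(line) for line in lines]
    flags = []
    for user, days in daily_counts(events).items():
        ordered = sorted(days.items())
        for i, (day, n) in enumerate(ordered):
            history = [c for _, c in ordered[:i]]   # only days before this one
            baseline = median(history) if history else None
            if n > ABS_DOC_THRESHOLD or (baseline and n > BULK_FACTOR * baseline):
                flags.append((user, "bulk_access",
                              f"{n} documents on {day}, baseline {baseline}"))
    for user, span in longest_sessions(events).items():
        if span >= LONG_SESSION:
            flags.append((user, "long_session", f"{span} of continuous activity"))
    return flags


if __name__ == "__main__":
    for user, rule, detail in find_red_flags(build_sample_log()):
        print(f"{user}: {rule}: {detail}")
```

The baseline is computed only from days before the one being scored, so a user's own spike cannot raise their median and hide itself; the absolute ceiling catches a first-day dump from a user with no history at all. In a real deployment the same two rules would run over the repository's audit trail rather than generated data.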

Ulsch said the proliferation of mobile technology among employees is increasing the likelihood that something bad will happen to the companies they work for. The bad guys are more likely to exploit employee activities like blogging to get at company secrets, and more data breaches are likely to result from the loss or theft of mobile devices.

"You're looking at a greater distribution of targeted information and there isn't as much monitoring of mobile devices because it's a lot more difficult than monitoring office-based PCs and servers," he said. "People are also less likely to observe company security policies and procedures when they're outside the office, and it's more difficult for employees to observe risky behavior among their colleagues when they're not there."
