As well as helping to minimise the chances of data theft and the ensuing bad publicity, information security professionals have a more proactive role in helping to protect their organisations in the 21st century, writes Paul Maloney, managing director of Technology Management and Consultancy.
This is most apparent in the increased use of social networking. It has already been reported that teenagers may become almost unemployable in the future because of their online profiles, but the most important role of information security is the analysis and management of an organisation's social network footprint.
Before you meet someone for the first time, there is an increasing tendency to Google them and their company. What you discover can significantly alter how you treat them.
An organisation's social network footprint comprises not only what the search engine knows about the company, but also what it knows about the employees and directors. Taking a forensic analysis approach, the information security department can search online and create a profile of the organisation to understand where it is exposed.
So what kind of information can be discovered through this type of search? As well as company news and history, there might be information about employees' personal details, hobbies and social circles, all useful for social engineering attacks. In the worst case, the information discovered may include office gossip, personal attacks on customers or rants about conditions at the company.
This type of search should be carried out in a structured, controlled and detached way, because there is a chance that it will reveal personal information about individuals that would leave them open to discrimination or ridicule if their office found out. It may be argued that anything on the internet is in the public domain, but it is not the organisation's responsibility to reveal such information to other employees. With many people sharing the same name, it may be safe to ignore information that cannot be linked back to the organisation.
Managing your social network footprint relies on policies, procedures and, most importantly, user training and guidance. Employees must know what is expected of them when posting information online, whether on their website, blog or Facebook, and what impact it could have on both their organisation and themselves. Disciplinary action should not be the first response employees see.
A good example of how the internet has changed the way employees can disseminate information is to compare a Christmas party in 1988 with one now. In 1988, if an employee wanted to send photos to everyone, they would have to pay for processing. If they had wanted to let the world know about the indiscretions of a director, they would have had to convince a newspaper to print the article, and if they'd wanted to fake a photo of an imagined indiscretion, they would need some expensive equipment. Now all this can be done from their home computer in about 15 minutes.
Both existing and former employees have the tools, resources and time to heavily affect the reputation of an organisation and its customers in the modern world, and it is the job of information security to protect that reputation with strong policies, proactive searching and advice on suitable responses.