After learning its SecurID authentication product had been accessed by outsiders, security vendor RSA shut down certain social media traffic for several months in 2011 as investigators tracked the origin back to an email.
Information gathered to target the recipient was provided freely over social networking sites, what Branden Williams, RSA's CTO of marketing, calls “big data mining” by organized bad guys.
“When I look to where the workforce is beaconing sensitive information to criminals and malware, I look to places like Twitter and LinkedIn,” says Williams.
“We're living in a world where our entire emerging workforce has grown up online and has been engineered to overshare. Big data miners have taken notice.”
Not only are employees (current and former), partners and contractors beaconing information that can be used in targeted attacks, they also spread product and other intellectual property (IP) over these and many other mediums, such as their online résumés, in blogs, email, Skype, instant and SMS messaging, through misconfigured systems, even search engines, say experts.
Unfortunately, data governance and protections are lacking across most of these channels and mediums. According to an October 2011 survey conducted by the Association of Image and Information Management (AIIM), 65 percent of respondents who had Web 2.0 collaborative environments lacked such controls.
“It used to be that all forms of public communication had to go through sign-off,” says Doug Miles, director of market intelligence for AIIM.
“Social media, on the other hand, is all about openness and sharing. With one click, the user bypasses all the old controls of brand management, public relations and other approvals, and they're posting who knows what about their organizations.”
Most professionals assigned to blog, tweet or otherwise communicate on behalf of their companies go through these checkpoints. Like Williams, they also attend brand/data protection and security training.
Since the SecurID breach, RSA has strengthened the social media components in every employee's information security training.
Policy should help employees recognize and protect sensitive information, which often varies depending on the medium, Williams says.
For example, it might not even be one's own employees committing a violation. Maybe a partner announces a new agreement and releases details that are sensitive on its own site. So what partners can or cannot disseminate must be spelled out in contractual agreements.
Unprotected communications could also mean broadcasting mistakes that impact the business, spawning a PR disaster or even a lawsuit.
There have been cases where published mistakes have changed the value of a stock price, says Cathy Hotka, whose business, Hotka and Associates, advises large retail CIOs on social marketing and privacy issues.
In the retail sector, most corporations take a centralized approach to controlling their communications over Web 2.0 mediums, Hotka says.
“Most retailers would rather keep one unified online presence managed by the corporation, rather than letting their individual stores have their own web presence,” Hotka says.
“However, retailers are now looking at employee-owned devices to outreach directly to local customers for specials and follow-up, which could become beacon points.”
No matter how good the policy or contract, personal devices and the web applications they connect to are outside the employer's direct control, which is why so many organizations are not even through the policy stage, let alone the education process, Miles says.
However, even when a solid use policy does exist, it is only as effective as the staff's willingness to follow it, he adds.
This is especially true with the young, emerging workforce, according to the “Cisco Connected World Technology Report,” released in December, which surveyed more than 2,800 young workers and college students in 14 countries.
Of those respondents who were employed, seven of every ten went around IT policy with troubling regularity. They either thought they weren't doing anything wrong or believed they couldn't get their job done without accessing personal resources.
The majority (61 percent) also felt that their carriers or IT departments were responsible for securing data downloaded to their devices.
“This survey shows the shift in user belief surrounding their right to choose their own devices, their interconnectedness, and their more open views on privacy,” says Mary Landesman, senior security researcher for Cisco.
“Unfortunately, it also shows the complex issues organizations are facing in terms of their sensitive data management.”
As in the case of RSA, organizations can shut down access to social networks. RSA later restored this access, but only for use over employees' own personal devices.
For those wanting access to email and other sanctioned applications on their devices, RSA engineered a dynamic virtual desktop infrastructure (VDI) using VMware View so users could get to specified apps from their devices, but not actually transfer any data to or from their devices in the process.
Of those organizations trying to facilitate bring-your-own-device (BYOD) in their workplace, many are turning to network access control (NAC) to handle guest access from controlled devices, which can be set up in locations identified for personal use.
Like the protected internal network, the guest network can be monitored for data flows indicative of IP or personal data moving onto devices or out of the organization.
Enhanced NAC tools can also be used to scan the security state of the device attempting access: Is it configured properly? Does it contain a beaconing application, such as malware or file sharing?
“Monitor for data leakage at the network egress [outbound] point using any combination of network and agent technologies,” says RSA's Williams.
By logging in, employees are also registering their feeds through the organization, which then provides critical records for follow-up on policy, says Thomas Logan, CTO of HiSoftware, which provides software and services around collaborative data environments.
Logan also recommends using web crawlers and keywords to search for abuses of policy across web mediums.
Brand recognition software can do some of this, but much of the search involves good old-fashioned keyword searches on behalf of the organization, according to experts.
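One way to implement the egress keyword monitoring Williams and Logan describe, as an added example that is not from the article or from any vendor named in it. It assumes a simple one-line-per-request proxy log format and uses constructed sample lines, a constructed watch list of collaborative/social domains and constructed sensitive terms (classification labels and a project code name).

```python
import re
from urllib.parse import urlparse

# Constructed sample of outbound proxy log lines: method, URL, user, request body excerpt.
# These are invented for the example, not real traffic.
SAMPLE_LOG = """\
POST https://twitter.com/compose alice Lunch was great today
POST https://www.linkedin.com/posts bob Excited to join the Project Falcon team at Acme building our next token
POST https://pastebin.com/post carol internal: CONFIDENTIAL roadmap draft for Q3, do not distribute
GET https://www.linkedin.com/feed dave -
POST https://mail.example.com/send erin Meeting moved to 3pm, see the secretary for the room
"""

# Assumed policy: these domains are unmonitored collaborative channels that must not carry sensitive data.
WATCHED_DOMAINS = {"twitter.com", "linkedin.com", "pastebin.com"}
# Assumed sensitive vocabulary: classification labels plus an internal project code name.
SENSITIVE_TERMS = ["confidential", "project falcon", "secret"]
# Whole-word, case-insensitive matching so "secret" does not fire on "secretary".
TERM_PATTERNS = [(t, re.compile(r"\b" + re.escape(t) + r"\b", re.IGNORECASE)) for t in SENSITIVE_TERMS]

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<user>\S+) (?P<body>.*)$")


def is_watched(host):
    """True if host is a watched domain or any subdomain of one (e.g. www.linkedin.com)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def scan_log(text):
    """Return one finding per outbound POST to a watched domain whose body contains a sensitive term."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":  # only data leaving the organization is of interest
            continue
        host = urlparse(m["url"]).hostname or ""
        if not is_watched(host):
            continue
        hits = [term for term, pat in TERM_PATTERNS if pat.search(m["body"])]
        if hits:
            findings.append({"user": m["user"], "host": host, "terms": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['user']} posted {f['terms']} to {f['host']}")
```

In a real deployment the same matcher would run over full request bodies from the egress proxy and over results returned by the web crawl Logan recommends, so that both outbound posts and already-published content are checked against the same term list.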
“Sensitive data should not be put into unmonitored, collaborative Web 2.0 environments in the first place,” Logan says.
Access should be based on need to know, and sensitive data should be encrypted, he adds. “Once data is published somewhere on the web, it's hard to redact,” AIIM's Miles says.