Most companies in the internet age now routinely monitor their employees' IT usage while they are in the office. Who are they e-mailing? How long are they spending on social media? What are they doing on those web pages? These are questions that IT managers should have answers to. The problem, of course, is that as a company grows larger, and the number of employees grows along with it, monitoring becomes difficult and time consuming, and tends rapidly to become an activity conducted ex post, after a major incident, rather than preventatively ex ante. Indeed, monitoring by its very definition can only catch an action after it has happened and allow disciplinary or reparative action to be taken (which is far better than nothing). One need only look at recent high-profile leaks from the US military, arguably one of the most heavily monitored IT systems in the world, to realise the pitfalls inherent in relying purely on monitoring as a security or information-protection method, especially once the number of users reaches a certain level.
Most employers and employees are unaware of how easily an e-mail address can be followed to all of the forum profiles, social media profiles and user names associated with it. Not only are there a huge number of public tools available for this purpose (pipl.com being one example of such an aggregator), there are also many paid-for or proprietary search systems that are far more effective at the task. As people become more and more active on the internet, their concern for privacy seems to have declined as their familiarity with the medium has grown.
The majority of profiles on Facebook, for instance, now display the current employer, location and sometimes even job title (if one is a friend, and in many cases if one is merely a friend of a friend). Even if this information is absent, some common sense and an e-mail check can easily tie most social media pages to a LinkedIn page, and as a result to an employer. This means that your employees (or you, if you are an employee) are in a sense representing their employer every time they post on-line, unless they have taken concrete steps to ensure their anonymity, or, as an employer, you have strict and strong social media policies in place to ensure that employees know the limits of what they can and cannot post with regard to work (or on any site which may reasonably become connected to you as their employer).
Most security breaches or information leaks happen unintentionally, because employees and employers are unaware of the value of the information they are discussing in public, of how easily it can be connected to the company they work for, and of how actively such information is sought by business intelligence firms and competitors' marketing departments (not to mention activists, hackers and criminals). Some simple tips that everyone can follow will greatly mitigate the risk:
If you are an Employee:
- Assume that your boss can see everything that you post on Facebook, Google+, MySpace, etc. That includes the picture of you engaged in illicit activities. Never post anything that you wouldn't want the world to see. Read that over, say it again, and now actually go and fix it if there is any incriminating evidence.
- Never accept a friend request from anyone, at any time, unless you have met them face to face, no matter how pretty or handsome they are, or how nice their profile seems. Corporate intelligence entities and researchers routinely use this technique to gain access to your information, and there is nothing strictly illegal about it provided they don't manifestly lie about who they are (i.e. claim to be a police officer).
- If you are going to post on forums or other pages, create an e-mail address (under a pseudonym that bears no resemblance to your real name) specifically for that forum, and a new username linked to that e-mail address and that forum only, and use it for no other purpose. That way your scathing attack on a competitor's products, or an offhand comment about work, can never be linked back to you or your employer.
- Never post anywhere from a work computer, especially not on a user group or forum. Most of them track and log your IP address (a unique number identifying your access point to the internet), which can be traced back to the client company via any number of IP address lookup services (www.ipaddress.com being one example). More often than not, the lookup returns, along with the ISP, the name of the corporate entity that owns the address. That's right: your boss.
- Remember that if you take your computer home with you, it is still a work computer. Keep your personal information off it. Doing otherwise is risky and, worse, puts your own privacy at issue.
As an employer:
- Educate your staff as to why certain pieces of information are important, confidential and should never be revealed.
- Actively monitor your employees’ use of IT infrastructure.
- Regularly check up on your employees' publicly accessible social media activity. (You do not have to, and should never, ask for their passwords. If you can't see the information without a password, then no one else can either, so there is no risk.)
- Have a robust policy in place as to what is and isn't acceptable.
- Use both carrot and stick! Have disciplinary procedures for breaches, but also rewards for exemplary behaviour or for spotting breaches before it's too late!
- Remember that illegal actions by employees using your IT infrastructure can result in you going to jail or your firm being sued. It happens more and more often and is a huge risk to a small business.
- If in doubt, hire a professional to conduct an open source intelligence audit or policy review.
It's never too late to plug a leak or correct errors, and by following these simple steps the job of your average open source researcher becomes largely impossible, which is exactly how you should want it to be!
Richard Farley works as a digital investigator in London for Atris Aqua. He specialises in employee monitoring through the use of only open source intelligence techniques.