One of the most common complaints I hear from information security
executives in large organizations is that they are constantly playing
defense, not offense. Their network security apparatus is designed to
wait for an attack, see if it’s successful and, if it is, to plug the
hole, then repeat.

The topic of Intelligence in this context has been coming up more and
more. The word has been used fairly sloppily by those who would conflate
“threat intelligence” or tactical intelligence with strategic
intelligence. More and more I see companies looking to aggregate
intelligence feeds from a range of sources – brand, phishing and fraud,
malware threats, etc. – but it’s still a very early adopter activity.

Here’s an example of some strategically useful intelligence that your
company is almost certainly gathering, and is almost certainly throwing
away: employee background checks. I wrote here on ThreatPost and on FudSec last
summer about the need to share information across those corporate
“cylinders of excellence” that are the stovepipes of the modern
enterprise. This is a perfect example.

I suggest expanding the current background check regime to include
online social media, not just at hiring but ongoing. And I further
suggest that the employees be compelled to help, by “friending” the
company. I’ll lay out below why it’s legal, it’s not an invasion of
privacy, it’s technically possible, and the rewards can be great.

If we think for a minute about the kinds of employees who might steal
something from your firm to sell it, without resorting to the FUD we
heard last year about how the desperate economy was going to make data
theft a cottage industry of departing workers, we end up with three
profiles, because there is work out there on data theft showing that
three groups are more likely to steal your stuff.

I call them The Three Ds: Debtors. Degenerates. And the Disgruntled.

Fortunately for us, The Three D’s tend to yak it up on online social
media. Unfortunately for you, even if your company is lucky enough to
recognize intelligence about employees who are in The Three Ds, they’ll
almost certainly throw it away. Sure, if it’s about someone applying for
a job, HR will probably spot it and disqualify the person. But once
they’re hired? Fugeddaboudit.

Profiles: The Three D’s
First some information about the Three D’s:

Debtors
If your employee is desperate enough about a debt problem to tell you
about it on a social media site, it’s a problem. In a worst case, it
could result in an employee stealing information to pay gambling debts
or to solve financial problems, like an underwater mortgage or some
cowboy debt collector posting to the MySpace universe how she missed a
couple of Chevy payments. Pressure like that can be devastating, and
cause people to do unexpected things.

That deadbeats are on Facebook and MySpace is a given – it’s obvious
because of the heaps of stories about debt-collectors invading online
social media sites. Credit agencies and credit card companies are
trawling social networks for data mining purposes, too. But online
social media users themselves post about their debt – they write about
it on the walls of others, too.

Degenerates
By ‘degenerate’, I mean those with true compulsions to gamble or view
pornography. Excessive (and by ‘excessive’ I mean when evidence of it
spills into the user’s non-pornographic online social media world) use
of Internet pornography can be indicative of online behavior which can
be objectively said to lead to security breaches. Pornographic content
found on the Internet is more likely than non-pornographic content to
contain malware, and searching for porn is an activity fraught with
peril.

I’m going to take a wild leap and say that those who spend
“excessive” time on Internet gambling sites should be similarly profiled
as potentially able to lose lots of money quickly and therefore be
tempted to steal.

The Disgruntled
There is plenty of evidence to show that employees contemplating a new
job are likely to steal data and information about their current job for
the purposes of making themselves more valuable to a future employer. A
Ponemon study of departing employees found that 59% were stealing
company data, and 79% said they knew it was wrong. Sixty-seven percent
used their former company’s confidential, sensitive or proprietary
information to leverage a new job.

An employee who expresses in posts in more than two online social
media sites a desire to find new employment might be legitimately
considered to be someone seeking a new job. That is an important piece
of intelligence. Or, you know, if the employee registers the domain, ihatemyjob.com. You get the idea.

The Two F’s: Friend and Follow
Getting intelligence on which of your trusted employees is a member of
The Three Ds is much easier if you make corporate policies that make
senior executives provide your firm with access to their online social
media pages as part of their employment contract – they friend you, they allow you to follow them, etc. You need to
be very careful to make the policy very clear, be consistent in
application etc – below I list ten specific action-items about this.

Wasted Data
If you work in any sizeable American corporation, your employer runs
background or credit checks on prospective employees 76% of the time;
45% of employers use online social media sites to research job
candidates, and 25% run ongoing background and credit checks on senior
employees or all employees.

Where’d all that data go? Someone in your shop had it! The answer is
that the data are wasted, discarded. It was probably gathered
at hiring time by HR, and HR is just not very good at disseminating the
intelligence it gains through these searches beyond go/no-go hiring
decisions, and some tick-box compliance stuff that it’s running in the
background. They have work to do, dammit, they don’t need to be
messing with this stuff (in fact, HR resistance to the programs I am
suggesting here will likely be a bigger obstacle than any privacy
concerns).

The point is, checking an employee’s online social media digital
dossier is consistent with long-held American employment standards.
Judges have consistently ruled that employers may require background
information, reference checks, and more personally invasive forms of
character testimony in the form of drug tests, criminal records and
other background investigations by private investigators. This
intelligence is there for the taking. You just need to gather it up and
use it.

What is to be Done

I’ve written a longer blog post about this subject at my company blog,
which links to an academic paper going into the legal and privacy
considerations. But here are ten suggested steps in implementing a
policy in a way that has a chance of working. There’s lots more to be
done, and this assumes senior management buy-in, organizational
integrity and many other things.

  • State That Employees Must “Friend” The Company. Some will use
    aliases, most will comply.
  • Define the Scope. Start with executives only.
  • Explain The Drivers. Tell employees you’re trying to save
    money, and save jobs.
  • Update All Policies. Be meticulous about consistency in
    written policies and especially in enforcement.
  • Create an Online Social Media Policy. Tell people what
    they can and can’t do.
  • Train All Employees. Set them up for success by training
    them in acceptable social media use.
  • Disclose That Corporate Monitoring is Occurring. Don’t
    hide it at all. Remind everyone regularly.
  • Use The Best Technology You Can Afford. Google Alerts are
    fine for course work, but you really need some specialized kit or
    service.
  • Be Specific and Consistent in Search Terms. Ensure that
    you’re never singling anyone out until you have evidence that they might
    be in the Three D’s – and then be consistent in your monitoring of that
    group, too.
  • Monitor and Create Metrics. Define “success” on at least
    ten measurements, of which no more than one is “number of inappropriate
    posts detected.”

* Nick Selby is managing director of Trident Risk Management.  He works with large
end-user organizations and government entities to leverage and combine
existing information security and physical security assets and external
intelligence sources to have a broad, actionable and horizontal view
into information that affects global risk posture.  He previously created and led industry analyst firm The 451 Group’s
Enterprise Security Practice.

Categories: Compliance, Data Breaches

Comments (10)

  1. Calandale

    Legal? Sure. Not enforceable in a valuable way.

    I guess you’d find out which employees were stupid enough to actually utilize the account they friended the company with though, which could be a valuable piece of info.

  2. Anonymous

    “State That Employees Must “Friend” The Company. Some will use aliases, most will comply.”

    Wow. Talk about an invasion of an employee’s privacy. Are you sure this is legal? Even if so, I think it’s incredibly unethical to use the leverage an employer has over its employees to force access to private information they intended to only share with family and friends. While you’re at it, why not just require employees to give the company the passwords to their personal email accounts and access to their bank accounts?

    Desperate employees who lack other options will surely comply, but talented individuals with many options will simply flee to companies that aren’t so oppressive.

    I’m appalled by this recommendation and will advise my peers to avoid doing business with Nick Selby and Trident Risk Management.

  3. Philip

    And then there’s me: no facebook or twitter.  What are you going to do?  Force me to social network? :D

  4. Anonymous

    Uh no. I don’t even friend co-workers unless I have an actual outside-of-work relationship with them. If you really think folks are disgruntled, you might think about what actions the company and/or its upper leadership have taken that would lead to that. Fire people for no good reason? Tell those that are left “next time it could be you…just be sure you’re working ‘hard enough’”? Enact paycuts for “the little people”, but give large bonuses to the top 5 or 6 (who are making a truckload of money already)? Cut benefits for (again) the masses, but save the good package for the execs?

    If a company shows that it doesn’t give two rips about its employees, I fail to see why employees would give extra care to the company.

  5. Will Gragido

    I think that this post hits on some very key points, not the least of which is the illusion of privacy in the 21st Century. Anyone who suffers under this delusion — yes I said delusion, because as soon as you blog, tweet, post, comment or otherwise acknowledge any attribute of your ‘private’ life online you yourself have surrendered your privacy — and neither you nor I have any business being offended by organizations (your employer, your creditors, adoption agencies etc.) taking advantage of that. Having said that, I suggest doing what my father told me: ‘don’t post anything that you’d be embarrassed your mother would read out loud, in church on a Sunday’. It sounds ludicrous, but is it really? I think not. I believe if one desires privacy one must keep the details of their life which they are concerned about truly private.

    The three D’s is a solid example of filtering (no different than if one were to enable a filter which was based on human behavior or attributes in a content security solution), used by many organizations for information analysis, decision making and investigation. Whether you agree with the definitions — or what led to someone being found in a category such as the disgruntled — is difficult to debate. Often times merit has no bearing in these matters; it is simply a case of facts. Having said that, I see this as being an area which enterprises would be wise to use were they truly concerned with ensuring their risk posture.

    Great post, keep them coming!

  6. Anonymous

    What if an employee is fighting AIDS or cancer, and they’re using Facebook to keep friends and family updated on how the battle is going?

    If an employer mandates “friending” the company on Facebook, the employee faces a draconian choice: reveal personal health information they’d rather keep private, or refuse to comply and risk losing their job, along with their health insurance.

    Seriously, this kind of attitude just tarnishes the reputation of the infosec industry.

  7. Anonymous

    My employer (not a media company) is mandating that employees use social media network sites.

    I purposely don’t put my information on these sites because of the privacy issues.

    Is this legal?

  8. Anonymous

    This has got to be one of the most arrogant and stupid ways I have heard on how to “manage” social media. You’re making enemies before you even get started.
