Friending HR: A Rich and Mineable Source of Intelligence

One of the most common complaints I hear from information security
executives in large organizations is that they are constantly playing
defense, not offense. Their network security apparatus is designed to
wait for an attack, see if it’s successful and, if it is, to plug the
hole, then repeat.

The topic of intelligence in this context has been coming up more and
more. The word has been used fairly sloppily by those who would conflate
“threat intelligence” or tactical intelligence with strategic
intelligence. More and more I see companies looking to aggregate
intelligence feeds from a range of sources – brand, phishing and fraud,
malware threats, etc. – but it’s still a very early adopter activity.

Here’s an example of some strategically useful intelligence that your
company is almost certainly gathering, and is almost certainly throwing
away: employee background checks. I wrote here on ThreatPost and on FudSec last
summer about the need to share information across those corporate
“cylinders of excellence” that are the stovepipes of the modern
enterprise. This is a perfect example.

I suggest expanding the current background check regime to include
online social media, not just at hiring but on an ongoing basis. And I
further suggest that employees be compelled to help, by “friending” the
company. I’ll lay out below why: it’s legal, it’s not an invasion of
privacy, it’s technically possible, and the rewards can be great.

If we think for a minute about the kinds of employees who might steal
something from your firm to sell it, without resorting to the FUD we
heard last year about how the desperate economy was going to make data
theft a cottage industry of departing workers, you end up with three
profiles. There is work out there on data theft showing that three
groups are more likely than others to steal your stuff.

I call them The Three Ds: Debtors. Degenerates. And the Disgruntled.

Fortunately for us, The Three D’s tend to yak it up on online social
media. Unfortunately for you, even if your company is lucky enough to
recognize intelligence about employees who are in The Three Ds, it will
almost certainly throw it away. Sure, if it’s about someone applying for
a job, HR will probably spot it and disqualify the person. But once
they’re hired? Fugeddaboudit.

Profiles: The Three D’s
First some information about the Three D’s:

Debtors
If your employee is desperate enough about a debt problem to tell you
about it on a social media site, it’s a problem. In a worst case, it
could result in an employee stealing information to pay gambling debts
or to solve financial problems, like an underwater mortgage or some
cowboy debt collector posting to the MySpace universe how she missed a
couple of Chevy payments. Pressure like that can be devastating, and
cause people to do unexpected things.

That deadbeats are on Facebook and MySpace is a given – it’s obvious
from the heaps of stories about debt collectors invading online social
media sites. Credit agencies and credit card companies are trawling
social networks for data mining purposes, too. But online social media
users themselves post about their debt – and they write about it on the
walls of others, too.

Degenerates
By ‘degenerate’, I mean those with true compulsions to gamble or view
pornography. Excessive use of Internet pornography (and by ‘excessive’
I mean when evidence of it spills into the user’s non-pornographic
online social media world) can be indicative of online behavior which
can objectively be said to lead to security breaches. Pornographic
content found on the Internet is more likely than non-pornographic
content to contain malware, and searching for porn is an activity
fraught with peril.

I’m going to take a wild leap and say that those who spend
“excessive” time on Internet gambling sites should be similarly profiled
as potentially able to lose lots of money quickly and therefore be
tempted to steal.

The Disgruntled
There is plenty of evidence to show that employees contemplating a new
job are likely to steal data and information about their current job for
the purposes of making themselves more valuable to a future employer. A
Ponemon study of departing employees found that 59% were stealing
company data, and 79% said they knew it was wrong. Sixty-seven percent
used their former company’s confidential, sensitive or proprietary
information to leverage a new job.

An employee who expresses, in posts on more than two online social
media sites, a desire to find new employment might legitimately be
considered to be someone seeking a new job. That is an important piece
of intelligence. Or, you know, if the employee registers the domain
ihatemyjob.com. You get the idea.

The Two F’s: Friend and Follow
Getting intelligence on which of your trusted employees is a member of
The Three Ds is much easier if you make corporate policies that require
senior executives to provide your firm with access to their online
social media pages as part of their employment contract – they friend
you, they allow you to follow them, etc. You need to be very careful to
make the policy very clear and to be consistent in applying it – below I
list ten specific action items about this.

Wasted Data
If you work in any sizeable American corporation, your employer runs
background or credit checks on prospective employees 76% of the time;
45% of employers use online social media sites to research job
candidates, and 25% run ongoing background and credit checks on senior
employees or all employees.

Where’d all that data go? Someone in your shop had it! The answer is
that the data are wasted, discarded. It was probably gathered at hiring
time by HR, and HR is just not very good at disseminating the
intelligence it gains through these searches beyond go/no-go hiring
decisions and some tick-box compliance stuff that it runs in the
background. They have work to do, dammit; they don’t need to be messing
with this stuff (in fact, HR resistance to the programs I am suggesting
here will likely be a bigger obstacle than any privacy concerns).

The point is, checking an employee’s online social media digital
dossier is consistent with long-held American employment standards.
Judges have consistently ruled that employers may require background
information, reference checks, and more personally invasive forms of
character testimony in the form of drug tests, criminal records and
other background investigations by private investigators. This
intelligence is there for the taking. You just need to gather it up and
use it.

What is to be Done

I’ve written a longer blog post about this subject at my company blog,
which links to an academic paper going into the legal and privacy
considerations. But here are ten suggested steps in implementing a
policy in a way that has a chance of working. There’s lots more to be
done, and this assumes senior management buy-in, organizational
integrity and many other things.

  • State That Employees Must “Friend” The Company. Some will use
    aliases; most will comply.
  • Define the Scope. Start with executives only.
  • Explain The Drivers. Tell employees you’re trying to save
    money, and save jobs.
  • Update All Policies. Be meticulous about consistency in
    written policies and especially in enforcement.
  • Create an Online Social Media Policy. Tell people what
    they can and can’t do.
  • Train All Employees. Set them up for success by training
    them in acceptable social media use.
  • Disclose That Corporate Monitoring is Occurring. Don’t
    hide it at all. Remind everyone regularly.
  • Use The Best Technology You Can Afford. Google Alerts are
    fine for coarse work, but you really need some specialized kit or
    service.
  • Be Specific and Consistent in Search Terms. Ensure that
    you’re never singling anyone out until you have evidence that they might
    be in the Three D’s – and then be consistent in your monitoring of that
    group, too.
  • Monitor and Create Metrics. Define “success” on at least
    ten measurements, of which no more than one is “number of inappropriate
    posts detected.”
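To make the last three action items concrete, here is a small screening pass written for this article as an added illustration; it is not the author’s tooling, not any vendor’s product, and not meant as the “specialized kit” the list calls for. It applies one fixed list of search terms per profile to every post from every account in the declared scope (nobody is singled out), keeps an audit record of every post it examined, reports metrics that measure the programme rather than just the hit count, and applies the article’s own “more than two sites” rule for the Disgruntled. The accounts, posts and term lists are constructed for the example; real term lists and scope would come from the written policy.

```python
"""
Added example, not from the original article: a consistent, scope-limited
screen over social media posts. Everything below (term lists, accounts,
posts) is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import re

# One fixed term list per "D", applied identically to everyone in scope.
# Constructed; a real programme would version these alongside the policy.
SEARCH_TERMS = {
    "debtor": ["collections", "behind on payments", "repossess", "underwater mortgage"],
    "degenerate": ["lost it all", "all in", "online casino", "sportsbook"],
    "disgruntled": ["hate my job", "looking for a new job", "open to offers", "give notice"],
}


@dataclass
class Post:
    author: str   # employee handle (constructed)
    site: str     # social media site the post came from
    text: str


def normalize(text):
    """Lower-case and collapse whitespace so term matching is uniform."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def match_categories(text):
    """Return the set of categories whose terms appear in the post.
    Word-boundary matching keeps 'all in' from matching 'all inside'."""
    norm = normalize(text)
    hits = set()
    for cat, terms in SEARCH_TERMS.items():
        for term in terms:
            if re.search(r"\b" + re.escape(term) + r"\b", norm):
                hits.add(cat)
                break  # one matching term is enough to flag the category
    return hits


def screen(posts, in_scope):
    """Examine only accounts in the declared scope, with the same terms for
    all of them. Returns an audit log of (author, site, categories) for
    every in-scope post, whether or not it was flagged."""
    log = []
    for p in posts:
        if p.author not in in_scope:
            continue  # out of scope: not examined, not logged
        log.append((p.author, p.site, frozenset(match_categories(p.text))))
    return log


def metrics(log, in_scope):
    """Programme metrics; 'posts_flagged' is deliberately only one of them."""
    observed = {author for author, _, _ in log}
    flagged = [(a, s, c) for a, s, c in log if c]
    by_cat = Counter(cat for _, _, cats in flagged for cat in cats)
    return {
        "accounts_in_scope": len(in_scope),
        "accounts_observed": len(observed),
        "coverage": len(observed) / len(in_scope) if in_scope else 0.0,
        "posts_screened": len(log),
        "posts_flagged": len(flagged),
        "accounts_flagged": len({a for a, _, _ in flagged}),
        "flags_by_category": dict(by_cat),
        "sites_covered": len({s for _, s, _ in log}),
    }


def seeking_new_job(log):
    """The article's rule: job-hunting signals on more than two distinct
    sites make an employee a plausible job-seeker worth consistent follow-up."""
    sites = {}
    for author, site, cats in log:
        if "disgruntled" in cats:
            sites.setdefault(author, set()).add(site)
    return {a for a, s in sites.items() if len(s) > 2}


# Constructed sample data: three executives in scope, one employee who is not.
IN_SCOPE = {"alice", "bob", "carol"}
SAMPLE_POSTS = [
    Post("alice", "facebook", "Great quarter for the team, proud of everyone."),
    Post("alice", "twitter", "Weekend plans: hiking."),
    Post("bob", "facebook", "Collections called again. Behind on payments since March."),
    Post("bob", "myspace", "Lost it all at the online casino last night, going all in tomorrow"),
    Post("carol", "facebook", "Honestly I hate my job. Looking for a new job."),
    Post("carol", "twitter", "Open to offers, DM me."),
    Post("carol", "linkedin", "Planning to give notice soon."),
    Post("dave", "twitter", "I hate my job"),  # out of scope: must not be examined
]

if __name__ == "__main__":
    audit = screen(SAMPLE_POSTS, IN_SCOPE)
    print(metrics(audit, IN_SCOPE))
    print("candidates for consistent follow-up:", seeking_new_job(audit))
```

Two design points matter more than the keyword matching itself: the scope check runs before any content is inspected, so a post from someone outside the declared group is never read, and the audit log records every in-scope post examined, not just the hits, which is what lets you later show that the same terms were applied to everyone and that nobody was singled out.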

* Nick Selby is managing director of Trident Risk Management. He works with large
end-user organizations and government entities to leverage and combine
existing information security and physical security assets and external
intelligence sources to have a broad, actionable and horizontal view
into information that affects global risk posture. He previously created and led industry analyst firm The 451 Group’s
Enterprise Security Practice.
