Information isn't just leaking, it's being broadcast over Web 2.0 media by a workforce prone to over-sharing. Deb Radcliff reports on the challenge organisations face in keeping sensitive data within their control.
After learning that its SecurID authentication product had been accessed by outsiders, security vendor RSA blocked certain social media traffic for several months in 2011 as investigators tracked the origin back to an email. Information gathered to target the recipient was provided freely over social networking sites – what Branden Williams, RSA's CTO of marketing, calls “big data mining” by organised bad guys.
“When I look to where the workforce is beaconing sensitive information to criminals and malware, I look to places like Twitter and LinkedIn,” says Williams. “We're living in a world where our entire emerging workforce has grown up online and has been engineered to over-share. Big data miners have taken notice.”
Not only are employees (current and former), partners and contractors submitting information that can be used in targeted attacks, they are also spreading product and other intellectual property (IP), such as their résumés, in blogs and email, and over Skype, instant and SMS messaging, through misconfigured systems, even search engines, say experts.
Unfortunately, data governance and protections are lacking across most of these channels and media. According to an October 2011 survey conducted in the US by the Association of Image and Information Management (AIIM), 65 per cent of respondents who had Web 2.0 collaborative environments lacked such controls.
“It used to be that all forms of public communication had to go through sign-off,” says Doug Miles, director of market intelligence at AIIM. “Social media, on the other hand, is all about openness and sharing. With one click, the user bypasses all the old controls of brand management, public relations and other approvals, and they're posting who knows what about their organisations.”
Most professionals assigned blogging, Twitter and other communications duties on behalf of their companies go through these checkpoints. Like Williams, they also attend brand/data protection and security training. Since the SecurID breach, RSA has strengthened the social media components of its information security training.
Policy should help employees recognise and protect sensitive information, which often varies depending on the medium, Williams says. For example, it might not even be one's own employees committing a violation. Maybe a partner announces a new agreement and releases details that are sensitive on its own site. So what partners can or cannot disseminate must be spelled out in contractual agreements.
Unprotected communications could also mean broadcasting mistakes that impact the business, spawning a PR problem or even a lawsuit. There have been cases where published mistakes have changed the value of a company's shares, says Cathy Hotka, whose business Hotka and Associates advises retail CIOs on social marketing and privacy issues.
In the retail sector, most corporations take a centralised approach to controlling their communications over Web 2.0 media, Hotka says.
“Most retailers would rather keep one unified online presence managed by the corporation, rather than letting their individual stores have their own web presence,” she says. “However, retailers are now looking at employee-owned devices to reach out directly to local customers for specials and follow-ups, which could become beacon points.”
No matter how good the policy or contract, personal devices and their connections to web applications are outside the direct control of employers, which is why so many organisations have not even completed the policy stage, let alone the education process, Miles says. However, even when a solid usage policy does exist, it is only as effective as the staff's willingness to follow it, he adds.
This is especially true with the young, emerging workforce, according to the ‘Cisco Connected World Technology Report’, released in December 2011, which surveyed more than 2,800 young workers and college students in 14 countries.
Of those respondents who were employed, 70 per cent said they regularly bypassed IT policy. They either thought they weren't doing anything wrong or believed they couldn't get their job done without accessing personal resources. The majority (61 per cent) also felt that their mobile phone company or IT department was responsible for securing data downloaded to their devices.
“This survey shows the shift in user belief surrounding their right to choose their own devices, their interconnectedness, and their more open views on privacy,” says Mary Landesman, senior security researcher at Cisco. “Unfortunately, it also shows the complex issues organisations are facing with sensitive data management.”
As in the case of RSA, organisations can shut down access to social networks. RSA later restored this access, but only for use via employees' own personal devices. For those wanting access to email and other sanctioned applications on their devices, RSA engineered a dynamic virtual desktop infrastructure (VDI) using VMware View so users could get to specified apps, but not transfer any data to or from their devices in the process.
Of those organisations trying to facilitate a bring-your-own-device culture, many are turning to network access control (NAC) to handle guest access from controlled devices, which can be set up in locations identified for personal use. Like the protected internal network, the guest network can be monitored for data flows indicative of IP or personal data moving onto devices or out of the organisation.
Enhanced NAC tools can also be used to scan the security state of the device attempting access: is it configured properly; does it contain a beaconing application, such as malware or file sharing? “Monitor for data leakage at the network [outbound] point using any combination of network and agent technologies,” advises Williams.
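Williams' advice to watch the outbound point for data leakage is the kind of check a guest-network proxy log can support directly. The following is an added example, not code from the article or from RSA or any vendor it names: it parses a small set of constructed proxy log lines, flags single large POST uploads to a hypothetical watch-list of social and file-sharing domains, and totals the bytes each guest client has sent to those domains. The log format, domain names and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of outbound proxy log lines (not taken from the article).
# Fields: timestamp client_ip method host path status bytes_sent
SAMPLE_PROXY_LOG = """\
2012-02-01T09:14:02 10.20.5.17 GET www.example-social.test /feed 200 512
2012-02-01T09:15:40 10.20.5.17 POST upload.example-social.test /media 200 8400000
2012-02-01T09:16:11 10.20.5.22 POST www.example-fileshare.test /put 200 12000000
2012-02-01T09:17:03 10.20.5.31 GET intranet.corp.test /wiki 200 2048
2012-02-01T09:18:55 10.20.5.17 POST upload.example-social.test /media 200 300
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

# Hypothetical watch-list of destination domains for the guest network
# (reserved .test names; a real deployment would use its own list).
WATCHED_SUFFIXES = ("example-social.test", "example-fileshare.test")
UPLOAD_THRESHOLD = 1_000_000  # bytes in a single POST before we flag it


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, host, path, status, sent = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "host": host,
            "path": path, "status": int(status), "bytes": int(sent)}


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def flag_uploads(log_text, threshold=UPLOAD_THRESHOLD):
    """Return records where a client pushed more than threshold bytes to a watched domain."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and is_watched(rec["host"]) and rec["bytes"] > threshold:
            flagged.append(rec)
    return flagged


def bytes_per_client(log_text):
    """Total bytes each client sent to watched domains (any method), for trend review."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_watched(rec["host"]):
            totals[rec["ip"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for rec in flag_uploads(SAMPLE_PROXY_LOG):
        print(f"{rec['ts']} {rec['ip']} -> {rec['host']} sent {rec['bytes']} bytes")
    for ip, total in sorted(bytes_per_client(SAMPLE_PROXY_LOG).items()):
        print(f"{ip}: {total} bytes to watched domains")
```

The per-client totals matter as much as the single-event flag: a user who trickles a document out in many small posts never crosses the one-shot threshold, so both views belong in the follow-up records the article goes on to describe.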
By logging in, employees are also registering their feeds through the organisation, which then provides critical records for follow-up on policy, says Thomas Logan, CTO of HiSoftware, which provides software and services for collaborative data environments.
Logan also recommends using web crawlers and keywords to search for abuses of policy across web channels. Brand recognition software can do some of this, but much of the search involves good, old-fashioned keyword searches, according to experts.
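The "good, old-fashioned keyword search" Logan describes amounts to running a watch-list over whatever a crawler has collected from public channels. As an added example, not code from the article or from HiSoftware, the block below scans a constructed set of public posts for three kinds of sensitive indicator: internal project code names, internal host names under a corporate DNS suffix, and corporate email addresses. The company name, code names, domain suffixes and post contents are all invented for illustration.

```python
import re

# Constructed sample of public posts gathered by a crawler (not from the article).
SAMPLE_POSTS = [
    {"source": "microblog", "author": "alice",
     "text": "Great week at ACME, Project Falcon ships in Q3!"},
    {"source": "resume-site", "author": "bob",
     "text": "Administered srv-db01.corp.acme.test and the payroll cluster."},
    {"source": "blog", "author": "carol",
     "text": "Loved the conference, see you next year."},
    {"source": "microblog", "author": "dave",
     "text": "Reach me at dave@acme.test for the new partner deal terms."},
]

# Hypothetical watch-list: internal code names, internal DNS suffix, corporate mail domain.
CODENAMES = ["Project Falcon", "payroll cluster"]
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+\.corp\.acme\.test\b", re.IGNORECASE)
CORP_EMAIL_RE = re.compile(r"\b[\w.+-]+@acme\.test\b", re.IGNORECASE)


def scan_text(text):
    """Return (category, matched_value) pairs found in one piece of text."""
    hits = []
    lowered = text.lower()
    for name in CODENAMES:
        if name.lower() in lowered:          # case-insensitive keyword match
            hits.append(("codename", name))
    for m in INTERNAL_HOST_RE.finditer(text):
        hits.append(("internal_host", m.group(0)))
    for m in CORP_EMAIL_RE.finditer(text):
        hits.append(("corp_email", m.group(0)))
    return hits


def scan_posts(posts):
    """Run the watch-list over every post; keep only posts with at least one hit."""
    findings = []
    for post in posts:
        hits = scan_text(post["text"])
        if hits:
            findings.append({"source": post["source"], "author": post["author"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"{f['source']}/{f['author']}: {f['hits']}")
```

In practice the watch-list is the hard part: it has to be maintained by the people who know which names are sensitive, and a hit is a prompt for a human review against policy rather than an automatic verdict.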
“Sensitive data should not be put into unmonitored, collaborative Web 2.0 environments in the first place,” Logan says. Access should be based on ‘need to know’, and sensitive data should be encrypted, he adds. “Once data is published somewhere on the web, it's hard to redact,” AIIM's Miles warns.
This article originally appeared in the US edition of SC Magazine.