Information isn't just leaking, it's being broadcast over Web 2.0 mediums, reports Deb Radcliff.
After learning its SecurID authentication product had been accessed by outsiders, security vendor RSA shut down certain social media traffic for several months in 2011 as investigators tracked the origin back to an email. Information gathered to target the recipient was provided freely over social networking sites, what Branden Williams, RSA's CTO of marketing, calls “big data mining” by organized bad guys.
“When I look to where the workforce is beaconing sensitive information to criminals and malware, I look to places like Twitter and LinkedIn,” says Williams. “We're living in a world where our entire emerging workforce has grown up online and has been engineered to overshare. Big data miners have taken notice.”
Not only are employees (current and former), partners and contractors beaconing information that can be used in targeted attacks, they also spread product and other intellectual property (IP) over these and many other mediums, such as their online résumés, in blogs, email, Skype, instant and SMS messaging, through misconfigured systems, even search engines, say experts.
Unfortunately, data governance and protections are lacking across most of these channels and mediums. According to an October 2011 survey conducted by the Association of Image and Information Management (AIIM), 65 percent of respondents who had Web 2.0 collaborative environments lacked such controls.
“It used to be that all forms of public communication had to go through sign-off,” says Doug Miles, director of market intelligence for AIIM. “Social media, on the other hand, is all about openness and sharing. With one click, the user bypasses all the old controls of brand management, public relations and other approvals, and they're posting who knows what about their organizations.”
Most professionals assigned blogging, Twitter and other communications on behalf of their companies usually go through these checkpoints. Like Williams, they also attend brand/data protection and security training. Since the SecurID breach, RSA has strengthened the social media components in every employee's information security training.