Author: MacDonnell Ulsch
ISBN No: 978-0-89413-62
Review date: 17/12/2025
No of pages: 197
Publisher: Institute of Internal Auditors
Year of publication:
Brief:
MacDonnell Ulsch’s book Threat! is aimed at chief risk and security officers. One chapter covers an uncontrolled form of communication that your enemies can use to acquire sensitive information - blogs. He writes:
Why are blogs a threat? The simplest reason is that many people don’t understand the threat from blogging. A lot of technology is viewed incorrectly as benign. Blogs are entertaining. They are an outlet of frustration, a technology application of expression and opinion. Blogs are a community of one to many and many to many. They are fluid, flexible, and attract bloggers across the electronic frontier, from convicted felon to rabbi and priest, and just about everyone else in between. Blogs fit neatly and seamlessly into the internet generation, those who grew up with the internet and mobile phones, who believe that instant messaging and other electronic communication methods are an inalienable right. These same people are joining the workforce every year and carry with them all the good and bad habits that they may have learned in school. Chances are, as far as most companies are concerned, there are more bad habits than good. There may be more than 100m blogs.
Crime interest
Blogs create enterprise risk unless effective rules are established and adequately and frequently explained to employees. One risk is that no-one really knows where blogs are or even who owns them. Worse, it is not always easy to determine what motive is behind the development of a blog. For example, consider a model in which an organisation employs about 100,000 people. Then consider that about 25 per cent or 25,000 are bloggers. Further, assume that these social butterflies of the internet engage in blogging only twice weekly while at work. That’s about 50,000 blog entries weekly or 2.4m annually, associated with a specific identity such as email @yourcompany.com.
Secrets
Organised crime has an interest in these messages. First, companies and people can be co-opted and then paid to scan the blogosphere and capture any email addresses and available blog entries. Using reasonably sophisticated data analysis software, they can then extract secrets from employees who are not even aware that they are giving away proprietary information to strangers. At risk are: trade secrets, patents, marketing and sales plans and strategy; merger and acquisition information; proprietary processes, packaging and pricing; code, formulas and prototypes.
Invisible risk divide
The invisible risk divide is a gap between technology management and executive management. Technology management, including chief security officers, often fails to convey to executive management the threat of emerging technology and the risks it may impose on the enterprise. The failure to close this divide will ensure that technology-induced risk will remain.
Manage
What can companies do to manage the risk of blogging? Developing active awareness is critical. Here are three policy foundations that companies can select.
1) The increasingly wide use of internet scanning tools designed to mine business intelligence from web logs, also known as blogs, requires a zero-tolerance web log usage policy.
2) Any employee use of web logs must be discretionary and not reveal or disclose any proprietary information. Personal blogging is not allowed. All blogging is subject to monitoring.
3) When an employee believes there is justification in visiting a specific web log, he or she must request permission in writing beforehand, from the appropriate manager and information security manager.
Bottom line
The bottom line on blogging? It serves a purpose. Set up rules and enforce them. As with email, employees need to understand that blogging, when performed on computers and networks owned by the company, becomes the property of the company. The challenge is in getting employees to understand that blogging is not an action of inconsequence. With the correct policies and procedures, blogging can bring value to the organisation. Make sure the blogging experience is for the benefit of both parties – not just a hacker and social engineer intent on laying claim to another victim. The chief security officer should monitor for technology change and evaluate what new technology and applications threaten enterprise integrity. Some security and risk executives deny that blogging exists and believe that their employees do not engage in such behaviour. They are quite likely wrong.