Are your people sharing too much information?
Bas de Graaf looks at the simple steps that organisations can put in place to help people share the right information in the right place.
Take even a cursory look at social media and, amongst the funny cat videos, you will understand how much personal information is shared every day.
But it’s not just the information we share about ourselves that’s available to criminals, it’s also information shared unintentionally by others.
I’ve seen both personal and company information on the internet and in public places, posted by people not thinking about sensitivity, business interests, and privacy. For example, details of a forthcoming office closure and relocation project shared on a public cloud before affected individuals were informed. Or individual’s names, addresses, phone numbers and birthdays shared on noticeboards at football clubs. Or guest lists with names and addresses emailed to large groups.
These are often innocent mistakes. A well-placed desire to share information with a local community. Or challenges getting to grips with a new way of working, such as when to use public or private cloud storage.
What is published on the internet may be there forever, and in the wrong hands this open source intelligence (also known as OSINT) could be used against you in personal or professional situations by organised criminals.
Whilst sometimes this information might simply lead to embarrassing situations, if used by criminals or disgruntled employees, it could lead to more serious consequences. The internet contains massive amounts of data which can be misused for criminal’s business operations. Any information may be of use to an attacker, whether they are looking for a target for kidnapping threats, identity theft or hacking and stealing company information (like trade secrets or acquisition plans). It would not surprise you that there are commercial tools available on the market intended for data reconnaissance, data mining and intelligence gathering activities. These tools help the user to perform the online investigation in the most efficient way. However, if we are able to purchase these tools, so are the criminals.
It might sound melodramatic, but you need to rethink everything you share – is it a good thing for your private life, your position at work, the company you work for - now or in the future.
What can organisations do to prevent this?
There are some simple steps that global enterprises can follow to help prevent data being unintentionally shared:
- Make sure your people know your company’s information security policy, especially around data classification and handling of data.
- Train your people in how to deal with cloud-based services and storage, and to understand what is private and what is not, especially as they move to new services like Office 365.
- Encourage people to think carefully about the purpose of sharing data and consider whether they would like that information shared about themselves.
People are often the biggest security weakness to a business, but training and education can help them become your biggest security asset. Once we understand what the implications can be for us, our company, or the people around us, we all will think carefully in the future about what information we share.
Are you doing enough to secure your business?
People are often the biggest security weakness to a business, but training and education can help them become your biggest security asset.
Bas de Graaf
Head of ethical hacking services