Hello, good evening, and welcome…
Not to the (ISC)² blog, of course, which has been here for quite a few months now, but to my own tiny corner of it. Not that I’m particularly new to blogging: in fact, I’m one of the fortunate few who not only get to hold forth on their current obsessions on their own blog pages or in the company of others who share their interests, but are also paid to blog on behalf of their employer (though they do expect me to do quite a few other things, too!) And there are a couple of key concepts there: “obsession” and “paid to blog.”
Many people get into blogging because they have passionate opinions about something, whether it’s a political issue, a shared professional interest, or simply a firm conviction that they can write well enough to interest other people in whatever topic happens to interest them. And there’s nothing wrong with that. There’s a lot that’s wrong with the online world, but it’s exciting to see people with something to say, but who would have had little chance of being published when the media were controlled almost entirely by vested interests, gaining access to an audience. Sometimes, though, the process is just too easy. If blogging is in your contract, that brings a whole load of other contractual baggage: even if it’s not stated explicitly, it’s assumed that you will behave responsibly towards your employer. That contract makes you in some sense one of their representatives in the blogosphere, and if what you say or how you say it brings them into disrepute, the chances are that there will be consequences.
Is it different for other people? Not really. Blogging (like most mailing lists and newsgroups, among other forms of online communication) is permanent. Once you click on “publish” (or “send”), your words take on a life of their own. You can change them, but not everywhere they’ve been replicated, and they can come back to haunt you. People have lost jobs through an ill-considered email, an inappropriate posting, or an indiscreet mention of work issues on a blog (you’ve probably heard of “doocing”).
But is this really a security issue? Actually, yes. A survey by Proofpoint makes the interesting point that blog and message board misuse has led to disciplinary action in 11% of surveyed firms. Exposure of financial information is specifically mentioned, but is anyone going to assume that there’s no scope for the inappropriate disclosure of other sensitive data? I didn’t think so…
Of course, it’s common sense that you don’t talk to strangers about aspects of your job, workplace, colleagues etc. that shouldn’t be made public. But if sense were that common, social engineering would be largely ineffective and a lot of security professionals would be out of a job. So while it makes sense to track these things, it makes even more sense to set policies and guidelines proactively and to ensure that all staff are aware of their responsibilities.