SLAC Computer Security
Cyber Security Awareness Month
These tips are part of a month-long effort to distribute useful computer security information to the SLAC community.
- Day 30 - Blogging and Social Networking
Comments from one of the Internet Storm Center handlers:
Yesterday we talked about the "insider threat". Blogging and Social Networking can be seen as a variation of this issue. But unlike the clandestine (and intentional) activities performed by a malicious insider, the threatening actions from blogging and social networking are usually unintentional and frequently well intended.
So how do you (or your organization) deal with this threat? Do you review your employees' blogs for proprietary information? This may be an area where user education will actually work. However, it is also an area where the lines between a person's professional and personal life blur. What about the reputation of a company? Would it be affected by a well-known employee of the company voicing radical political views in his personal blog?
The threat from social networking is similar. By mixing personal and professional contacts in your social network, you allow for "data leaks". Another issue is that with social networking, terminated employees retain access to customer and collaborator contact information.
Comments from another Internet Storm Center handler:
I will not even try to kid you, I don't like the rooms that the kids are hanging out in. I work very hard to discourage them from hanging out in some of these places. Unfortunately it is not easy. Many of these rooms contain numerous dangers, not the least of which is sexual predators. We all know what a danger these can be for kids. And if that is not enough to worry you, let's see if this does.
A few weeks ago we had some computers at our stores that had been infected. Now all of our stores had AV software installed and running. During my monthly audit I discovered that we had some PCs that the AV had been disabled on and they were laden with bad things, not the least of which was a worm. As I began the job of cleaning these up and getting the AV going again, I discovered that the common thread was that all of the infected machines had accessed one popular social networking site (not one page... the site).
Upon further investigation I discovered that the machines also contained a keylogger. Customer data as well as company data may have been at risk. Luckily we caught it before damage was done; however, it could have been a big problem. I explained to management the dangers of the sites that the folks were visiting and we put a dollar value to the amount of time it took me to clean up the problem by formatting and reloading all of the computers. We also took a look at the potential loss of revenue if a breach had occurred and we had compromised valuable customer data. What about the possibility of a lawsuit? What about the loss of goodwill, faith in our service and our company?
We have now put in web filtering and we no longer allow access to certain sites and types of sites. For instance, music or video download. What the employee does at home in their own time, I can't control. What happens in one of our facilities, I can.
The important thing is to talk to your employees, explain to them why you do what you do. When they realize the cost, they are more likely to cooperate. When they realize that a breach can result in a significant loss of revenue, which equates to less money for raises and bonuses, and they see that it does affect their bottom line, they don't complain, or at least complain silently.
Educating your users about the dangers on the Internet can go a long way in impacting your bottom line.
Owner: SLAC Computer Security