When Data Leaves the Roost

Who really owns your business computers and devices and their contents?


It’s hard to escape the push for social networking. TV anchors brag about their Twitter files. Facebook and MySpace are in head-to-head competition to bring in new members. And not only is YouTube all the rage, CNN Headline News now broadcasts YouTube content as “viral video of the day.”

Meanwhile, companies are busy using the Internet and Web 2.0 tools and applications to improve their marketing position and increase sales. (Editor’s note: See the article on Social Media in this issue, page 112.)

Unfortunately, a quiet and stealthy force is taking over business computers and essentially “personalizing” the data on our business machines to the point that serious challenges to ownership of data on these devices are surfacing.

Setting the Stage

Your business provides desktop or laptop computers to your employees for the conduct of their work. You might also issue a smartphone product to help them achieve better efficiency. Along with these costs of doing business comes an expectation that such hardware is for business use only.

Over time, however, some employees might use their computers and smartphones for personal photo and video collection. Many will subscribe to a social networking site like Facebook or LinkedIn and, every few minutes, send out Twitter messages or check blogs and Tweets from their social networking friends and contacts. You can also expect today’s employees to access their personal email from Google, Yahoo, or other webmail sites, quietly bypassing the antivirus filters your company so carefully put in place. Because so many employees must be accessible in off-work hours, it is not unreasonable for them to expect to be able to use one device to access different emails and websites.

Houston, we have a problem!

Welcome to the new workplace, where discipline on the “for business use only” ideal has eroded. Employees place extraordinary pressure on IT managers because they want more freedom to access the Web 2.0 tools and social networking sites. One might even say there is a general sense of entitlement to social networks and personalization of the business computers among workers.

A recent Websense survey of over 1,000 IT managers concluded that “employees are clamoring” for more use of Web 2.0 in the workspace. Ninety-six percent of IT managers feel the pressure, which is coming “not from rogue employees, but rather from business lines and top-level executives.” IT departments struggle to find the right balance between preventing security risks and allowing safe and flexible access.

Why is this a Problem?

A key role of the Information Security professional – and a duty of all employees – is to protect the company’s data. There is also a presumed duty to “do a good day’s work for a good day’s pay.” Unfortunately, the problems described above compromise both security and quality of work. The use of Web 2.0 and the personalization of the business computing environment have a major impact on employee productivity and attention to the tasks at hand.

And consider the security risks. How do you know employees have not leaked sensitive corporate information onto social networking sites, either by bragging about the cool job they have or worse yet, using webmail and a social posting site to maliciously send company secrets? What are the legal consequences for the company? For the employee? Do you prohibit such practice?

A recent Chicago Sun-Times article noted that cybercriminals are increasingly using Twitter to direct users to websites that sell pornography and fake drugs. You don’t even know who is pushing this information to your employees, because anyone can sign up anonymously for a Twitter account. Unfortunately, your anti-virus filter, or even your web filtering software, may not prevent such attacks.

To highlight another technical problem, Websense labs noted that cybercriminals increasingly use domain names that include words like Facebook, MySpace and Twitter, with no official connection to the real sites. They do this to trick unsuspecting visitors to fake Web sites and lure them to input sensitive data.

Facebook and MySpace are perfect locations for viruses and worms to thrive. The Koobface worm, for instance, is a very effective attacker because subscribers think they can trust their friends on these sites and are less suspicious about links and executables – e.g., a link left on the person’s “Wall” that in turn downloads the worm. Koobface installs malware on the affected computer and can lead to personal information being sent to other websites or computers. One article on this threat noted that although Koobface was not the first virus to spread through Facebook, it is the one reputed to have inflicted the most harm. Another critical reality is that you may think an updated antivirus program and current Microsoft security updates will protect you from these threats. THAT IS NOT NECESSARILY TRUE, considering the speed of the cybercrooks and their ability to stay ahead of the security software.

In case you’re wondering why employers don’t simply ban the use of social media on work computers and devices, a major department store has tried. The outcry and indignation from the users was overwhelming for the IT staff – especially from the Marketing department. Ultimately the company removed the block.

A final problem scenario is the ownership of the data on business computers, smartphones and other devices. Consider an employee who is terminated and demands access to their “personal files and photos” on the work computer and smartphone. What are the employee’s rights? And what about the company’s rights? What if an employee’s smartphone needs to be “wiped” or erased for a reimage and the personal files and images are erased? Is the company legally safe from accusations by the employee of destroying personal property? This is yet another serious issue that can arise when companies allow broad, undisciplined and personal use of corporate computing assets.

People, Process and Technology Solutions

The scenarios described above represent only a small part of what is really going on in today’s businesses. Also, not all Web 2.0 activity is malicious or harmful to the enterprise. Businesses should examine their policies for the use of social networking sites, Twitter and personalization of the business computer. Proactive measures can help mitigate the unintended consequences of lenient controls and oversight.

1. Have Rules – Clearly State and Enforce Them

An initial solution to the problems above is a clear, concise and effectively promulgated Appropriate Use Policy and Procedure. Your procedure must specifically define acceptable use of business computers and how they absolutely cannot be used. You need to discuss who owns the data on the device – normally that is the business, not the employee.

When drafting a policy, don’t forget these essentials:

  • Have the employee/contractor sign for receipt of the document. This may be useful later on, during any protests regarding ownership of the information.
  • Include a provision that all data on the enterprise devices is the property of the business and that such data is subject to review, assessment, oversight, etc. by the business.
  • Prohibit bypass of web security policies by users.
  • Spell out the consequences for any violations of the policy, up to and including termination.

Educate all employees on the workplace expectations for use (or non-use) of social networking sites and “tools” such as Twitter. Also, put in place a “de minimis” policy that allows for some minor personal use of company computers.

2. Monitor

Using web monitoring tools, observe what your employees are doing. The aim is not so much to spy on their activities as to understand how much they use social media. You want some objective idea of the productivity, security and risk impacts. Also, by observing these practices you can best identify the players – usually a minority group – causing challenges across the whole company.

You might also pick up a few useful tips. If you see users accessing a popular tool or service by bypassing web security policies, that knowledge might allow you to better tune your technical tools and Appropriate Use procedures. You might also discover a new tool that could benefit the company’s marketing campaigns.
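The monitoring described in this step, and the look-alike domain names noted earlier (names containing Facebook, MySpace or Twitter with no connection to the real sites), can both be checked from ordinary web-proxy logs. The following is an added example, not code from the article or from any product it mentions: it parses a few constructed log lines in a hypothetical three-field format (timestamp, username, requested host), tallies requests to the genuine social sites per user, and flags hosts that carry a brand name but are not the brand’s own domain. The list of “official” domains and the two-label registrable-domain rule are assumptions made for the example.

```python
"""Added example: summarize constructed web-proxy log lines per user and flag
look-alike domains that carry a social-network brand name but are not the
real site. The log format and domain lists are assumptions, not a product's."""
from collections import Counter
from typing import List, NamedTuple, Tuple

# Constructed sample log lines; the three-field layout is a hypothetical
# proxy export: timestamp, username, requested host.
SAMPLE_LOG = """\
2009-06-01T09:02:11 alice www.facebook.com
2009-06-01T09:03:40 alice twitter.com
2009-06-01T09:05:02 bob facebook-login-secure.example
2009-06-01T09:06:17 carol mail.google.com
2009-06-01T09:07:55 bob www.myspace.com
2009-06-01T09:09:30 alice twitter.com
2009-06-01T09:12:03 dave twitter-update.example
2009-06-01T09:13:48 carol intranet.corp.example
"""

BRANDS = ("facebook", "myspace", "twitter")
# Registrable domains treated as the genuine sites (assumption for this example).
OFFICIAL_SOCIAL = {"facebook.com", "myspace.com", "twitter.com"}


class Request(NamedTuple):
    timestamp: str
    user: str
    host: str


def parse_log(text: str) -> List[Request]:
    """Parse whitespace-separated lines; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append(Request(parts[0], parts[1], parts[2].lower().rstrip(".")))
    return records


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-label
    public suffixes such as co.uk, which a real filter would handle."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_lookalike(host: str) -> bool:
    """True when a brand name appears anywhere in the host name but the
    registrable domain is not the brand's own domain."""
    if registrable_domain(host) in OFFICIAL_SOCIAL:
        return False
    return any(brand in host for brand in BRANDS)


def social_requests_by_user(records: List[Request]) -> Counter:
    """Count requests to the genuine social sites, per user."""
    counts: Counter = Counter()
    for r in records:
        if registrable_domain(r.host) in OFFICIAL_SOCIAL:
            counts[r.user] += 1
    return counts


def lookalike_requests(records: List[Request]) -> List[Tuple[str, str]]:
    """(user, host) pairs worth reviewing, or adding to the web filter's block list."""
    return [(r.user, r.host) for r in records if is_lookalike(r.host)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, n in social_requests_by_user(recs).most_common():
        print(f"{user}: {n} requests to social-network sites")
    for user, host in lookalike_requests(recs):
        print(f"review: {user} requested look-alike host {host}")
```

Run against a real proxy export, the per-user tally gives the objective picture of social-media use this step asks for, and the look-alike list is the kind of finding that feeds directly into the web filter and the Appropriate Use procedure.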

3. Consider Blocking Access

If your business holds particularly sensitive, proprietary information that may not be protected by trademark or copyright, recognize that unrestricted use of social networking tools may be a major leakage path for your company. Ask yourself whether allowing users to access their Facebook or MySpace page or their webmail is worth the loss of key company data. If the answer is no, blocking the access using web filtering tools and firewall settings may be your best defense – but be prepared for employee backlash.

4. Check for Outflow of Company Information

Observe the information being posted on Facebook, MySpace, Twitter, etc. about your company. Take action if sensitive information is posted, even for a minor event.

Conclusion

Social networking tools and websites are here to stay. You need to understand the current and potential impact on your company’s data, reputation, and legal position. Know the risks, but realize also that your company’s marketing and sales strategies may rely on these tools and sites. Strike a balance, but take a firm stance on protecting your business data.


About the Author
Ernie Hayden, Principal, 443 Security Consulting LLC, is an experienced information security professional working in the Seattle area. Ernie has broad experience as an Information Security Officer for several large critical infrastructure organizations. He can be contacted at 443consulting@gmail.com.