Article originally published by Evaluation Centre / Conspectus, Summer 2008
Steve Nimmons warns of the hidden threat to corporate privacy and online reputation lurking within Web 2.0.
The Social Engineering Problem
I recall (approximately eight years ago) reading an interesting poster on social engineering at a well-known electronics company in California. This wall-chart communicated sensible advice for dealing with unsolicited phone calls, ‘chance’ conversations and the importance of discretion when discussing corporate matters on planes, trains and automobiles.
Topics such as tail gating, the ‘risk of gallantry’, the social and psychological tricks used by experienced practitioners to project ‘belonging’, the need for discretion and vigilance in public spaces and of course ‘clear desk policies’ were explained in concise, relevant and accessible language.
In this way, workforces across this and other enterprises were equipped to deal with the primary aspects of corporate social manipulation. Using in-house and industry standards, they shared the wisdom of primary threats, expected behaviours and above all encouraged staff training and awareness.
I visited many technology start-ups during this time. Their social engineering concerns centred mainly on leakage of financial data and intellectual property. With looming IPOs (initial public offerings) these companies had a lot to lose; the wrong information entering the market at the wrong time could potentially damage earnings.
Intellectual property was naturally their core competitive differentiator and was suitably protected, including legally through patents and non-disclosure agreements. It was clear what they feared, why they feared it and that they were being proactive in terms of minimising their overall exposure to risk. Their perimeter defences, with clear corporate boundaries and technological barriers, tamed Web 1.0.
Online Reputation Management – The Problem Develops
Fast-forward eight years to the introduction and exponential uptake of Web 2.0 and it is fascinating (indeed crucial) to explore the need for similar protection and advice today. The Web 2.0 revolution essentially involves the removal of technological barriers to content publication. Blogs, wikis, forums, social bookmarking and social networks are just some of the means by which individuals can share and debate views (single click, no safety catch). This introduces new online reputation management problems, greater corporate risk and a new need for more monitoring.
As we have discovered (or perhaps suffered) in the past few years, the web provides ideal conditions for libel, defamation (perhaps creating internal conflict or damaging partner relationships), careless divulgence of information and the association of the individual and corporations with unflattering and potentially damaging material. These expose both the individual and corporation to new online reputation management challenges.
These are arguably Web 2.0’s most concerning corporate side-effects. Worryingly, the individual is the power-broker of Web 2.0 and with microblogging (particularly Twitter) tipped for meteoric success, we will see even less control exercised over what are essentially globally distributed sound-bytes.
Pseudonyms provide anonymity; personally or corporately identifiable profiles ‘should’ engender a greater spirit of caution and present an opportunity for positive self and corporate marketing (for example, through blogging and thought leadership initiatives). But what needs to be understood clearly is that the search engines, with their omnipresence, discover our sins.
In print media, yesterday’s news wrapped today’s fish and chips. But in the electronic age, opinion has an almost immortal quality. Search engines have a unique ability to discover and neatly present information that we may prefer remained hidden. Meanwhile, the Web and blogosphere contain a cacophony of voices inside which they are the eavesdroppers and intelligence agents.
There is an adage that Web 2.0 profiles are like tattoos – something you do when you are young and live to regret. But with appropriate controls, education and consideration, companies can seek to accentuate the positives and in sophisticated cases utilise them in personal branding and corporate marketing strategies. Online reputation management needs careful planning, but to the skilled the benefits significantly outweigh the risks.
Online Reputation Protection – ‘Manage those Microphones’
Where once scraper and ‘shill’ sites were padded with ‘pointless’ copies of the Open Directory Project (an old trick to create thousands of pages to bloat a website that was then packed with affiliate programs and click-through advertising), they are now extracting content from RSS feeds, quite a number scraping via Technorati tags that simply mirror their underlying site’s (content) taxonomy. I use Technorati tags to categorise content for improved searching and user experience. I am often amused to see how my articles are ‘aggregated’ onto these sites totally against copyright and any sense of appropriate ownership and control. In some cases the use of such content may be beneficial (e.g. offsite advertising), but consider the potential for widespread distribution of commentary.
Keep in mind the traditional political and broadcasting advice to ‘treat every microphone as if it were live’. Something said is difficult to retract in Web 2.0’s publishing model. This could affect your personal reputation or privacy, cause corporate embarrassment or perhaps worse. Social engineers are astute, so be careful of being drawn into electronic conversations that should be avoided. Solutions to some of these issues are emerging – including online reputation protection services such as Reputation Defender, ClaimID and Naymz – suggesting both the commercial and personal need to clean up ‘digital litter’.
Digital litter could be damaging your online reputation
Digital litter is all those nuggets of information personally linked to you – and be under no illusion that this body of information is being pored over by fraudsters and marketing companies, and in the corporate realm by researchers and competitors. Information, of course, is not as volatile as might be imagined. Simply deleting it from the original source is no guarantee of its destruction, with scraper sites, search indexes and historical web caches adding to the complexity. Reputation protection may only dilute some of the problems rather than completely remove them. We must of course accept freedom of speech and the right of fair criticism. In the Web 2.0 domain, our ‘complaints’ may well be beyond any reasonable bounds of control.
Corporate reputation is also tightly coupled with customer satisfaction, shareholder value, innovation and similar attributes. A key addition to the advice from 2000 is therefore to minimise personal and corporate risk from a system of worldwide electronic publishing where everyone can act as content producers.
Online Reputation Management and Corporate boundaries
As well as shifting the content producer-to-consumer ratio, Web 2.0 has removed some traditional corporate boundaries. In Unified Communications we talk about edgeless enterprises. Web 2.0 warrants a special mention as it has ‘eroded the edge’ through its technological simplicity, whilst also prompting a radical reappraisal of the psychology of home and work.
LinkedIn, Facebook, Plaxo, MySpace and associated groups today provide a rich hunting ground for the social engineer. Companies can be significantly profiled. Their names, departments, reporting structures, nature of business, personal links and networks can be mined and prioritised for further attack.
It is relatively easy to comb sites for information to use in ‘impersonation attacks’, extracting additional detail through email, telephony and other channels. With no identity management (i.e., no established trust) it is simple to create fake pages, groups and details and use these to link the unwitting.
I am opposed to companies blanket banning access to social networks. Bans of this nature have one glaring weakness – they end when employees go ‘off the clock’. They also restrict the business benefit that could be derived from appropriate use. It’s vital to understand your risk exposure and develop appropriate security policies, best practices and employee education.
Parental education is a recurring theme in the recent Byron Review (established in 2007 to study the online safety of children) and I draw parallels with employee and employer education. Threats are ‘evolutionary’ and social engineering is enjoying an upsurge in the volume and quality of unsolicited, freely and legally attainable information. Online reputation protection faces new challenges due to the speed of content production and distribution, a mechanism of such simplicity and attractiveness that bewildering numbers have embraced it across previously untouched demographics. There is a strong case for placing the onus on site providers to better protect privacy, but personal accountability must be advocated above all.
Online Reputation Management – Key Points
The key points that go on my updated wall-chart are:
- Explain risk exposure in terms of information leakage, and libellous, defamatory or brand-damaging activities through the employee base. Public comments from identified staff are potentially detrimental to business reputation and relationships.
- Understand and (in many cases) limit the volume of available corporate data on personnel, roles, responsibilities and professional activities – the social engineering goldmine.
- Marketing and IT security play an expanding role in meeting new threats and opportunities.
- Introduce Web 2.0 savvy security policies and training plans. It is no exaggeration that the proliferation of Web 2.0 opens a sizeable number of holes in the sieve of corporate intelligence (take the recent Facebook security leaks and social worms like Secret Crush as examples). Educated staff can make informed decisions and can better manage their own digital footprint as well as that of their employer. It is therefore vital for modern security training to cover the fundamental dangers of Web 2.0.
- Companies should understand the mechanics of auditing, measuring and defending their online reputation. Web intelligence solutions are particularly useful for online reputation management.
- With appropriate selection, guidance, motivation and controls, there is an opportunity to use the publishing power of Web 2.0 for extremely positive personal and corporate gain.
It is important not to be overtaken or overrun by technological advances. I recently advised a company following its discovery of some unofficial social networking groups (bedecked with company name and logo). These groups were innovative and well intentioned (if naively established) and such discoveries indicated corporate IT were losing touch with talented, motivated and active networkers. Simple editorial control and content audits were set up. It is however important to reflect on the potential for damage as well as the potential for gain if the same enthusiasm were harnessed through focused and ‘moderated’ corporate initiatives.
Information leakage has reached the point where in April 2008 the Israeli Defence Force (IDF) was compelled to issue a statement warning that “Facebook was a threat to national security”. At the heart of this was the ‘free and easy’ manner in which members of the IDF were posting personal information, identifying themselves as members of the security services, pictured at sensitive installations and discussing sensitive subjects.
In other words, the problems we face are so potentially damaging that they are now ‘on the radar’ of government security services. Online advertising models deserve an article in their own right, but I would briefly mention privacy concerns over Phorm and the highly publicised ‘Beacon disaster’ championed by an ‘unwisely zealous’ Facebook. These add an additional twist to the complex world of Web 2.0 security.
The best way to respond to these threats is to shape, cultivate, educate and empower your employees. Develop an understanding of your risk exposure and Web 2.0’s threats. The blinkers of a ‘9 to 5’ blackout may be unworthy – but be warned, you lose control of your employees and your personal or corporate reputation in Web 2.0 at your peril.