By Steve Nimmons

I recall (approximately 8 years ago) reading an interesting poster on social engineering at a well-known electronics company in California. The ‘wall-chart’ communicated sensible advice for dealing with unsolicited phone calls, ‘chance’ conversations and the importance of discretion when discussing corporate matters on planes, trains and automobiles. Tail gating and the ‘risk of gallantry’, the social and psychological tricks used by experienced practitioners to ‘project belonging’, the need for discretion and vigilance in public spaces and of course ‘clear desk policies’ were topics explained in concise, relevant and accessible language. Workforces across this and other enterprises were equipped to deal with the primary aspects of corporate social manipulation. In-house and industry standards shared the wisdom of primary threats, expected behaviours and above all encouraged staff training and awareness.

I visited many technology start-ups during this period. Their social engineering concerns centred on leakage of financial data and intellectual property. With looming IPO (Initial Public Offering) these companies had a lot to lose, the wrong information entering the market at the wrong time being potentially damaging to earnings. Intellectual property was naturally their core competitive differentiator and was suitably protected, including legally through patents and nondisclosure agreements. It was clear what they feared, why they feared it and that they were being proactive in terms of minimising their overall exposure to risk.

Perimeter defences with clear corporate boundaries and technological barriers primarily tamed Web1.0.

Fast-forward 8 years and with the introduction and exponential uptake of Web2.0 it is fascinating (indeed crucial) to explore the considerations for similarly intentioned advice today.

When discussing the Web2.0 revolution I emphasise the ‘practical’ removal of technological barriers to content publication. Blogs, wikis, forums, social bookmarking and social networks are a selection of means by which individuals can share and debate views (single click, no safety catch). As we discovered (or perhaps suffered) in the past few years, this medium provides ideal conditions for libel, defamation (perhaps creating internal conflict or damaging partner relationships), careless divulgence and the association of the individual and corporations with unflattering and potentially damaging material. These are arguably Web2.0’s most concerning corporate side effects. The individual is the power-broker of Web2.0 and with microblogging (particularly Twitter) tipped for ‘meteoric success’ I think we will see even less control exercised over what are essentially globally distributed sound-bytes. Pseudonyms provide anonymity, personally or corporately identifiable profiles ‘should’ engender a greater spirit of due care and present an opportunity for positive self and corporate marketing (for example blogging and thought leadership initiatives). But what needs to be understood clearly is that the search engines with their omnipresence ‘discover our sins’. The Web and blogosphere contains a cacophony of voices inside which they are the ‘great eavesdroppers and intelligence agents’. In print media, yesterday’s news wrapped today’s fish and chips, but in the electronic age opinion has an almost immortal quality. Search engines have a unique ability to ‘discover’ and neatly present information that we may prefer remained ‘hidden’.

There is an adage that Web2.0 profiles are like tattoos, something you do when you are young and live to regret. With appropriate controls, education and consideration however we can seek to accentuate the positives and in sophisticated cases utilise them in personal branding and corporate marketing strategies.

Where once scraper and ‘shill’ sites were padded with ‘pointless’ copies of the Open Directory Project (an old trick to create thousands of pages to bloat a website that was then packed with affiliate programmes and click through advertising) they are now extracting content from RSS feeds, quite a number scraping via Technorati tags that simply mirror their underlying site’s (content) taxonomy. I use Technorati tags to categorise content for improved searching and user experience. I am often ‘amused’ to see how my articles are ‘aggregated’ onto these sites totally against copyright and any sense of appropriate ownership and control. In some cases the use of such content may be beneficial (e.g. off-site advertising), but consider wisely the potential for widespread distribution of commentary. Keep in mind traditional political and broadcasting advice “treat every microphone as if it were live.” Something said is difficult to retract in Web2.0’s publishing model. This could affect personal reputation, privacy, cause corporate embarrassment or perhaps worse. Social engineers are astute, so be careful of being drawn into electronic conversations that should be avoided.

Solutions to some of these issues are emerging (e.g. online reputation protection services such as Reputation Defender, ClaimID and Naymz), suggesting the commercial and personal need for ‘digital litter cleanup’. Digital litter is all of those nuggets of information personally linked to you. Be under no illusion that the collective body of this information is being poured over by fraudsters and marketing companies and in the corporate realm by researchers and competitors. Information of course is not as volatile as might be imagined. Simply deleting it from the original source is no guarantee of its destruction, with scraper sites, search indexes and historical web caches adding to the complexity. Reputation protection may only dilute some of the problems rather than completely remove them.

We must of course accept freedom of speech and the right of fair criticism. In the Web2.0 domain our ‘complaints’ may well be beyond any reasonable bounds of control. Corporate reputation is also tightly coupled with customer satisfaction, shareholder value, innovation and similar attributes. A key addition to the advice from 2000 is therefore minimising personal and corporate risk from worldwide electronic publishing in which ‘everyone’ can act as content producers.

In conjunction with shifting the content producer to consumer ratio, Web2.0 has removed traditional corporate boundaries. In Unified Communications we talk about edgeless enterprises. Web2.0 warrants a special mention as it has ‘eroded the edge’ by (as we have seen) technological simplicity, but also radical reappraisal of the psychology of home and work. In essence the erosion is catalysed by behavioural change and personal empowerment inherent in its purpose. The ‘fear index’ of such a proposition (which is today’s reality) is dependent on factors such as workforce size, employee trust and satisfaction, and employer sophistication. Sophistication in this regard I would describe as the ability to manage the distinct threats and opportunities of the modern (and emerging) Web.

I am unsurprisingly an ardent social networking enthusiast. My collaborative technology journey began with projects in Computer Supported Co-operative Work (CSCW) research in 1993. Looking back, our vision was of a more business-oriented (less entertainment driven) outcome. It was not a world we envisaged would be plagued by the ‘unrighteous’. LinkedIn, Facebook, Plaxo, MySpace, a myriad of others and the proliferation of associated groups, today provide a rich hunting ground for the social engineer. Companies can be significantly profiled, names, departments, reporting structures; nature of business, personal links, and networks can be mined and prioritised for further attack. It presents limited challenge to comb sites for information to employ in ‘impersonation attacks’, extracting additional detail through email, telephony and other channels. With no identity management (i.e. no established trust) it is simple to create fake pages, groups and details and use these to link the unwitting. IBM’s recent announcement to create a private Second Life implementation is an interesting play to re-establish corporate boundaries (without stifling in-house collaborative and social benefits). I am opposed to blanket banning of social network access from corporate estates. Bans of this nature exhibit a glaring weakness, they end when employees are ‘off the clock’. They also restrict business benefit that could be derived from ‘appropriate use’. Understanding risk exposure, developing appropriate security policies, best practices and employee education are vital. Parental education is a recurring theme in the recent Byron Review (established in 2007 to study the online safety of children) and I draw parallels with employee and employer education in a similar vein.

Threats are ‘evolutionary’ and social engineering is enjoying an up swell in volume and quality of unsolicited, freely and legally attainable information. Reputation protection faces new challenges due to the speed of content production and distribution, a mechanism of such simplicity and attractiveness that bewildering numbers have embraced it across ‘previously untouched’ demographics. As digital footprints do not ‘melt’ I remain concerned about the long-term impacts of careless experiences in Web2.0. There is a strong case for placing the onus on site providers to better protect privacy, but personal accountability must be advocated above all.

The key points that go on my updated ‘wall-chart’ for 2008 are:

• Explaining risk exposure in terms of information leakage, libelous, defamatory or brand damaging activities that have indirect or direct association through the employee base. Public comments from identified staff being potentially detrimental to business reputation and relationships
• The need to understand and in many cases limit the volume of available corporate data on personnel, roles, responsibilities and professional activities (the social engineering gold mine)
• The expanding roles of Marketing and IT Security in meeting new threats and opportunities
• The need for ‘Web2.0 savvy’ security policies and training plans. It is no understatement that the proliferation of Web2.0 opens a sizeable number of holes in the sieve of corporate intelligence (take recent Facebook security leaks and social worms like Secret Crush as examples). Educated personnel make informed decisions and can better manage their own digital footprint as well as that of their employer. It is therefore vital for modern security training to cover the fundamental dangers of Web2.0
• The mechanics of auditing, proactive measurement and defence of online reputation. Web intelligence solutions are particularly useful but managing remedial action is still fairly undeveloped
• Explaining the opportunity to leverage personnel as a unique and highly scalable marketing entity. With appropriate selection, guidance, motivation and controls there is an exciting opportunity to use the publishing power of Web2.0 for extremely positive personal and corporate gain

It is important not to be overtaken or overrun by technological advances. I recently advised a company following the discovery of unofficial social networking groups (bedecked with company name and logo). The groups were innovative and well intentioned (if naïvely established) and such discoveries indicated corporate IT were losing touch with talented, motivated and active networkers. Establishment of editorial control and content audits were simple wins. It is however important to reflect on the potential for damage as well as the potential for gain if the same enthusiasm were harnessed through focused and ‘moderated’ corporate initiatives.

There has been a number of very interesting developments in the Web2.0 security and privacy domain over the past few months. At the end of March, IBM announced a $15.8m research grant awarded by the European Union. ‘PrimeLife’ will be a 3-year study co-ordinated by their research division in Zurich supported by 14 partners from around the world. It will seek to put control of user’s data back in user’s hands”. The extent of privacy and information leaks reached the point in April where the Israeli Defence Force (IDF) was compelled to issue a statement warning that, “Facebook was a threat to national security”. At the heart of that story was the ‘free and easy’ manner in which members of the IDF were posting personal information, identifying themselves as members of the security services, pictured at sensitive installations and discussing sensitive subjects. The problems we face are so potentially damaging that they are now ‘on the radar’ of government security services. Online advertising models deserve a full article in their own right, but I would briefly mention privacy concerns over Phorm and the highly publicised ‘Beacon disaster’ championed by an ‘unwisely zealous’ Facebook. These add an additional twist to the complex world of Web2.0 security.

My closing advice is to shape, cultivate, educate and empower your employees. Realise this by comprehending risk exposure and Web2.0’s threats. The blinkers of a ‘9 to 5’ blackout are unworthy; but above all, lose control of your employees, your personal or corporate reputation in Web2.0 at your peril.