Blogging Becoming Vehicle for Industrial Espionage

The proliferation of weblogs, or blogs, has some information security experts concerned about the possibility of this online medium becoming a vehicle for industrial espionage.

Like e-mail and instant messaging, employee blogging poses risks of disclosure (inadvertent or otherwise) of sensitive corporate information when used without appropriate policies. And that risk is growing as more people jump on the online journal bandwagon. Between 2003 and 2004, the blogging population doubled from about 4 million to 8.8 million, according to analysts’ estimates.

Wild West
The blogging world is, virtually by definition, difficult to define and describe. An employee may blog about his pet hamster – or he may write detailed technical papers that could potentially expose valuable data to competitors, or even hostile nations.

Even when employees blog primarily about their lives outside the office, occasional references to their bosses or their work may be unavoidable.

And people don’t realize that they can be socially engineered in a blog just as they can in any other scenario, experts say. For example, in one incident, an IT engineer working for a Web-based firm was having trouble with the security of his company’s network and found a blog site that actually discussed the same issues he was having.

In an effort to improve matters, the engineer used a blog to seek opinions on how he might reinforce the perimeter defenses and make them more resistant to hackers. After several weeks of this blogging, one reader agreed to help him out. It turned out, however, that the blogger offering help was a hacker tricking the troubled engineer into divulging proprietary information about his company’s IT security architecture.

© National Security Institute, Inc.