Not long ago, an article in The Age recounted how LinkedIn was used to crack a case of insider trading. This points out how exposed social media users have become. Obviously, in this instance, using social media led to a positive outcome, namely identifying illegal trading activities. However, there are a lot of scenarios where social media can be used to cause more harm than good. It is undeniable that social media today have become a mundane technology. While there has been some debate on how exactly to define it, a mundane technology in general is a technology that has been adopted, trusted and used by users in everyday life on a regular basis (Bury et al. 2010). One of the issues with mundane technologies is that they tend to become “invisible”, in the sense that we use them without, in most cases, considering the consequences.

Information leakage via social media is becoming a common problem. In some cases, this leakage is intentional. This occurs when an employee willingly posts company secrets on their social media profile. In other cases, the leakage is unintentional. This occurs when an employee inadvertently posts information that can be used to infer company secrets. Usually, unintentional leakage happens by aggregating more than one post, sometimes across different social media platforms!

Consider the following scenario: Bob is a manager at one of the big accounting firms in the country. Alice, a very good friend of Bob, is a manager at a very well-known supermarket chain. Alice’s company uses an accounting firm, run by Malory, whose contract is about to expire. Alice organises an informal meeting with Bob, over a coffee, to discuss the possibility of Bob’s company taking over accounting. Between catching up, discussing the new opportunity, and waiting for their coffees, Alice tweets:

“Having a coffee with @Bob, I can’t believe it’s been THAT long! #coffee #friends”

After they finish their coffees, Alice and Bob both get back to work. Upon arriving at his desk, Bob opens his LinkedIn account and posts:

“A very productive day at work today, caught up with a dear friend and I can see a new account in sight – very happy!”

Malory has been looking after Alice’s business for 10 years and has been trying to get in touch with her to draft a new contract. From his point of view, it is business as usual. After all, Alice’s company has been using his services for a very long time and they have built a very good relationship over the years. However, Alice has been stalling the negotiations and Malory starts to suspect that something might be wrong. Therefore, he turns to Google and types Alice’s full name. While browsing the results, he comes across her Twitter account and starts reading her tweets. He finds the tweet she made on the day she met with Bob. Intrigued, Malory looks up Bob. He comes across his LinkedIn account and finds out that Bob also works for an accounting firm. Malory becomes more suspicious. Malory starts browsing Bob’s profile and comes across Bob’s status update on the day he met with Alice. Malory puts 2 and 2 together and realises that Alice’s company will potentially not be renewing his contract. Armed with this information, Malory can now use it as leverage.

The previous scenario is obviously not ideal. However, it shows that it is possible for employees to divulge company secrets without even realising it. So what can be done to limit unintentional information leakage?

A study by the University of Melbourne (Molok, Chang & Ahmad 2010) proposes three solutions:

1. Develop an information security policy that specifies the rules of the acceptable use of social media and defines which information is classified and which isn’t.

2. Educate and train your employees. It might seem obvious, but unless you make your employees explicitly aware of the risks of using social media in the workplace you can never be sure that information leakage won’t occur. Educating your employees ensures that they understand their information security responsibilities, organisational policies, and proper use of IT resources entrusted to them. Additionally, it increases employees’ perceptions of vulnerability and severity of information security threats and subsequently minimises accidental security breaches.

3. Invest in preventative security systems. These systems will allow your company to encrypt its confidential information, implement access controls to classified information, and monitor and block employee postings on social media.

If Bob’s company had applied one of the measures discussed above, the potential deal between Bob’s and Alice’s companies would have stayed a secret until Alice’s company was ready to divulge this information to Malory.

 

References:

Bury, S., Ishmael, J., Race, N.J. & Smith, P. 2010, ‘Designing for social interaction with mundane technologies: issues of security and trust’, Personal Ubiquitous Comput., vol. 14, no. 3, pp. 227-36.

Molok, N.N.A., Chang, S. & Ahmad, A. 2010, ‘Information leakage through online social networking: Opening the doorway for advanced persistence threats’.