This article can also be found in the Premium Editorial Download "Information Security magazine: Improving your network security strategy in a recession."
Are employees blogging corporate secrets? It's not an unreasonable fear, actually. People have always talked about work to their friends. It's human nature for people to talk about what's going on in their lives, and work is a lot of most people's lives. Historically, organizations generally didn't care very much. The conversations were intimate and ephemeral, so the risk was small. Unless you worked for the military with actual national secrets, no one worried about it very much.
What has changed is the nature of how we interact with our friends. We talk about our lives on our blogs, on social networking sites such as Facebook and Twitter, and on message boards pertaining to the work we're doing. What was once intimate and ephemeral is now available to the whole world, indexed by Google, and archived for posterity. A good open-source intelligence gatherer can learn a lot about what a company is doing by monitoring its employees' online activities. It's no wonder some organizations are nervous.
So yes, organizations should be concerned about employees leaking corporate secrets on social networking sites. And, as much as I hate to admit it, disciplinary action against employees who reveal too much in public is probably in order. But actually policing employees is almost certainly more expensive and more trouble than it's worth. And when an organization catches an employee being a bit too chatty about work details, it should be as forgiving as possible.
That's because this sort of openness is the future of work, and the organizations that get used to it or--even better--embrace it, are going to do better in the long run than organizations that futilely try to fight it.
The Internet is the greatest generation gap since rock and roll, and what we're seeing here is one particular skirmish across that gap. The younger generation, used to spending a lot of its life in public, clashes with an older generation in charge of a corporate culture that presumes a greater degree of discretion and greater level of control.
There are two things that are always true about generation gaps. The first is that the elder generation is always right about the problems that will result from whatever new/different/bad thing the younger generation is doing. And the second is that the younger generation is always right that whatever they're doing will become the new normal. These things have to be true; the older generation understands the problems better, but they're the ones who fade away and die.
Living an increasingly public life on social networking sites is the new normal. More corporate--and government--transparency is becoming the new normal. CEOs who blog aren't yet the new normal, but will be eventually. And then what will corporate secrecy look like? Organizations will still have secrets, of course, but they will be more public and more open about what they're doing and what they're thinking of doing. It'll be different than it is now, but it most likely won't be any worse.
Today isn't that day yet, which is why it's still proper for organizations to worry about loose fingers uploading corporate secrets. But the sooner an organization can adapt to this new normal and figure out how to be successful within it, the better it will survive these transitions. In the near term, it will be more likely to attract the next-generation talent it needs to figure out how to thrive. In the long term...well, we don't know what it will mean yet.
Same with blocking those sites; yes, they're enormous time-wasters. But if an organization has a problem with employee productivity, they're not going to solve it by censoring Internet access. Focus on the actual problem, and don't waste time on the particulars of how the problem manifests itself.
Bruce Schneier is chief security technology officer of BT Global Services and the author of Schneier on Security. For more information, visit Schneier.com.
COUNTERPOINT by MARCUS RANUM
It seems to me that everyone rushes to blame the new-whatever for problems that they should have already known about and understood for a long time. Keeping information confidential or secret has always been difficult, and I really doubt new technology changes the situation a great deal. It seems less a matter of worrying about employees blogging secrets than simply having stupid employees. My experience is that a stupid employee is a curse that keeps hurting an organization vastly out of proportion to any other contribution he or she might make. There's probably nothing new or different about that, either.
Whenever I hear someone complaining about how difficult it is to keep information from leaking, I immediately think about the secrecy Apple has managed to maintain surrounding some of the devices it has produced. Clearly, it's possible to build a complex piece of electronics, with contractual relationships and sourcing arrangements all over the world, and not have the design be leaked months ahead of time. So my suspicion, when people are complaining about information leakage, is simply that they haven't taken it seriously and are complaining about the horse having left an unlocked barn. That's an extremely common practice in corporations; sure, it's reasonable to blame the employee who blurted out a secret on his blog--but ultimately I see these problems as symptomatic of poor management and bad hiring choices more than anything else.
In other columns, I've criticized security training as largely ineffective, but this is one place where establishing an organizational culture of security really is critical. How is it that the people who are designing and building iPods can keep a secret, while researchers at labs such as Los Alamos can e-mail design information about nuclear weapons in the clear? It's a matter of having a shared sense of purpose and, perhaps, technological support where necessary.
Mostly, though, it's not a technical problem--management has to, as it were, manage people. Too much of the time, managers are behind the technology power curve and abrogate their responsibility to understand what employees are doing. I worked at one company where, out of curiosity, I checked firewall logs and discovered that about 20 percent of the engineering staff was spending 90 percent of its time arguing on Slashdot. Never mind information leakage--that's just plain dysfunction.
I don't know how much industrial espionage actually goes on, but it seems as if the traditional methods are effective: if you want to know what your competitors are doing, talk to their customers, hire people who used to work for them, or get advance copies of product literature from their resellers and business partners. I've been involved in a couple of situations where I worked for one security company, and would get résumés from people who worked at our closest competitor.
Employees are going to think about a competitor as a possible place to work simply because they have experience in that market or technology, and the experience might translate into a decent position. If someone were trying to deliberately spy on a target, would it really be worth all the bother of wading through MySpace pages and collating résumés? I'd bet that hiring an ex-employee would be a whole lot simpler. Admittedly, I am biased: the sheer amount of banner ads and goofy marketing on social networking sites makes them unbearably slow and noisy. Trying to learn anything useful from them would be painful--extremely so.
I really have to disagree with you about CEOs blogging useful stuff and that "open" is becoming the new way of doing business. That's all just marketing crud; I have yet to see a CEO give away anything interesting in a blog that wasn't carefully choreographed (and I suspect most CEO blogs are actually written by someone in the marketing department). While "open" is the big deal right now, I think it's largely just appearance. Our theoretical modern industrial spy would have to wade through press releases masquerading as blog entries, as well as "here are 400 pictures of me and my puppy" on blogging sites.
Sure, information leakage is a problem, but it makes more sense to be worried about information being targeted and pulled than it does information being posted by employees.
Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit Ranum.com.
This was first published in February 2009