Such activities illustrate how important it is for companies to keep close tabs on what their workers are doing on corporate devices, Don Ulsch, technology risk management director in the Boston office of Jefferson Wells International Inc., told security executives during a lunchtime presentation on emerging threats Wednesday.
"Many people blog from work and mobile platforms and that's very bad," he said. "Blogs are one of the bad guys' tools."
He noted there are approximately 100 million blogs across cyberspace and many of them are used by organized criminal outfits to push gambling and pornography. When an employee does personal blogging on a company machine and corporate email account, blog databases are able to suck in a wealth of email data. Digital miscreants can then use sophisticated data mining software to scan the blogs for proprietary information that may be sitting in some of those stored messages, he said.
"They can analyze millions of messages and use what they find -- trade secrets, for example -- for hostile purposes," he said.
Over time, he said, online thieves can take seemingly unimportant details from those blog messages and piece them together in a way that allows them to see the big picture of what a company may be up to.
Ulsch said companies need to start taking the blogging phenomenon more seriously from a security perspective, and that a good starting point is to put a blog restriction policy in place.
"Employees must be told they can't use work email extensions for activities like this," he said. "If they have to blog, make them use an alias email address, communicate the risks and monitor for compliance."
Ulsch used the recent DuPont case as an example of what can happen when companies don't pay attention to what their employees are doing.
In that case, former DuPont senior chemist Gary Min stole approximately $400 million worth of information from the company and attempted to leak it to a third party.
Min joined DuPont in 1995 but began exploring a new job opportunity in Asia in 2005 with Victrex, a DuPont competitor. Shortly after opening the dialog with Victrex, Min reportedly proceeded to download approximately 22,000 abstracts from DuPont's data library and accessed about 16,700 documents. After Min gave his notice, DuPont discovered what he was up to and brought in the FBI. He eventually pleaded guilty to the crime and he is expected to be sentenced soon. He faces up to a decade in prison and a $250,000 fine.
"He was doing things DuPont should have seen as red flags, like downloading 22,000 abstracts and documents from the secure DuPont database," Ulsch said. "He was doing this 15 to 20 hours at a time. Had the company better understood the trust but verify concept, this might not have happened."
Ulsch said the proliferation of mobile technology among employees is increasing the likelihood that something bad will happen to the companies they work for. The bad guys are more likely to exploit employee activities like blogging to get at company secrets, and more data breaches are likely to result from the loss or theft of mobile devices.
"You're looking at a greater distribution of targeted information and there isn't as much monitoring of mobile devices because it's a lot more difficult than monitoring office-based PCs and servers," he said. "People are also less likely to observe company security policies and procedures when they're outside the office, and it's more difficult for employees to observe risky behavior among their colleagues when they're not there."