Problem solve Get help with specific problems with your technologies, process and projects.

Does blogging pose enterprise information security risks?

Blog popularity has continued to grow, now even reaching the corporate world as an effective communications and marketing tool. Blogs carry enterprise risks, however, and few companies are taking the proper precautions. Expert Mike Chapple raises policy questions that your company should consider before operating an official corporate blog.

There's more than one way to receive Threat Monitor

Listen to this blogging tip on your computer or MP3 player.
Blogging is growing in popularity and rapidly becoming a mainstream communication tool. Even companies are jumping on the bandwagon in record numbers, as a recent American Management Association/ePolicy Institute study of 416 U.S. businesses found 8% of organizations operate official corporate blogs. That's no surprise, given some of the high-profile business blogs, such as those by Justin Rattner of Intel and John Dragoon of Novell. However, the same survey also revealed some troublesome statistics regarding corporate blogging policies or lack thereof. Specifically:
  • 9% have policies about personal blogging during business hours
  • 7% have policies covering the use and content of business blogs
  • 7% cover employee's personal blogging activity from home
  • 6% prevent personal blogging on corporate blogs
  • 5% ban blogging at work outright
  • 3% have blog retention policies

Those are somewhat shocking numbers. While blogging is a powerful marketing and communications tool, it can pose significant risks to enterprise information security when not controlled. While some of these risks are obvious, such as inadvertent (or intentional) disclosure of trade secrets and risk to a company's reputation, other risks are more nuanced. Therefore, if your company is publicly traded, blog postings should be considered in light of applicable Securities and Exchange Commission regulations, because a blog post is like any other corporate communication.

Blogging policies
What can you do to control these risks? As with many security issues, the best place to start is with policy. Here are some questions you should consider when drafting your information security policies:

  • Does your organization permit blogging? If so, are there specific approved blogs or can any employee create their own? What is the new blog approval process?
  • Do you wish to place any restrictions on employees' use of personal blogs? Are these restrictions different depending upon whether they are blogging from home or from the office?
  • Are there any specific regulatory requirements that limit what you post to your corporate blog? Do these requirements extend to employees using personal blogs?
  • What is the approval process for postings to official corporate blogs?
  • How long will records of blog content be maintained and where will they be stored?
  • Are there any specific types of content that are taboo on corporate and/or personal blogs? For example, may blogs include the names of employees or customers? Are products in development fair game for bloggers?
  • Do you require that non-official blogs carry a disclaimer that the opinions expressed in the blog are those of the blogger only and do not necessarily represent the opinions of the organization?

For more information

Get advice for creating and managing policies in our resource center.

Want to learn how to reduce blogging risks? Ask Mike for help.

Blog risks go beyond policy-related concerns as well. A recent SPI Dynamics study noted that content feeds may be used as an attack vector to exploit vulnerabilities in news reader clients. Expect to see this threat develop over the next year, and be certain to keep your blog-reading software up-to-date on vendor security patches to reduce the risk to your enterprise.

About the Author: Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was last published in September 2006

Dig Deeper on Emerging cyberattacks and threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.