The proliferation of Web logs, or blogs, has some information security experts concerned about the possibility of this online medium becoming a vehicle for industrial espionage.
Employee blogging poses the same risk as e-mail and instant messaging: disclosure, inadvertent or otherwise, of sensitive corporate information when it is used without appropriate policies, said Don Ulsch, director of technology risk management at Jefferson Wells Inc., an audit and risk management consulting firm in Boston.
The risk is only getting higher as the number of people jumping on this online journal bandwagon continues to increase. Between 2003 and 2004, the blogging population doubled from about four million to 8.8 million, according to estimates from the Pew Research Centre in Washington.
Blogs in the workplace, however, can vary from personal to corporate. Employees can be blogging about their lives outside of the office, but occasional references to their bosses or their work may be unavoidable.
“People don’t realize that they can be socially engineered in a blog just like they can be in any other scenario; they don’t expect it because they are not on guard for it,” said Ulsch.
He cited one incident involving an IT engineer working for a Web-based firm. The engineer was having trouble with the security of his company’s network and found a blog site that actually discussed the same issues he was having.
“[The IT engineer] was looking for opinions on how he might reinforce the perimeter defenses and be more resistant to hackers,” said Ulsch. After several weeks of blogging, one of the bloggers agreed to help him out. It turned out, however, that the blogger offering help was a hacker tricking the troubled engineer into divulging proprietary information about his company’s IT security architecture.
Although many companies already have some form of acceptable-use policies in place, Ulsch urged them to revisit these rules to cover areas specific to blogging.
Imposing a zero-tolerance policy may be possible, but in reality, it is difficult to enforce because not all companies have the capability to consistently monitor employee activity, said Ulsch.
He suggested implementing a “mid-level” policy where employees are encouraged to keep blogging activities at a reasonable level, without compromising productivity. Ulsch stressed that employees who choose to engage in blogging should never use their business e-mail address, as it can be a vehicle for spammers and phishers.
In addition to security risks, blogging in the workplace can also affect an organization’s state of compliance, Ulsch said. Regulated industries are typically required to maintain a record of all corporate communications, including e-mail and instant messaging.
Employee blogs in the enterprise would fall under that regulatory requirement, but few companies today may realize that, said the Jefferson Wells executive. “[Blogging] sort of falls between the regulatory cracks.”
Risks aside, at least one analyst is choosing to look on the bright side. “The biggest risk with regard to corporate blogs is not having one, which can result in being blindsided by competitors, customers and broader market forces,” wrote Ray Valdes, an analyst at Gartner Inc. in Stamford, Conn., in a research paper entitled “Analyze the Risks of Corporate Blogging.”
Valdes pointed out that there is a “low probability” that disgruntled employees will use blogs as the primary tool of choice for intentional release of confidential corporate information. He estimates that from now through 2008, less than one per cent of deliberate disclosures of company-confidential information will be done by an individual through his or her blog.
On the positive side, blogging can provide a vehicle for getting information about the market and can be a key element in a company’s repertoire of communication channels, the Gartner analyst said.
Valdes likened management’s concerns about blogs to those expressed in the mid-1990s when companies were concerned about granting employees access to the Internet and e-mail.
“In learning to work with an unfamiliar medium for social interaction, there is always the opportunity for a faux pas, until proper etiquette is learned. Blogging will be no exception,” Valdes said.