It doesn't have to be a Mini-Microsoft, an insider blog often critical of Microsoft, to pose problems. An enthusiastic employee who's not well-versed on corporate policy, a developer on public message boards, or even a personal blog where the employee occasionally discusses work all pose risks.
The July 2007 survey gathered 308 responses from U.S. companies with 1,000 or more employees. Forrester found that more than twenty percent of those surveyed had investigated the exposure of confidential, sensitive or private information via a blog or message board posting in the past 12 months.
"Security and IT professionals are just starting to wake up to blogs and message boards," said Keith Crosley, Proofpoint's director of market development. "The main concern is still outbound email, but these other forms of messaging and networking can't be overlooked."
Careless Employees Can Be as Dangerous as Malicious Ones
Usually, the intentions of employees aren't malicious, just careless. AOL's data leak of last summer provides a case in point. AOL posted information relating to search queries on its now-defunct research site, violating the privacy of 658,000 subscribers. While AOL tried to protect users' identities, replacing user names with numbers, it was relatively easy to figure out who a large number of these people were because they often searched for themselves, their family and friends, and things in their neighborhoods.
AOL certainly wasn't malicious, just incredibly careless. AOL figured that this information would be useful to researchers, and they certainly didn't intend to violate customers' privacy. They just didn't think things through, leading to a huge scandal, plenty of public humiliation, the loss of a number of customers, lawsuits, and the firing of three employees, including its CTO.
According to G. Oliver Young, an analyst with Forrester Research, the time to start worrying about content control is even before an employee enters the company. "If job candidates have questionable content on their MySpace or Facebook pages, it should raise flags," he said. "It's common now for employers to check those sites before a person is even offered an interview."
According to Proofpoint's Crosley, the scope of the problem is much larger than most people realize. "For every high-profile data-leak event, there are probably hundreds of smaller ones," he said. "These aren't publicized. They're handled internally, and the result is often a termination."
"When H.R. starts looking at an employee's online behavior, it's serious," Crosley said. In the past, employees worried about organizations nitpicking about their browsing habits. After all, as work bleeds into the personal lives of knowledge workers, many argue that it's perfectly reasonable to do some personal business during work hours. Similarly, the stress of knowledge jobs makes it equally acceptable to take a ten-minute break where you check, say, sports scores.