Blogging boggles business minds

The proliferation of Web logs, or blogs, has some information security experts concerned about the possibility of this online medium becoming a vehicle for industrial espionage.

Employee blogging poses the same risk as e-mail and instant messaging: disclosure, inadvertent or otherwise, of sensitive corporate information when it is used without appropriate policies, said Don Ulsch, director of technology risk management at Jefferson Wells Inc., an audit and risk management consulting firm in Boston.

The risk is only getting higher as the number of people jumping on this online journal bandwagon continues to increase. Between 2003 and 2004, the blogging population doubled from about four million to 8.8 million, according to estimates from the Pew Research Centre in Washington.

Blogs in the workplace, however, can vary from personal to corporate. Employees can be blogging about their lives outside of the office, but occasional references to their bosses or their work may be unavoidable.

“People don’t realize that they can be socially engineered in a blog just like they can be in any other scenario; they don’t expect it because they are not on guard for it,” said Ulsch.

He cited one incident involving an IT engineer working for a Web-based firm. The engineer was having trouble with the security of his company’s network and found a blog site that actually discussed the same issues he was having.

“[The IT engineer] was looking for opinions on how he might reinforce the perimeter defenses and be more resistant to hackers,” said Ulsch. After several weeks of blogging, one of the bloggers agreed to help him out. It turned out, however, that the blogger offering help was a hacker tricking the troubled engineer into divulging proprietary information about his company’s IT security architecture.

Although many companies already have some form of acceptable-use policies in place, Ulsch urged them to revisit these rules to cover areas specific to blogging.

Imposing a zero-tolerance policy may be possible, but in reality, it is difficult to enforce because not all companies have the capability to consistently monitor employee activity, said Ulsch.

He suggested implementing a “mid-level” policy where employees are encouraged to keep blogging activities at a reasonable level, without compromising productivity. Ulsch stressed that employees who choose to engage in blogging should never use their business e-mail address, as it can be a vehicle for spammers and phishers.

In addition to security risks, blogging in the workplace can also affect an organization’s state of compliance, Ulsch said. Regulated industries are typically required to maintain a record of all corporate communications, including e-mail and instant messaging.

Employee blogs in the enterprise would fall under that regulatory requirement, but few companies today may realize that, said the Jefferson Wells executive. “[Blogging] sort of falls between the regulatory cracks.”

Risks aside, at least one analyst is choosing to look on the bright side. “The biggest risk with regard to corporate blogs is not having one, which can result in being blindsided by competitors, customers and broader market forces,” wrote Ray Valdes, an analyst at Gartner Inc. in Stamford, Conn., in a research paper entitled “Analyze the Risks of Corporate Blogging.”

Valdes pointed out that there is a “low probability” that disgruntled employees will use blogs as the primary tool of choice for intentional release of confidential corporate information. He estimates that from now through 2008, less than one per cent of deliberate disclosures of company-confidential information will be done by an individual through his or her blog.

On the positive side, blogging can provide a vehicle for getting information about the market and can be a key element in a company’s repertoire of communication channels, the Gartner analyst said.

Valdes likened management’s concerns about blogs to those expressed in the mid-1990s when companies were concerned about granting employees access to the Internet and e-mail.

“In learning to work with an unfamiliar medium for social interaction, there is always the opportunity for a faux pas, until proper etiquette is learned. Blogging will be no exception,” Valdes said.

QuickLink 061057
