"Loose lips might sink ships" is a propaganda idiom that originated during World War II to raise awareness of the hazards of careless talk about subject matter that could be vital information to the enemy. As a US Navy veteran, I take this to heart and do my best to protect corporate data no matter how insignificant it may seem. However, social communication sites such as Facebook, Twitter and YouTube provide new avenues of personal sharing in a social context that could have considerable ramifications in a professional context.
The other day I was talking to somebody about the challenges of publicly available communication sites and concerns about how to secure professional content from being openly shared. In many cases employees use the aforementioned sites to communicate internally or externally and oftentimes may be sharing sensitive corporate data on these sites, not with the intent of being malicious, but because it seems like the right way to share information or because they want to circumvent IT-placed restrictions. He then shared a story with me of a coworker who posted a simple status update to a social site, something to the effect of “Have the day off tomorrow, project on hold. Wahoo!” It just so happens this person was on the same project and wasn’t aware it had been placed on hold, so he contacted his manager to see if the project was in fact on hold. The manager, alarmed by the question, escalated to the director, who immediately questioned this person on how and where they got their information. He didn’t wish to get anybody in trouble, but was put in the precarious position of being in the middle between his co-worker/friend and upper management. As it turns out, the concern from management was justified, as the client was in the early stages of a restructuring that hadn’t been announced and positions were going to be affected. Had there been a preannouncement of this information (even without intent), the implications could easily have stretched into a substantial liability for the company.
There have also been countless examples of people trying to hide behind the curtain of anonymity with communication vehicles and failing miserably. Who can forget the story a couple of years ago on How Not to Get a Job Via Twitter, in which somebody publicly talked about receiving a job offer, then questioned if it was worth doing a job they didn’t want for a “fatty” paycheck. More recently, the story of how the Secret Service bashes Fox News on Twitter because a user thought they were posting to a personal account demonstrates the need not only for policies, but also for policy enforcement. In this case, an anonymous user sent a message under the title of Secret Service that was representative of the entire Secret Service in a less than positive way. A quick search of the web will bring up countless other stories and even more, such as calendar information being shared publicly with details such as dial-in and access codes to internal company meetings.
Customers I speak with have different ways of protecting corporate data from public sites. Some turn off access to known sites, but it is difficult to scale and manage the existing and new public access sites as they appear. Others limit the types of files that may be uploaded to an outside site. These approaches may be easily circumvented by the technically savvy user. I believe the most effective recourse is education. Communicating documented stories of how loose lips might sink ships is a great way to drive awareness of the cause and make people think twice about the information they share publicly. There are many vehicles you can use internally to spread the word: intranet postings, e-mail, enterprise social software communities, videos, blogs, and voice mail. The greater the level of awareness, the greater the level of responsibility.
What are you doing to protect corporate data from public eyes? Most everybody will brag about having a day off, but how do you keep them from revealing too much when asked why? What are your thoughts about the separation of personal and professional social sites and how to maintain that separation for the good of the company?