I saw a movie a while back in which a character was locked up in a prison, and he said something like, “I’m not locked in here with you; you’re locked in here with me.” We have been told for years that the insider threat is more important to address than the external threat. Part of the issue is that when we think about an external attack, we have someone on whom we can focus our energy – the wily hacker. We have a (more or less) identifiable enemy. And, the enemy is a bad guy. They want to steal our stuff. Our stuff is our valuable information, our cool data, which can be used to get access to money, or sold for money.
Our main problem with this is that we don’t really want to believe it. The idea that all of our millions of dollars worth of security measures could be undone by a file clerk making $10 an hour is pretty freakin’ scary.
Back in 1994, when my old company first got Internet access, we were worried about external exposures brought by employees accessing external sites and having access to external email. As Social Media boomed, we heard dread from the security community about how unlimited access to Social Media was going to contribute to widespread loss of internal information.
In fact, we have seen some internal information released through twitter and Facebook. Some of this has been idle gossip, and some of it genuine internal breaches. We have also seen social engineering attacks make use of social media to help gather information, and make attacks more successful. An advanced attack of an organization will likely make use of social media, at the very least to gather more information about the target. But has social media been the boon to the hacking community that we had originally been worried about? Not really. We still think about leaks of internal information, such as Private Manning’s release to WikiLeaks, which was spread via email, but social media has failed to create chaos. Obviously, if you do not have a social media policy that describes authorized uses of social media you are behind the curve. If a policy is simply not enough “control” for you, there are options to filter and monitor social media access, or you could always ban social media at work. Given the status that social media holds in a significant portion of the working population, this creates a whole new problem of attracting the proper talent to your organization. For that matter, in reaction to employee requests and applicant demand, pretty much all of the clients that I had seen ban social media in the past are now providing pretty much unfettered access.
In reality, the larger impact that social media has had on companies has probably been more in the company’s favor – using social media to assist in job screening. Most of the companies that I deal with on any regular basis do check social media. At the very least, HR departments and potential employers can use social media to help gather information about what kind of person an employee could be. Do they appear to have a culture and set of values that will fit in at the new organization? Are they revealing internal information about the current employer? Are they complaining about their current job or management? A prospective employer can learn something if they can see that an employee posts 67 updates to their Facebook page during what is supposed to be a normal work day.
Studies are problematic. It all depends on who does the study and what they want to use them for, but I have seen everything from 40% of companies to 85% of the companies surveyed review Facebook profiles to help screen applicants. Of those companies, the ranges tended to be smaller when discussing applicants who were disqualified because of what was viewed as negative information on their Facebook. About 30-35% of companies surveyed tend to say they have disqualified at least one candidate after reviewing their Facebook page. A short while ago I read about 100 applicants who had applied for an opening in a correctional institution. If my memory is correct, the institution disqualified somewhere around 85 of the applicants for negative behavior shown on their Facebook pages, including flashing gang signs. I guess that number sounds about right – somewhere on someone’s Facebook account there are pictures of about 85% of America’s college aged young adults mugging and flashing gang signs at a phone camera.
The next step has come as well. Because she used her own computer to post on her Facebook page that she “hated” a school hall monitor, a Minnesota middle school girl was forced to give up her Facebook account information. The school felt it necessary to investigate the private postings. This is an interesting issue since a 1969 Supreme Court decision gives student the right to criticize, as long as the student’s comments don’t cause a disruption on school grounds. But, is it okay for the school to get her account information and “investigate”? While the comments were made from a personal computer, after school hours, they were technically available from school grounds if someone accessed the girl’s Facebook account from school.
While I get the feeling this is not as widespread as we hear, the Internet is rampant with reports of employers asking for Facebook and other social media credentials as part of the application process. We have seen the same allegations about colleges – give up your credentials to get admitted. Technically, this is against the terms of service of the person’s Facebook account, and if you give up your account information, Facebook can suspend or terminate your account.
This is now prowling the halls of Congress as well. The House recently voted down a bill that would have allowed “Protecting the passwords of online users”. We can probably expect the bill to return through committee and possibly to the floor, especially after two US Senators have asked the U.S. Department of Justice and the Equal Employment Opportunity Commission to investigate employers asking for Facebook and other social media account information. They specifically called into question two pieces of existing federal legislation that prohibit intentional access to electronic information without proper authorization. Depending on how the law is interpreted and applied, that could make access an applicant’s information a federal crime, punishable by prison time. But, if the employer is hiring an applicant for a job, and a condition of the employment is allowing authorized access, such access is not unauthorized, so this would not be a crime, right?
I find the outrage against this somewhat interesting. Facebook, in particular has decried the practice, stating that it is an unreasonable breach of an applicant’s privacy. I think this is the same Facebook that has regularly changed security settings to less secure default settings, revealing more information and pretty effectively reducing the privacy of any subscriber. Interesting bit of hypocrisy.
By its very definition, privacy is reduced in consumers of social media. The more public you make your persona, the less private you are, and the less privacy you have. We have an entire culture of people for whom social media is the norm, and NOT using it is anathema. There clearly has to be a balance of employer use and mis-use of this information.
But, at the same time, I find myself telling my daughter – a social media junkie who is also actively job hunting – to get a grip. There is simply no chance that you will ever be able to convince me that giving up your Facebook account information is anywhere near the same level invasion of privacy as providing the urine samples that I have done for every employer I have ever had.