A Cautionary Tale of Third Party Disclosure
We’re all guilty of it. The conversation at the table next to you in the fancy restaurant is sounding interesting and as you’re sitting nearby, you can overhear the people as they talk. Sometimes it’s innocuous tidbits of family life, other times it’s more important information, like say, two bank employees discussing network IP addresses, or what type of configuration they’re going to propose for the new firewall. If you were not the upstanding citizen and information security professional with a high ethical standard, you could possibly share that information with your friends in a chat room, or post it on your blog.
As we all continue to blur the lines between work and personal life, dragging home laptops and blackberries and doing business as we commute back and forth each day, it’s almost surprising that more of us are not ending up in the blogosphere or on Internet chat forums or on MySpace, and then are known as “the employee who talked in public,” says one information security expert.
Third party disclosure is a troubling thought to Dr. Terry Gudaitis, Director of Cyber Intelligence at Cyveillance, and she’s worried that it will continue to proliferate. “The rise of third party disclosure is usually accidental, either through a spouse, a child, a waiter at your favorite restaurant, or the guy next to you on the train or plane overhears or sees some confidential information, and then this information finds its way onto a blog.”
Gudaitis related her personal eavesdropping train ride from Boston to New York one morning. “By the end of the ride, I could tell you who the person was, what bank they worked for, their office number, email address, home phone number, a partial bank account number, and much more sensitive information on the work this chatterbox was doing for his bank.” She added that if she were one of those third party disclosers, “This is the kind of information I would want to post. It’s just astounding what you can overhear.”
Of course, there has always been the eavesdropper, the local gossip, the person that knows everything that is going on in the area. “But in the age of the internet, this area becomes much wider, and the eavesdropper who overhears the information on a business deal suddenly has the world’s ear, not just the one or two people they know in town,” she added. “Now all of a sudden everyone can see it.”
She cautioned financial institutions to be monitoring what is being said about their institution on the Internet. “Some of the things I’ve seen on the Internet include a father is overheard on a phone conversation by his child’s friend, and the father is talking about a company merger that is planned, and the child’s friend turns around and posts that on their page on Myspace.com, and this kind of information travels very fast.” This is the kind of information that can delay or postpone, or stop a merger from happening, she noted.
Previously, before the Internet came along, “that kind of information wouldn’t have made it out of the household or the backyard. At the most it may have swept through a small social network and stopped at the second person it was shared with,” she added. With the Internet this kind of information has the ability to have much more impact, even affecting the success of that acquisition, or stock price, or future of a company.
“Whatever the discussion, they are being picked up; people are dragging their work with them, and the work world is leaking into the personal one. On that train ride I literally could have had a company’s entire customer list, based on the calls that one rider made. The guy was going down the company’s customer list; had I been a competitor of this company, that kind of information would be very valuable to me. So I don’t have to pretext, I could just sit next to them on the train and shoulder surf and eavesdrop.”
She ended her cautionary tale with a question, “Do you really know who is listening to your conversation, or looking over your shoulder in public? And more importantly, would they be able to hear or see information that is non-public or sensitive to your institution?”