Mark Zuckerberg made headlines last year when a photo he posted on Facebook showed tape over the webcam of his laptop in the background. And an image of Steve Bannon recently made the rounds after a third party posted a photo on his social accounts with Bannon’s whiteboard in the background. While Zuckerberg was exhibiting strong security practices and most of what people pulled from Bannon’s whiteboard were points that have already been discussed publicly, these incidents show that oversharing can uncover private information that you didn’t want to go public. Oversharing can also enable cyber security risks depending on the information exposed.
While it may not seem like an obvious part of security awareness and education, it’s important for infosec teams to discuss best practices on taking photos in the office, posting appropriate content on social accounts, using screenshots in presentations, and even displaying sensitive information in the office. Without anyone intending it, items such as employee badges, product roadmaps, new hire data, sales and revenue figures, confidential client names, salaries and trade secrets can be quickly exposed. And once these details are made public, there is no making them private again.
When speaking with teams, here are some of the primary things to highlight:
Highlighting office culture on social media has become an important component of many organizations’ recruiting efforts. Security teams don’t need to discourage this practice, but rather educate employees about why it’s important to consider the content and the background in these shots. It may seem like a good idea to highlight a team brainstorm or presentation, but chances are there are some sensitive details hidden in those photos. It’s important to be diligent about protecting your customers’ confidential data as well as your own. As the popularity of social media continues to rise and more data is at our fingertips, it’s important to realize the variety of ways your information could be exposed.
Smile for the camera
According to Pew Research Center, “seven-in-ten Americans use social media to connect with one another, engage with news content, share information and entertain themselves.” This is in stark contrast to 2005, when they found only 5 percent of American adults used at least one social media platform. So you can assume at least 70 percent of your organization actively uses at least one social media account. Most of this is likely for personal use. However, the lines between our personal and professional lives continue to blur. It’s important to remind employees of what information is appropriate to share on social media about your company. Communicate these guidelines clearly and regularly so there is no confusion about what can and cannot be shared.
For your eyes only
Using whiteboards for brainstorming and planning is very common. And it’s understandable why. It provides a large space to create a visual representation of your thought process. These whiteboards are typically in common areas like conference rooms, and ultimately are visible to passing individuals. In open office environments, it can be very easy for someone to take a quick peek at information that isn’t meant for them. What’s more, with visitors cycling in and out, it can be very easy for someone to uncover confidential information without even searching for it. How many times have you walked into a meeting with leftover notes scribbled on the whiteboard from a previous group? It’s important to remind employees that a level of confidentiality exists both internally and externally. Therefore, it’s important to ensure confidential plans and schematics are not displayed in a way that leaves them open to a passing glance, and that sensitive material is erased from whiteboards in conference rooms when meetings conclude.
Making these items a part of your company’s standard best practices will help instill them as part of your overall culture of security. As with any security education topic, it’s important to communicate to teams on a regular basis, and to train new team members to keep the standards high for security compliance across the organization.