This case study looks at the possible implications of posting a lot of personal information online. Themes covered include:
- risks of social media
- aggregation of information online and how it can be used.
Scenario – what happened
Craig is a TOP SECRET clearance holder working for government who travels extensively for work.
Craig is an enthusiastic user of the social media tools Twitter, Instagram, LinkedIn and Facebook.
He received a briefing when he first started his job that stressed the importance of not putting protectively marked content online, guidelines that Craig has followed to the letter.
Craig’s Facebook profile is set up for friends only, but he has a few profile pictures and some basic biographical information (date of birth, occupation, his employer and hobbies) available to the public.
He has two Twitter accounts. One is an official account used to represent his professional self. The other is a private account Craig uses to tweet his location to friends and family as he travels to conferences and negotiations overseas.
Both accounts are linked to Craig’s private Gmail account. Craig has never posted a protectively marked photograph on Instagram but he often uploads photos of the conference attendees, colleagues and foreign delegates he meets.
None of Craig’s online information is protectively marked or inherently harmful when seen in isolation. However, when Craig’s information is aggregated, it could be used by anyone online to figure out his employer, the nature of his work, his professional and personal contacts, his hobbies and the likelihood of him having access to protectively marked information.
Lessons learned – what should have happened
Craig’s agency made a couple of important oversights in this scenario.
The agency should have:
- ensured Craig was aware of his individual responsibility to maintain security awareness
As part of their security education requirements, agencies should ensure that employees accept their individual responsibilities to maintain security alertness and protect official or government information. This responsibility extends into their personal and daily life.
The agency should have:
- discouraged Craig from excessively posting personal information online
Posting excessive and specific personal information online should be avoided by government employees, as it poses a security risk:
- it identifies who the employee is and who they work for
- it provides a resource for spear phishing*
- it provides an opportunity for recruitment as an intelligence source by a foreign intelligence adversary.
*The practice of sending targeted emails that are tailored to the recipient's likes, hobbies and/or background in an effort to lure the recipient into opening an attachment or clicking a hyperlink which installs and executes malware.
Although non-protectively marked information posted online can appear benign when seen in isolation, it has the potential, when aggregated with other information, to have a considerable impact on security.
Employees working for government, especially those in possession of a national security clearance, should take care to post as little personal information about themselves as possible.
They should avoid making public:
- their employer
- their residential contact information
- their hobbies, likes and interests
- their biographical information such as full date of birth
- compromising photos.
Agencies must also ensure employees are made aware that they must not post protectively marked information on the internet.
See also the New Zealand Information Security Manual.