Corporate blogging policies, can you regulate stupidity?
Last week I wrote about an article by Bill Brenner over at SearchSecurity. It mentioned how Don Ulsch thought that personal blogging from work or mobile platforms could be "very bad". Don was nice enough to take the time and write me over the weekend to further clarify what he meant. Don was not advocating that we ban personal blogging from work or mobile platforms; he sees that blogging has some redeeming characteristics. What Don was trying to get across is that enterprises have to put clear blogging guidelines and policies in place. He says such policies are necessary to keep employees from falling victim to social engineering scams that have them unwittingly leak confidential information. Also, if an employee does leak information or do something else along those lines, the company's position is already clearly spelled out. Don also acknowledges that the case cited in the Brenner article about DuPont really did have nothing to do with blogging, but with an employee with access and a mobile device. Don did mention to me other cases, though, where blogging has gotten an employee in trouble.
Organizations across the board are confronting the issue of corporate blogging policies today. Over at the Security Catalyst Forum (the Catalyst Forum and community is a great resource for lots of security advice) there is a great thread on this topic with some real world examples and advice on the subject. Here at StillSecure, we have had the conversation ourselves about how to limit liability and potential harm to the company, while still giving everyone a right to express themselves. We have come up with some loose guidelines that we follow. However, I am a big believer in common sense. No matter what is written in a policy, employees need to exercise common sense when posting in public. Blogging is just the latest incarnation. Before that it was bulletin and message boards, and before that something else. There is no substitute for common sense in any of these mediums. If something you are going to say would disclose information about your company which should not be disclosed, or would potentially harm your employer, you would think a good employee would exercise caution. Nevertheless, I guess it is a good idea to have some policy in place to guide people.
That being said, I do not believe that Don's sinister view of cybergangs monitoring and running blogs for evil purposes describes anything more than a very, very small percentage of blogging. Also, with so much to say on the topic, Don really should blog. It may prove to be a great exercise in education, and perhaps we can all learn.
StillSecure, After All These Years: Don Ulsch, keep the FUD to yourself