Is your staff directory accessible online? Maybe it shouldn’t be, according to a cybersecurity expert speaking over the weekend at the ASAE Annual Meeting. The issue comes down to security—and the fact that hackers may be savvy enough to connect the dots.
Sometimes, the smallest disclosure of information can become a cybersecurity risk in the wrong hands.
And not just because your organization’s technology—whether software, hardware, or external infrastructure—has built-in security holes. Naturally, it will, and it may not be possible to avoid those problems.
But the real issue may be that your association is allowing an outsider to connect the dots, and those connections could be used in a cyberattack, a case of identity theft, or something that could be best described as the “big kill.”
ITPG’s David Kim, a cybersecurity expert who admits to being a victim of a cyberattack himself nearly a decade ago, put this issue at the center of his Sunday session at the 2017 ASAE Annual Meeting & Exposition in Toronto. He says that attacks generally happen not because of lax security standards (though certainly that’s one cause) but because hackers are adept at taking advantage of publicly available personal information and using it to dive deeper into someone’s personal data.
Kim showed examples of what this looks like in action, noting that he could garner lots of personal data on someone simply with a business card. He used an ad by Cisco to make the point.
The ad points out how a hacker can dig into publicly accessible data and use it as a conduit for a phishing attack. “They profile the human first, then they profile the spouse, then they profile the children in your family,” Kim said.
Exposing the FBI Director
Real-world examples can get a bit personal—the ones Kim used probably aren’t right for a blog post—but at least one example of this kind of data collection hit the news cycle earlier this year.
Back in March, reporter Ashley Feinberg (who was writing for Gizmodo but has since moved to Wired) jumped on a spare comment that former FBI Director James Comey made at this year’s Intelligence and National Security Alliance leadership dinner. Comey said that he had an Instagram account “with nine followers,” as well as a Twitter account. Both were kept under wraps, but Feinberg was able to find Comey’s Twitter account, which used the pseudonym “Reinhold Niebuhr,” the name of a Christian theologian that the then-FBI leader studied in college.
She figured this all out from a tiny piece of information: Kenyon College tagged Comey’s son, Brien, in an Instagram photo. (He played for the school’s golf team, of course.) Using a dummy Instagram account, she found a small smidgen of metadata, which apparently pinpointed Comey’s Instagram account. Soon, she was able to use this nugget of information to pinpoint a Twitter account that, beyond following various news sources, followed a handful of people Comey is known to be friends with.
It was impressive detective work—and it was probably a good thing that the detective was a journalist looking to solve a mystery, rather than a hacker looking to steal some information.
Hours after Feinberg reported her discovery, a tweet went up on the account that apparently confirmed her report and suggested she apply for the FBI. (Comey himself did not make a public statement on the matter, though the account was locked down.)
It was a good yarn and an interesting story, but you can see where this kind of approach could be misused—especially on nonpublic figures. If someone wants to use social media data in this way, they can. They just need to be observant.
About That Staff Directory …
Now where do associations come into play here? According to Kim, the problem is the public association staff directory—one of the most direct ways that an employee’s data is shared with the broader world.
Here’s the gist of the problem: a small data point can become the starting point for a phishing attack that harvests an employee’s data from Facebook, LinkedIn, and numerous other social networks.
“Your association website is going to tell me a lot of information about the employee—their title, what they look like, their mugshot, right?” he explained. “Then you go to the Facebook website, pull all their personal data—if you can.”
This, he says, can prove a gold mine for potential password theft—with dates of birth, anniversaries, and other data points often used as password fodder.
It may sound a bit extreme or out of left field, but Kim’s session noted that security is often a matter of taking advantage of edge cases. The session also highlighted password risks that arise from publicly accessible information: if your association is focused on food, for instance, avoid food-related passwords.
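One defensive way to act on this point is to screen new passwords against exactly the public facts Kim describes: the employee’s name, birth year, employer, and words tied to the organization’s sector. The following is an added example written for this post, not code from Kim’s session, ITPG, or ASAE; the `Profile` fields, the sample profile, and the leet-speak substitution table are assumptions chosen for illustration. It follows the common guidance of rejecting passwords that contain context-specific words, and it checks both the plain and the leet-normalized form so that `Ch3f1985` is caught as well as `chef1985`.

```python
"""Context-aware password screening.

Added example: rejects candidate passwords that contain tokens an outsider
could derive from a public staff directory or social-media profile.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Publicly discoverable facts about a user (hypothetical field set)."""
    first_name: str
    last_name: str
    birth_year: int
    employer: str
    # Words tied to the organisation's sector, e.g. food words for a
    # food-focused association (the post's own example).
    sector_words: tuple = ()


# Common character substitutions people use to "disguise" dictionary words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_TOKEN_LEN = 3  # ignore fragments too short to be meaningful


def derived_tokens(profile: Profile) -> set:
    """Build the set of lowercase tokens an attacker could guess from the profile.

    Each source string contributes its individual words and its collapsed
    form (spaces and punctuation removed), so 'Sample Food Association'
    yields 'sample', 'food', 'association' and 'samplefoodassociation'.
    """
    sources = [profile.first_name, profile.last_name, profile.employer,
               str(profile.birth_year), *profile.sector_words]
    tokens = set()
    for item in sources:
        item = item.lower()
        tokens.add(re.sub(r"[^a-z0-9]", "", item))
        tokens.update(re.findall(r"[a-z0-9]+", item))
    return {t for t in tokens if len(t) >= MIN_TOKEN_LEN}


def screen_password(password: str, profile: Profile, min_length: int = 12) -> list:
    """Return a list of rejection reasons; an empty list means the password passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    # Check the raw lowercase form (catches years such as 1985) and the
    # leet-normalized form (catches 'ch3f' standing in for 'chef').
    lowered = password.lower()
    candidates = {lowered, lowered.translate(LEET)}
    for token in sorted(derived_tokens(profile)):
        if any(token in form for form in candidates):
            reasons.append(f"contains profile-derived token '{token}'")
    return reasons


# Constructed sample profile for demonstration only.
SAMPLE_PROFILE = Profile(
    first_name="Dana",
    last_name="Example",
    birth_year=1985,
    employer="Sample Food Association",
    sector_words=("food", "recipe", "chef"),
)

if __name__ == "__main__":
    for pw in ("Ch3f1985!!!!", "Dana!", "correct-horse-battery-staple"):
        verdict = screen_password(pw, SAMPLE_PROFILE)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The token set is built per user, so the same policy automatically adapts as the directory entry or the organization’s sector changes; a real deployment would also merge in a general breached-password list, which this example leaves out.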
Now, I will admit that I, as a journalist, have a stake in this debate: Having access to a staff directory makes my job easier, if, for example, I’m confirming a name or looking to do an interview. But some organizations might find that the solution here is to put the data in the hands of a comms person—and for the public, to put the data behind a membership wall.
Whatever the case, Kim’s tough words—which lean on the conservative end, suggesting that people shouldn’t even publicize their birthday—offer an important reminder to even the rank-and-file member: Cybersecurity is everyone’s job, in ways big and small.
There’s a debate to be had here around these directories. Do associations give away too much info about their employees in the name of serving members and the public?
Some folks might not agree with Kim on this, seeing the business case for making this info publicly accessible. Others may see a need for a more aggressive approach.
But either way, it’s a debate worthy of having within your own organization.