Corporate espionage via social networks

We’ve all heard about HBGary Federal’s COO Aaron Barr’s claims that he leveraged the information gathered on various social networks to discover the identities of Anonymous’ leaders, and about the repercussions this claim had upon the company.

In the end, we still don’t know whether Barr’s work in this case has allowed him to come to accurate conclusions regarding those identities, but what we should know is that he isn’t the only one who thought about using social networks to dig up information that might be worth a lot to someone – and I don’t mean advertisers or stalkers here.

At this years’ edition of the RSA Conference in San Francisco, Abhilash Sonwane – VP of Product Management and Technology for Cyberoam – gave an interesting talk about the possibility of using social media to map out the organizational DNA of a company.

He demonstrated that by using information gathered on LinkedIn, Facebook, Twitter and other social networks, they were able to discover who the decision makers are, how activities are coordinated and how knowledge is transferred, what objectives and incentives do the employees have and what the overall organization model is in a number of randomly selected small and medium sized companies from around the world.

According to their research, 57 percent of Fortune 500 companies engage in some form of social media activity – bulletin boards, social networking, online videos, blogging, wikis, etc. And is good they do, since these activities give them the ability to communicate individually with each member of the audience and helps them gather direct feedback that allows them to fine tune their approach and efforts.

But there’s also a downside to all of this, and that concerns the information that is prematurely shared – and especially that which wasn’t intended to be shared in the first place. “Unlike the traditional media where there are very defined and controlled inlets of information, social media is free,” explained Sonwane. “Organizations cannot control who communicates what about them and to what audience. The whole eco system of the organization is free to communicate. Employees, partners, customers, ex-employees – they all have the same resources and power available as the official spokesperson of the company.”

Knowingly or unknowingly, they occasionally misuse that power, and share what shouldn’t be shared with the public – making corporate espionage a feat that doesn’t require a lot of expertise.

To prove their point, Cyberoam researchers spent almost six months monitoring 20 companies with an active social media presence with the intention of verifying the extent to which employees and organizations can leak information and of mapping their organizational DNA.

This was their general modus operandi:

“When we started out, Facebook did not have the same privacy settings it has today, and that made things easier for us,” Sonwane shared. “But I guess that still does not make that much of a difference, since one can work around the privacy settings by using social engineering.”

The companies in question were from all over the world: eight from the USA, four from India, two from Germany, seven from the UK and couple from Singapore and Australia. They were also a mixture of PR agencies, pharmaceutical companies, banking and financial institutions, consultancies, media and entertainment companies, manufacturers and IT/tech firms.

So, what did they find out?

One of the targets was a Singapore-based multimedia company selected because of an impressive list of clients. They monitored the private Twitter accounts of the sales director, department head and various designers, and found out that employees were not getting a salary, that there were cash flow problems in the organization, that salary checks bounced and that employees were looking for new jobs.

They also discovered that the department head and the sales director have resigned, that the owner is likely to wind up the business and that the company was actually a subsidiary of another company (meaning that the decision rights resided with managers of the parent company – information that was not available on the company’s website or any other official literature).

The availability of all this information puts both the company and its employees at risk. These disclosures decreased its chances to bounce back since vendors and customers privy to that information can stop doing business with it and new employees might consider not joining the organization after all.

And current employees searching for another employment might have difficulties negotiating a good salary since prospective employers could be aware of the fact that the company is going down the drain and that its employees might be getting desperate for a new job.

While looking for information on another company, researchers discovered – through publicly available information about the employees – that the financial director was a divorcee. So, they created a dummy female profile on Facebook, befriended him and cultivated an online relationship that ended in him sharing confidential information about the company with “her”.

Similar tactics were used with all targets, and the end result was this:

• All 20 organizations monitored gave disclosure of at least one negative sentiment
• 17 organizations talked about issues internal to the organization that would not have been available otherwise
• 14 organizations disclosed the whole company profile of their organizations with information about employee demographics, business demographics and customers
• 14 disclosed information about the personal profile of the top management
• 14 disclosed information about their customers at one time or the other
• Eight organizations disclosed information confidential to their companies, financial details, prior announcement of senior management moving out, etc.

In short, the full organizational DNA of almost half of the companies was decoded, and that’s the disappointing and worrying conclusion of this experiment.

Sonwane ended his presentation with stressing how important it was for each company to be aware of this danger, and take proactive or corrective measures to minimize the risks associated with the use of social media.

“Companies must prepare and educate their employees not only about the benefits of using social computing, but also about the consequences of its misuse. This education process should involve every department in the company including the management team, human resources, legal, sales and marketing,” he concluded.