Keeping insider information off the web
In CI we want information. Sometimes that information is not available. This can be for any number of reasons, including the fact that, from the company’s point of view, it is insider information which should be protected, and shouldn’t be available.
Sadly, many people are overly helpful and have more ego than common sense, and, in some cases, information (which they legitimately know) becomes like money burning a hole in their pocket. Even more sadly, many of these people find their way onto technical forums on the internet. Internet forums are a mixed bag. They can be extremely helpful in terms of getting information on how to do things, soliciting the opinions of others, and in getting people to share opinions and expertise. The opinions expressed need to be taken with a grain of salt, of course, as the mere presence of an opinion, or of a position forcefully stated, does not necessarily indicate real expertise.
None the less, most forums end up having a number of participants who work for companies involved in the forum’s area of interest. These people are there because the forum’s subject interests them, and because they wish to share their knowledge. This is, in fact wonderful, and can be extremely helpful for the other participants.
From a corporate point of view, however, it can be a problem. On occasion the participants become too involved in the discussions, and forget what information is confidential. They may then identify themselves publicly as working for a specific company, or, in some cases, may selectively do this in private emails.
In either case, it will often become obvious to the careful observer that some participant has expertise, and for which company he uses this expertise. Once that is established, it is not uncommon to see these participants being drawn out by questions until they are revealing — often to the public at large, facts which can only be considered protected insider information. How do you protect yourself from this? For a start, make sure your company has a written policy dealing with information given out during outside use of the internet. Second, have someone monitor the appropriate forums. Be aware that it may be best to have an outside company do this, as it can take, in our experience, somewhere between a half hour to an hour a day to monitor a handful of forums of interest. While this may or may not seem like a lot, most companies do not have the resources to allow a staff person spend an hour a day surfing the net. After a fast start, the monitoring tends to taper off. And what do you do when you discover someone who has stepped outside the bounds? You have their manager explain to them that this behavior is unacceptable because it places the company at risk, and must be stopped. Note, by the bye, that monitoring these forums allows you to do more than merely identifying information leaks. It also allows you to identify valid concerns on the part of your customer base: Concerns of which you might otherwise be unaware.
