Revealing employer’s clients is going too far

In previous blogs, ‘how much information is too much’ was discussed in detail, along with how callers can compromise the supply chain through an inappropriate discussion that crosses lines. This article is a follow-up with more detailed examples for clarity, concentrating on how much information to include on professional profiles.

There will be a tendency to use details of an employer’s clients to bolster your profile, but the message is clear: if you are willing to use your employer’s clients now to find a new job, you will most likely use your new employer’s clients in the future. This problem is significant in IT and is undoubtedly an issue in IT security. Here are some non-IT examples for illustration:

  • Taxi Driver – if someone was a taxi driver for five years and they were applying for a new job, an employer would expect them to state the dates they were a taxi driver, and either the name of the taxi firm or that they were a self-employed taxi driver. Nobody would expect a taxi driver to list clients or journeys. Doing so would be neither practical nor appropriate. A taxi driver is unlikely to do this, but it does illustrate the point.
  • Recruitment Agent – a similar example: an employer would not expect a recruiter to provide details of the companies for which they recruit or the people they have helped find work. Start and end dates are sufficient, along with details of the job, such as specific domains of expertise. Willingness to disclose a current employer’s clients illustrates the likelihood of revealing a future employer’s clients.
  • A burglar alarm installer would not list where they installed specific types of alarm systems.
  • Solicitors would not list their clients but would name the firm as their employer.

Contracts of employment include confidentiality clauses, and separate non-disclosure agreements are often required.

Observing confidentiality in public

The saying ‘Loose lips sink ships’ was displayed prominently on posters during the Second World War to advise military personnel and others to avoid chatter involving information that could be used by the enemy. A key question is to what extent this applies now that mobile technology is everywhere. Undertaking 100% of professional work inside an office is a thing of the past; people work from any location, including trains, aeroplanes and, increasingly, coffee shops. External observers can take advantage of the information on laptop screens, in handwritten notes and in discussions between people.

Earlier this year in London, while sitting in a coffee shop, I was close enough to overhear a conversation about a security incident. Sound travels, and without any real effort to listen or intention to earwig, it was apparent what these men were talking about: they were concerned that a data breach may have occurred. Initially, the information could have been about any company, anywhere, or any system. It could have been about their employer or one of their employer’s clients’ systems. The details here have been left intentionally vague, but the conversation didn’t end there:

  • Clients won’t be happy – such a reference indicated that a data breach could have occurred in one of their internal systems involving their customer data, rather than in a system belonging to one of their clients.
  • Branded stationery – overhearing a conversation was one thing, but getting up for a coffee refill made corporate stationery visible without any effort or intention to spy; everything was in my face as I walked past them.
  • Laptop screensaver – companies often give away corporate stationery to clients for marketing and brand awareness, so it was not a given that these individuals worked for the company whose branded pens were visible. Returning to my seat and noticing a corporate screensaver on one of the laptops advertising the business was additional confirmation.
  • Identified vulnerability – the discussion overheard was sufficient for me to understand the nature of the issue and how someone would exploit it.

How to use this information requires little imagination.

Several years ago, I overheard two people discussing their wills over dinner in a restaurant and how they needed to get them replaced due to changes in circumstances. Shortly after, when the neighbouring couple was ready to leave, the man approached them and said, ‘Sorry, I couldn’t help overhearing you mention that you needed new wills. Here is my business card. Give me a call’. This example is innocuous; however, depending on the context, the consequences could be quite severe, such as revealing information that could influence the stock market.

Thoughts include:

  • Avoid discussing sensitive issues in public.
  • Avoid using names of companies in the discussion. Alternatives such as ‘we’ and ‘the client’ will often be more than sufficient.
  • Use anonymous tagging of corporate laptops so that nothing on the outside identifies ownership if a laptop is lost or stolen. The value of the data on a laptop depends on who owns it, and an attacker is less likely to expend effort if ownership is unknown.
  • Remove visible branding from the operating system, so that if a laptop is lost or stolen and someone turns it on, they cannot identify the owner. This is more challenging than it sounds if the network domain name and the company name are the same.
  • Using BitLocker Device Encryption (Windows Vista through to Windows 10) with a boot-up password will prevent the operating system from loading until the correct password is entered, so an unauthorised user won’t be able to identify corporate ownership.

Being security conscious in public places is essential. Almost every time I have coffee somewhere, I hear something which someone could use for malicious purposes.

Copycat Services

Websites are still offering copycat services in place of official services provided by government departments and local authorities. The difference is that the copycat service is more expensive, not always legal, and seldom offers any added value above and beyond the official services available. Authorities have made a significant effort over several years to address this issue, but new services and sites continue to emerge.

These types of copycat services are different from services delivered through trademark infringement and passing off, as the genuine services are still needed to provide what the customer requires. For example, with a passport application, the copycat service would not make and deliver the physical passport but would act as an expensive intermediary. Instead of the customer paying £50 and applying directly, the copycat service could charge £100 and process the application on behalf of the customer, making a healthy profit from every transaction.

It is also necessary to consider the quantity of personal information required to make such applications; that data is then held by the copycat service provider, which has the potential to create a whole world of pain.

Copycat services should not be confused with added-value services such as the Post Office Check and Send service, where application forms are reviewed by Post Office staff before being sent to HM Passport Office for processing. The Post Office advertises this service as an added extra, and applicants can make an informed choice. Visa agents work in this way too, offering similar added-value services such as making sure all the paperwork is in order, or visiting the consulate to process paperwork on behalf of customers. With copycat services, the service providers manipulate customers into believing they are using a genuine service.

UK Government services have domain names which end with ‘.gov.uk’ and do not use paid advertising with links to the sites. Visit https://www.gov.uk for details of all available services. The following are samples of direct links.
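The ‘.gov.uk’ rule above is easy to state but easy to get wrong when checking a link by eye, because a look-alike address can put ‘gov.uk’ somewhere other than the end of the hostname. The following Python is an added example, not code from this blog or from GOV.UK; it parses a URL the way a browser does and accepts only hostnames that are gov.uk or end in ‘.gov.uk’. The sample links other than https://www.gov.uk are constructed for illustration, and the function and constant names are the example’s own.

```python
from urllib.parse import urlsplit

# Suffix the blog gives for official UK Government services.
OFFICIAL_SUFFIX = ".gov.uk"


def official_uk_gov_host(url: str) -> bool:
    """Return True only if the URL's hostname is gov.uk or ends with .gov.uk.

    Tolerates scheme-less input, upper case, a trailing dot and a port, and
    rejects look-alikes where 'gov.uk' is not the real registrable suffix:
      gov.uk.example.com   (gov.uk used as a subdomain label)
      example-gov.uk       (hyphen, not a dot, before gov.uk)
      www.gov.uk@evil.example.com  ('www.gov.uk' is userinfo, the host is evil.example.com)
    A homoglyph such as a Cyrillic 'о' in 'gov' also fails, because the
    suffix comparison is on the exact ASCII label.
    """
    candidate = url.strip()
    if "://" not in candidate:
        # Treat a bare hostname as an https URL so urlsplit sees a netloc.
        candidate = "https://" + candidate
    # .hostname is lower-cased and has userinfo and any port removed.
    host = urlsplit(candidate).hostname
    if not host:
        return False
    host = host.rstrip(".")  # a fully-qualified 'www.gov.uk.' is still www.gov.uk
    return host == OFFICIAL_SUFFIX.lstrip(".") or host.endswith(OFFICIAL_SUFFIX)


# Constructed sample links: the first is the real GOV.UK address from the
# blog; the rest are illustrative look-alikes, not real sites.
SAMPLE_LINKS = [
    "https://www.gov.uk",
    "HTTPS://WWW.GOV.UK./apply-renew-passport",
    "https://gov.uk.example.com/passport",
    "https://example-gov.uk/passport",
    "https://www.gov.uk@evil.example.com/passport",
    "https://www.govuk-passports.example.com/",
]


def classify_links(links):
    """Map each link to whether it passes the .gov.uk hostname check."""
    return {link: official_uk_gov_host(link) for link in links}


if __name__ == "__main__":
    for link, ok in classify_links(SAMPLE_LINKS).items():
        print(("official  " if ok else "NOT gov.uk") + "  " + link)
```

The check only tells you the hostname is under gov.uk; it says nothing about whether a page reached through a paid advert or an e-mail link is the one you intended, which is why the blog recommends starting from https://www.gov.uk rather than from a search result.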