This obviously raises questions about how to reduce the risks without unduly interfering with legitimate business communications. Technical controls offer limited assistance e.g. blocking IM will block legitimate IM activities, and determined users can sometimes find ways around such blocks anyway. Automatically appended email disclaimers have dubious legal validity, particularly those that are written or modified by amateurs. Policies and procedures can help but only if employees are made aware of, accept and comply with them, which requires awareness activities (such as this month's NoticeBored module) and compliance activities (such as management oversight - basically taking an interest in what staff are doing at their desks).
Risk avoidance is arguably the most effective control, in other words discouraging or preventing unnecessary office communications outside the organization. However this is likely to have an adverse impact on legitimate business activities, and hence costs.
Since the controls are evidently not perfect, wise organizations make contingency arrangements in preparation for situations when the controls fail and incidents occur. Examples:
- Incident notification and specific response procedures covering these kinds of incident;
- Response procedures include 'damage limitation' using legal actions (e.g. those disclaimers and Non Disclosure Agreeand Public Relations (e.g. stock press releases ready to issue);
- "Learning the lessons" which means using incidents (particularly those suffered by the organization but also its peers and others in the public domain) as case studies and training materials;
- Disciplinary procedures taking account of incidents of this nature, typically using examples.
[Scary postscript: the Pentagon thinks there is value in 'instant comms', if only soldiers can be persuaded not to disclose little things such as battle plans ...] [Or is this just a crude attempt by the US to encourage foreign militia to permit their soldier to use Twitter ?]