Security has always had the responsibility to physically protect employees and executives.
In fact, as a practice, it did this long before there were computers. In areas where there are lots of people but little oversight there is a potential for physical threat. This was recently detailed in "The Lucifer Effect," a book by Stanford psychologist Philip Zimbardo. He argues, and provides substantial support for that argument, that in certain situations normal people will develop behavior patterns that are hostile and abusive, both verbally and physically, and that this behavior can escalate to extreme levels.
Currently there is little in the way of oversight on the Web, and we have already had substantial evidence of abuse show up there. The most recent involved blogger Kathy Sierra, which forced her to cancel a trip and basically go into hiding as a result of death threats. Sierra actually named a number of the people who had attacked her online.
Earlier this week, she and Chris Locke, one of the folks she named, appeared on CNN, which showcases how much visibility this one received. What's also fascinating, and should be disturbing for those in security, are the number of posts underneath this link that condone the behavior and suggest that anyone blogging should be willing to take the related risk.
Lets be clear: Sierra was threatened with both death and rape. The risk goes beyond an employee who was threatened. The people who attacked Sierra work for someone, and we know that a lot of employees are on the Web at work. We can assume at least one of those that attacked her was likely at work when he, or she, made the attack. The ability to trace back blog browsers to an IP address and physical location is increasing. Were such activity disclosed, it could do the company a lot of damage. And the damage wouldn't be limited to just a PR problem either.
This instance clearly crosses the line into sexual harassment and would help to support a case for anyone wanting to file a hostile workplace complaint or charge someone with a hate crime. The implications for a corporation would be dire, because it could be used to demonstrate a pattern of behavior and/or showcase tolerance for this activity. Properly argued, both of those could result in relatively large settlements. Companies would have to be insane to let something like this go to court.
Finally, if a person says something like this in a blog, then the greater the likelihood that they may behave this way at work. In short, it turns them into an unacceptable physical security risk.
Worse, this kind aggression has been moving beyond people to organizations for some time. A recent case in point is Opes Prime Stockbroking, a firm that switched from Red Hat to Oracle Linux. While they haven't yet reported death threats, they apparently were overwhelmed with email and calls from folks that called them names.
As we move closer to a major election period, there will likely be increasing stories of folks attacking candidates they don't like, and a good number of these attackers will likely be at work when they do it. You can imagine how upset marketing or the CEO's office would be if a candidate were attacked or libeled by an employee while on company property. I doubt the Secret Service will have much of a sense of humor if the candidate is running for president and the threat is physical.
Such trends suggest that policies need to be updated and existing preventative measures revisited to make sure you can address both an attack against, and one originating from, your company. Consider these possible fixes:
- Strengthen and reiterate any policy that speaks to an employee attacking anyone else on company time. Typical zero-tolerance policies with regard to hostile workplace, harassment, and physical threat are sometimes unclear with regard to a victim outside the company. These should be reviewed and then the revisions communicated to the employees.
- Make equally clear to employees that this kind of activity, when done on a company asset, can be traced back to the employee. Differently stated, anonymity will crumble and penalties for non-compliance with the company policies will be swift and certain.
- Review and fortify all practices with regard to how to deal with an attack on the company, its executives, and employees. Employees should know where to report physical threats.
- Consider that, with the increasing incidence of identity theft, there's a possibility that a cyber assailant might represent himself as a company employee. This could be by simply using a name (which seems to happen to me a lot), or by stealing an entire identity which has broader implications. But with this flourishing breed of virtual impersonation, remember that folks who appear to have done something wrong may not have in fact done it, and every named executive should be the beneficiary of some sort of strong identity theft protection program.
- Finally, make sure security personnel understand the zero-tolerance policies also apply to them. I mention this because of problems with my own security staff over the years.