The Internet and Social Media have rapidly become indispensable tools for networking, productivity, and information gathering and sharing, used by people of all ages, stages in life or work, and nations.

What is Social Media?

Having developed to fulfill the above roles, resulting online communities of avid users have developed into global multilingual, multicultural, and multidisciplinary social mediums (plural “media”) for:

Creativity (web pages, YouTube, Hulu, Flickr, Picasa, interactive sites, shareware);

Collaboration (intranets, Wikipedia, Second Life, Dropbox, YouSendIt, WhatsApp);

Commentary (wikis, intranets, blogs, Pinterest, RSS feeds, newsgroups, news and articles);

Commerce (listservs, Monster, eBay, Craigslist, Angie’s List, Amazon, Tremor Video, directories);

Connection (email, text, Twitter, Facebook, Myspace, dating sites, Instagram, LinkedIn); and

Cloud applications (software, infrastructure, platform, security, and other “as a service” offerings in some or all the above, eGovernance, and public, private, and hybrid clouds);

and many other distinct offerings and versions for such online community activities now known and/or yet to become well known.  In sum, however, these are all mediums or platforms and utilities through which people, being social, may responsibly interact in a way that “enriches” society.

Why should its use be governed?

Responsible and proper use of the Internet and Social Media “E.N.R.I.C.H.E.S.” our society; i.e., it:

Educates,

Negates falsehoods, and both enables and enhances

Relationships,

Introductions,

Commerce,

Help and assistance and self-help,

Expression, and

Social and national security.

However, as with most if not all things, there is a potential downside to online community participation.  Businesses with employees and contractors all need to ensure that their workers are not getting themselves and their employer (or principal in the case of agents), into legal problems or embarrassing situations as a result of their online activities.  As a result, employers should develop and enforce robust social media usage policies that more closely address the unique qualities of these online communities, as online communities (site terms of use, internal employee policies, and generalized rules), and not just the generic “social media”.  One way to do this is to divide the policy, after a good preamble, into 4 (“four”) parts: (i) “Please” rules; (ii) “Don’t” rules; (iii) “Always Appreciate” rules; and (iv) “Affirmations and Signatures”.  These categories need not appear in the order given, and they may be mixed and matched.

What might these rules cover?

“Please” Rules.

Depending upon the mix of internal (intranets) and external (news and articles commentary) social media considered, the employer should remind employees to be respectful and responsible in their online activities, to use disclaimers so as to prevent attribution to their employer of any personal comment or action when not specifically authorized, and to use good judgment and avoid underhanded actions.  The employer should also ask employees to remember their day jobs and consider how their actions outside the workplace “may” impact upon any or all of them, their employer, their employer’s business and reputation, and their employer’s customers.  Also, the employer might remind site users and employees to clearly identify their sources when possible and advisable, including with hyperlinks; as well as a reminder to comply with (and not use the social media platform in an effort to circumvent or violate), any legal compulsion under which they must act in a certain way, or any lawful document by which they are bound, such as any court order, consent order or settlement agreement, injunction, or restraining order.

“Don’t” Rules.

These rules will revolve around actions beyond simple decorum, to include a host of specific prohibitions against online IP infringement, a bar on criminality and all forms of stalking, or sexual or other harassment or bullying, and a further prohibition on using online interaction to breach applicable internal data retention policies, or protections for client confidentiality, privacy, and proprietary employer information.  Advisories to avoid personal attacks and offensive language, as well as defamation, would also be in order.  In the absence of a BYOD policy, the employer may also bar the use of work devices for personal reasons, including by barring access to certain sites or by implementing some monitoring regimes, with advance notice, of course.  This group of rules will also limit or bar the installation of third-party programmes, software or utilities, without advance approval from designated employer personnel; impose restrictions or bars on anonymizing postings and other participation; and issue a blanket prohibition on circumventing any site or employer security protocols or programs.

“Always Appreciate” Rules.

These will include notifications of how online behavior is tracked and include a consent to monitoring by their use, as well as an explanation of the use of cookies – both standard and persistent, in accordance with applicable laws and regulations.  Online community members and employees should also be reminded to always appreciate the permanency of their online activities and postings, and the interplay of different policies – such as anti-harassment and anti-sexual harassment, human rights, confidentiality, and applicable codes of conduct to include professional conduct through professional licensing bodies.  This group of rules should also encourage recognizing the value of accuracy in commentary, the desirability of respecting  alternate viewpoints in online dialogues, the advisability of not pretending to be an expert and inviting embarrassment when the true experts chime-in, and the benefits to peace of mind and avoiding open hostility in staying away from controversial topics.  The employer will also draw attention to the complaints escalation policy and any alternate dispute resolution mechanisms that it prefers or mandates for members of its workforce, any or all of the online communities that it hosts, or both of these.

Affirmations, Disclaimers, and Signatures.

Here, the user or member of that social medium – whether or not an employee – should be invited as a condition of use and membership, to clearly acknowledge the fact that any user breaching the usage policy, applicable law, or company rules and regulations is sanctionable up to and including cessation of privileges and termination of employment as applicable; as well as a notification that the employer or forum host reserves the right to proceed against them in a suit at law or in equity to recover any or all of its costs incurred to defend itself in any legal or regulatory matter, or the proceeds of any settlement it paid and legal fees, or its reputation, actually or allegedly emanating from that user or member’s conduct.  All users and members must also affirm that they are of a jurisdictional age to use the social medium in the first place, that they will maintain the confidentiality and control of their accounts and log-on credentials, and where appropriate, that they will not directly breach or permit the breach through third party use of their accounts or credentials, of specific laws of concern to that community.  These may include: obscenity and pornography restrictions; child pornography as a separate and distinct carve-out; terrorist activity; hate crimes; and money-laundering.  Also, in addition to the standard and weighty disclaimers of the site host and/or employer, and somewhere in the entire policy, the employer – if based in the United States or otherwise touched by United States’ law and the National Labor Relations Act (NLRA), should include a guarantee of protected “concerted activity”, such as employee rights to free discussion in social media of their terms and conditions of work, to organize or unionize and discuss such issues, and to bargain collectively through their own chosen representatives, all without fear or threat of termination or other punishment.  
Finally, somewhere in the policy, there should be discussion of what the employer or medium host would like to feel free to do with, to, or through user accounts in the case of a generally-defined or specifically-named (general always gives more leeway), emergency situation.

Summary.

Due to the wide use and ubiquity of social media and the “tri-screen convergence”[1] that it continues to foster, these rules must be carefully crafted to identify and address the specific audience for each rule or each subrule, whether: (i) employees using an employer-hosted or employer-sponsored site; (ii) employees on their own time or during work time, but using other sites; (iii) non-employees using the employer-hosted or employer-sponsored site.  Of course, separate policies may be developed, e.g.: (a) Social Media Policy; (b) Code of Conduct & Confidentiality Policy; (c) Online Community Usage Policy, as appropriate, and intertwined with cross-referencing.  A Data Retention Policy should also be disclosed, as it covers all users, along with a summary of the policy carve-outs or other procedures that might come into play when dealing with internal investigations, discipline and ongoing compliance monitoring, and requests for law enforcement assistance.  A single and all-encompassing policy may also be used with separate sub-headings and carve-outs for these, where inapplicable to a specific audience as here identified.  However, that is a matter of entity-specific choice, and diverse new offerings will challenge established thought leadership on the best or most appropriate way to devise and deliver “any” policy.[2]

In any case, social media policies should be comprehensive, but they need not be unduly convoluted.  Once you have the basics, you can build on it and go as deep as you want to for each sub-element.  Remember, it does not hurt to get advice from legal counsel as the field is fraught with traps, and many areas of law need to be considered and factored-in, to properly blend and balance-out the end-product.

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, eCommerce, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in New York, New Jersey, and Washington, D.C.  Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour and micro-organizational behaviour, and a Certificate in Field Security from the United Nations Department of Safety and Security (UNDSS), in New York, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law & Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Individuals can now use one device to watch a movie (formerly and exclusively done in the theatre or on a television), get news updates (formerly done through the radio, television, or print media), and get in touch with friends and family or businesses and business associates (formerly done through a fixed line at home, in the office, or in a telephone booth).  Now, the TV screen, the computer screen, and the laptop screen, can all be melded into a smartphone that is portable, always on (battery power and novel charging methods allowing), and can translate.

[2] Take for example, “Twitter Amplify”, which allows viewers to engage in the kind of “online” running commentary that would have driven fellow viewers to distraction if delivered verbally and over the dialogue in question as it happened.  In addition, through Twitter’s media partnerships, brand advertisers can also reach out to twitter users who have shown interest in their offerings through tweeting, liking, following, viewing their ads, or otherwise.  See e.g. Tanzina Vega.  Twitter Lets Brands Reach Viewers of Their TV Ads.  Posted on nytimes.com, May 23, 2013.  Online: >http://www.nytimes.com/2013/05/24/business/media/twitter-lets-brands-find-viewers-of-their-tv-ads.html?partner=rss&emc=rss&_r=1&goback=.gde_66325_member_243714222&<

Gone forever are the days when businesses could afford to adopt a laissez-faire attitude and let employees set their own pace to adopt and deploy Commercial off the Shelf (COTS) technologies and tools without solid central oversight.  In addition to anti-harassment, customer and vendor relations, travel and expense accounts, and as otherwise advisable for regulatory compliance, policies became necessary for computer hardware, then computer software, mobile phones, and social media usage.  Now, a policy is also needed for the use of personal devices for business purposes – or Bring Your Own Device (BYOD), where and when the employer so allows for same.

 

Whether a single policy will be written with separate and distinct sections for each of these sub-elements, or separate policies will be written for each one, is a matter of case-by-case decision for each employer.  However, many elements will be common to more than one of these policies, and ignoring or avoiding a BYOD policy can lead to “quite” a bust.[1] The essence of a BYOD policy – to be implemented with employee buy-in, input, and trust, can have (depending on the size, scope of operations, and headcount of the employer) up to 11 (“eleven”) core elements that must be addressed.  I will now introduce these below.

 

 

CORE ELEMENTS OF A BYOD POLICY:

 

  1. S-ystems and Products.

At the bare minimum, you must let all of your staff know which operating systems (Windows OS version(s), Mac OS, Linux kernel[2]), and which products (phones, tablets, laptops, desktops), will be supported as the designated personal work “device” under that BYOD policy.  It should not be a free-for-all with an anything goes and everything must be supported mentality.  That is a recipe for open revolt in the IT department due to the undue configuration and compatibility challenges that this would impose.

 

  2. P-rivacy.

This is tricky, but it must be addressed.  To the extent that work information is accessible through the device or held on the device, then passwords must be shared with the employer.  Any employee who has a problem with this should quietly back-out of the policy, or ensure that nothing “untoward” is found or left on the device; because that password access should include acceptance of random audits and monitoring to ensure: (i) security protocols are being followed; (ii) commingling of personal and business data is not the norm; and (iii) employees are not engaging in other activities, including illicit activities, that might subject the BYOD (work) device to legal impoundment, or the data thereon to compulsory disclosure.

 

  3. E-fficiency Enhancements.

Having likely configured the device to “play nice” with legacy systems and be interoperable across the employer’s IT space, there will be restrictions on what a device owner can and cannot load onto the device, post-configuration.  The BYOD policy should specify whether individuals can download updates on their own (some notifications can be malicious), or use an enterprise update and install function with regular logins and daily backups and syncs to a hard site.  This goes for both system upgrades as well as protective software (antivirus and antimalware).  Another question the policy might address, after taking an initial inventory of all programs and utilities on the device, is which ones can stay and which ones must go, as well as whether or not any favourite games or other utilities – sometimes hurriedly made with inadvertent vulnerabilities, and often needing far too much in the nature of system access and Admin. controls to “function properly” – can be added.

 

  4. C-are and Custody.

It should be heavily-stressed, that once a device has been proposed and accepted for inclusion under the policy, then the “owner” of the device is beholden to the data owner (being the employer, in the case of business proprietary information), and to the data subject (including the client or customer in the case of Personally Identifiable Information/PII, and Personal Health Information/PHI and the like), for the care and custody of both the device, and all data that is on the device or accessible by means of the device.  The device “must” remain in the “sole” care and custody of the employee, and can no longer be used by a child to play games during downtime on a long journey or as a reward for completing homework or household chores on time.

 

  5. I-nformation.

This section should remind employees that they will still need to adhere to any internal rules that required them to show a business need for any data before they could access it; as well as enforcing any Identity and Access Management (IAM) procedures, and continued segregation of duties for working data (create, access, update, store, share, send, shred); system data (upload, download, wipe); and logs (write, access, edit, collate, wipe).  Tie-ins with other policies on information (confidentiality including passwords and proper screensaver and automatic sleep mode usage, social media usage, and regarding audits and internal investigations) can also be made here, or in other sections of the BYOD policy.

 

  6. A-ccountability.

Appropriate logs should be maintained of all data accessed through and residing on the device, at all relevant times.  This will help track and assess the degree of loss, control the damage, tailor an appropriate response to the breach population, and otherwise comply with regulatory imperatives in the case of any data breach or corruption, or any device loss.  Of course, the “only” copy should never be held on just one portable device without it also being backed-up in several secure physical locations.

 

  7. L-egal.

While the employer will certainly lay-out those things for which the employee will be responsible, in terms of policy violation, it should also take the opportunity to list those things for which it will neither accept nor assume responsibility.  Whether or not ultimately successful should a claim or claims arise, these might include distracted driving or walking or flying or riding, repetitive stress syndrome, and unlawful or antisocial behaviour (bullying, cyberbullying, sexting, IP infringement, or online defamation).

Clear defense and indemnification provisions would not be out of order; along with: (i) some form of funding for the employer’s personal device use; (ii) stated and mutually understood to be consideration for accepting the policy as a binding agreement; and (iii) coupled with some employee contribution therefrom into a pool from which BYOD, privacy, and other advisable liability insurance coverages would be secured with the employer as beneficiary.

 

  8. I-mplementation.

Here, the employer would give additional rationales for the policy, its scope, its purpose, and its importance to the organization as a whole and its mission, in particular.  Along with a preamble at the start of the policy, this section would be key to achieving buy-in at all levels, and for demonstrating the entity’s commitment at the highest levels, to ensuring that the policy was both welcome and workable.  Any staggered implementation or other pertinent details on how the policy would be managed and modified from time to time or with changing laws – and with employee input, might also be disclosed.  A few words on enforcement, and the reporting and investigation of suspected policy violations should also be included here.

 

  9. Z-one of Control.

This section would further delineate a “zone of control” (ZOC) within which the employer reserves a right to act with or without notice to employees, and that the employees accept that as a bargained-fact.  This ZOC would include matters with regard to internal investigations (it is not always best to warn a target); for reasons of Law Enforcement & National Security (with or without stating specific provisions, but reminding all subscribers/adherents to a BYOD policy that laws of the employer’s originating jurisdiction – including export restrictions and generalized trade or directed sanctions – may also apply); and in the case of contingencies (for example, where employees in areas under actual, threatened, or suspected terror attack, or whose devices show impending travel further afield than authorized, may find that sensitive data has been remotely wiped from those devices, or that they have been remotely locked, as a security precaution).  Less draconian but still useful in ZOC, of course, are wide and public SMS alerts.

 

10. E-ncryption.

Encryption has recently been touted as the be all and end all of security solutions with regard to data in static situ, in mobile situ, and in transit – whether by email or as accessible through some Cloud platform.  While it is true that encryption has a part to play, what is the use of it when the device has a stored profile that contains one or several of the “current” encryption keys?  In addition, some jurisdictions may offer safe harbors that limit or even avoid breach disclosures when the lost or stolen data is sufficiently encrypted or anonymized to make it indecipherable; and moving the protection closer to or onto the data itself, may also serve to limit the ability of an intruder that penetrates the outer layer(s) of enterprise protection, to retrieve and retreat with, anything useful from within the firewall or data stream.  Some have called this a “Secure Breach” state.[3]

 

11. D-ecommissioning and Disposal.

Both disposal of the data, and the decommissioning or disposal of the device need to be better and closely managed.  Deletion does not always remove every trace of the data.  Indeed, sometimes it is very easy to recover in the right hands, and with the appropriate tools.  There must be an accepted understanding that devices will not be traded-in for upgrades or environmental credits without first being run through a wringer (in-house or outsourced) to ensure that they are truly clean.  As the BYOD phenomenon gains pace, stability, and defined structures, a burgeoning business in such “outsourced pre-cleans” will likely develop.  The results of lax cleans prior to disposal range from the embarrassing,[4] to the quite disastrous.[5]

 

 

SUMMARY:

BYOD adds significantly more attack surface to an entity’s vulnerability matrix, and offers myriad additional attack vectors.  The IT security space is constantly expanding ever further beyond the proverbial firewall, and evolving by running adaptation to meet multiple generations of threat at a time.

 

A BYOD policy that addresses and covers the above points in sufficient depth and detail can still be and remain relevant, and protect both the employer and the employer’s data while educating the workforce.  But, this schema is by no means presented or intended as the last word, because change is a pure constant.

 

 

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com


[1] See e.g. DoD IG Audit Report: DODIG-2013-060. Information Assurance, Security, and Privacy: Improvements Needed with Tracking and Configuring Army Commercial Mobile Devices. Published by United States Department of Defense, March 26, 2013, on dodig.mil. Online: >http://www.dodig.mil/pubs/report_summary.cfm?id=5082<; See also Ekundayo George.  What about hospital BYOD?  Published October 7, 2012, on ogalaws.wordpress.com.  Online: >https://ogalaws.wordpress.com/2012/10/07/med-tech-byod-is-really-catching-on/<

[2] Open source elements and compilations should always be used with caution, as licensing protocols will differ.

[3] SafeNet. A New Security Reality: The Secure Breach. Published in 2013, on safenet-inc.com. Online: >http://www2.safenet-inc.com/securethebreach/downloads/secure_the_breach_manifesto.pdf<

[4] Shaun Waterman – The Washington Times. Selling state secrets to North Korea? Japan sold hi-tech ship without wiping data. Published April 29, 2013, on washingtontimes.com. Online: >http://www.washingtontimes.com/news/2013/apr/29/japans-coast-guard-sold-hi-tech-ship-north-koreans/<

[5] Amar Toor. NASA Accidentally Sells Off Computers With Sensitive Data. Published December 8, 2010 on switched.com. Online: >http://www.switched.com/2010/12/08/nasa-accidentally-sells-off-computers-with-sensitive-data/<

The story recently broke of an employee (former employee) who had high-level system access as a “software programmer and system manager”.  The allegation is that he retaliated after being passed-over for promotions, which led to his resignation in December, 2011; with a final day of work in January, 2012.[1]  According to a Criminal Complaint in the incident as filed by the Federal Bureau of Investigation (FBI) in the District Court for the Eastern District of New York, the accused had worked there for several years, and was actually “one of two employees who were primarily responsible for ensuring that the software that drove the company’s manufacturing business—including its production planning, purchasing, and inventory control—operated efficiently”,[2] showing just how much free system access he really had.  The estimate puts a cost to the former employer of his alleged activities at some $90,000.00 in damages.  Admittedly, it could have been significantly more than this.  That number is not insignificant.  However, we may or may not ever come to know whether it stopped there due to self-imposed limitation(s), or inability to do anything more destructive or wide-ranging due to security impediments.

 

On to the questions:

1. When someone with that kind of access departs, is it now necessary to change every single password of every single employee?

2. Is that the same if you have high IT turnover?  Things can get pretty hectic in that case!

Bob[3] was an “ongoing insider”.  The current accused is therefore a “former insider” and not a “pure outsider”, if looking at the situation from a purist perspective.

3. Which of these three (ongoing insiders, former insiders, and pure outsiders) is now classified as the greater threat to employers and/or businesses in general?

 

There is a sometimes quite intense ongoing debate on whether outside threats or inside threats are greater; but both sides of the debate, and naysayers who disdain such reductionism per se or prefer to focus on purer forms of quantification and categorization, all agree that the state of Infosec/Cybersec is complex and accelerating at a breakneck pace.  Events will doubtless continue to present teachable moments.  I say that an inside the firewall/outside the firewall categorization is helpful in quantifying the potential harm from various threat vectors on available attack surfaces, and planning to address them on a constant and consistent basis.  However, I also think that all threats can be adequately considered when: (a) you focus on achieving buy-in to the need for security protocols and adherence thereto at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when it makes (for some) their accessing of preferred apps. or sites inconvenient to impossible, or slows people down a little.  I call this cubing the B.

The above-referenced and linked allegations remain allegations.  All parties are innocent until proven guilty in a court of law.



[2] Federal Bureau of Investigation (FBI).  Press Release.  Long Island Software Programmer Arrested for Hacking into Network of High-Voltage Power Manufacturer.  Published by the FBI on fbi.gov, May 2, 2013.  Online: >http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer<

[3] Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”.  Published January 17, 2013, on ogalaws.com.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<