by Thom Hiatt
(No, this is not another article about telling your kids not to chat online with strangers. It’s about you, the adults. And what YOU are putting online.)
We manage dozens of web sites. The level of responsibility varies, and in many cases it’s simply a matter of updating information on the site.
Yesterday a client wrote to us requesting to add a simple button / link that would go from one page on her web site to an external resource. The external resource is a “volunteer scheduler” of sorts and allows people to sign up and fill various roles needed to execute an event. In her case, it is a weekly event.
So we installed the button as requested, and then tested to make sure everything worked properly. During our test, we quickly realized that the external scheduling system was displaying volunteers’ first and last names, and a log-in was not necessary. I immediately contacted the client and suggested she use an alternative, more secure method to assist volunteer sign ups. I wrote:
Stacy, The button has been installed, however, we might want to do things differently. I can see that Joelle Marlenti is volunteering on October 8th at 9 a.m. Because of her role, and because this is a family event, I assume she is a minor and that her family will take her to the event, and stay with her while there. I assume her whole house will be empty at that time. She has a unique last name, and I know her approximate location because of the location of your organization. After looking around online for only three minutes, I see that her parents are Tim and Sue. They live at 1967 Caminito Benne. Their home phone is (555) 436-3255. Tim works at the Springfield News, and Sue works at the Natural Selection Cafe. I can see their house on Google Maps, and I can see on Zillow that an identical house is for sale across the street. The house for sale has photos throughout the house, which means I can assume the overall floorplan of the Marlenti’s home. I know where the master bedroom is, the entertainment center, the home office, etc. Easy in, easy grab, easy out.
Needless to say, she responded quickly and we removed the button. She is currently looking into other options that are more secure. Granted, if the volunteers used only first names, nicknames, etc., the situation would be a lot better, but not perfect.
I am writing and sharing this article for your benefit. First, you should take note of what you and your kids are putting online. Second, you should keep an eye out for what others are putting online. And third, if you run an organization, you should be sensitive to what information you are distributing.
What you are putting online:
Don’t write on your Facebook page, “My wife and I are going to the movies tonight! Can’t wait! So excited.” Instead, wait a few days and write, “We saw Raiders Return last week and really enjoyed it. Highly recommended!”
What others are putting online:
Be aware of how your company or organization lists you in staff directories, etc. Also, make sure that your event and meeting notes are not publicly accessible. Even a PDF file is searchable and often contains detailed information about who you are, and where you will be, at what time. If these docs must be online, be sure they are in a password-protected area. PDFs should be locked with their own passwords as well. Change the web site passwords once a month or quarterly.
This situation is particularly common with churches, schools, and non-profit organizations. Not only do they conduct numerous events with lots of volunteers, but they also live life with a certain innocence. “We’re good people. We are surrounded by good people. We do good work for the community. Nobody would harm us.” Sure, I am painting with a broad brush, but believe me, this is truly what I see most of the time.
Simple Steps for Safety
- Google yourself. You’ve heard it before, but you should do it, and do it often. If you go by Mike, also look at Michael. To make more specific searches, wrap phrases with quotes. To search for Mike Smith in a PDF, google: "Mike Smith" filetype:PDF.
- Take a moment and sign up for a Google Alert. It’s free. You simply tell Google, “Whenever you find ABC anywhere online, send an email to me at this email address.” Of course, once you’ve been alerted, it’s sort of too late. However, at the very least, you can contact the source and request the information be changed or removed. If they comply, it should be just a matter of weeks before it’s mostly gone.
- Where information must be online, try to make sure it’s minimal. If there’s only one Mike on the Committee, then no need to use his last name.
- Try not to publicize your upcoming / current schedule on Facebook and other social media. Instead, use social media to reflect on past events.
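For organizations that publish a sign-up list, the "only one Mike on the Committee" rule above can be applied automatically before anything goes on a public page. This is an added example, not code from the original article: `public_names`, `surname_leaks` and the sample roster are hypothetical and constructed, and giving shared first names a last initial (then a counter) is an assumption that goes slightly beyond the rule as stated.

```python
from collections import Counter, defaultdict

def public_names(roster):
    """Turn private (first, last) sign-ups into the least-identifying labels.

    Unique first name -> first name only (the rule from the list above).
    Assumption: a shared first name gets a last initial, and any label that
    still clashes gets a counter instead of revealing more of the surname.
    """
    cleaned = [(first.strip(), last.strip()) for first, last in roster]
    first_counts = Counter(first.casefold() for first, _ in cleaned)

    labels = []
    for first, last in cleaned:
        if first_counts[first.casefold()] == 1 or not last:
            labels.append(first)
        else:
            labels.append(f"{first} {last[0].upper()}.")

    # Resolve remaining clashes (e.g. two "Sam T.") with a running number.
    totals = Counter(label.casefold() for label in labels)
    seen = defaultdict(int)
    result = []
    for label in labels:
        key = label.casefold()
        if totals[key] > 1:
            seen[key] += 1
            result.append(f"{label} ({seen[key]})")
        else:
            result.append(label)
    return result

def surname_leaks(roster, labels):
    """Return every surname that still appears whole in a public label."""
    public_text = " ".join(labels).casefold()
    return sorted({last for _, last in roster
                   if last and last.casefold() in public_text})

# Constructed sample roster; none of these names come from the article.
SAMPLE_ROSTER = [
    ("Mike", "Smith"), ("Dana", "Lopez"),
    ("Anna", "Reed"), ("Anna", "Kowalski"),
    ("Sam", "Turner"), ("Sam", "Tate"),
]

if __name__ == "__main__":
    for label in public_names(SAMPLE_ROSTER):
        print(label)
```

Keep the full roster in the private, password-protected area and publish only the labels; `surname_leaks` is a last check before the page goes live.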
Stay safe out there, and thanks for reading. Let us know your thoughts, and other suggestions.