Zaibatsu:
Thanks -- your observations, comments and suggestions are excellent. When I perform security reviews for financial institutions and other companies, I always take a long look at the client's website and the annual report that's available to the public. I'm looking at them as a crook would, in preparation for committing a crime -- I'm looking for anything that will allow me access to or influence with the client's:
- Employees and insiders;
- Customers, vendors or third-party service providers;
- Facilities that it owns, maintains, rents or controls;
- Assets, both tangible and intangible; and
- Records, both electronic and physical (paper).
Examples of information that may provide opportunities for compromise include:
- Is there anything on that website that would help me identify personnel (including board members) such as job titles, photos, telephone numbers or addresses?
- Are actual locations listed for Operations or Data Centers?
- Are photos of cash-handling facilities available?
- Do the names of third-party service providers appear, such as law firms, armored car or guard companies?
For emphasis, take any photo of one of your employees that's available to the public. Draw a big "bull's-eye" on that photo in bright, red ink. While kidnappings of bank employees don't happen often, they do happen. Add to this issue the related crimes of stalking, sexual assault, child molestation and extortion -- and you may realize that controlling the publication of personal information should be an integral part of the institution's Security Program.