Optional: Specialised Topics
Guide 5 of 6

Limiting Information Exposure

What This Is About

Information exposure refers to how much information about your business, employees, and systems is publicly available online. Cyber criminals use this freely available information to plan targeted attacks against your business.

The more attackers know about your business, the more convincing and effective their attacks become. Reducing your information exposure makes it harder for criminals to craft personalised scams and find vulnerabilities.

Where Your Business Information Gets Exposed

Company website and marketing:

  • Staff directory: Employee names, photos, roles, and contact details
  • Technology mentions: Software and systems you use
  • Office photos: Images showing equipment, layouts, and security measures
  • Company structure: Organisational charts and reporting relationships
  • Project details: Current clients and ongoing work

Social media and professional networks:

  • LinkedIn profiles: Job roles, technologies used, and company connections
  • Facebook business pages: Employee photos and company events
  • Instagram posts: Office photos and behind-the-scenes content
  • Twitter updates: Real-time business activities and opinions
  • YouTube videos: Company presentations and training materials

Job postings and recruitment:

  • Technical requirements: Specific software and systems you use
  • Salary information: Budget ranges and compensation details
  • Company culture: Work environment and team dynamics
  • Growth plans: Future hiring and expansion intentions

Public records and databases:

  • Business registrations: Company structure and ownership
  • Domain registration: Contact details and technical information
  • Industry publications: Awards, partnerships, and achievements
  • Government databases: Licenses, permits, and regulatory information

How Attackers Use Your Information

Targeted phishing attacks:

What they do: Use employee names, roles, and relationships to create convincing fake emails

Example: "Hi Sarah, this is John from accounting. I need you to update our supplier payment details urgently..."

Why it works: The attacker knows real names and job functions from your website

Social engineering phone calls:

What they do: Reference specific business details to build trust during phone calls

Example: "I'm calling about the new customer management system you posted about on LinkedIn..."

Why it works: Specific details make the caller seem legitimate

System-specific attacks:

What they do: Target specific applications and systems they know you use

Example: Send fake security alerts for software mentioned in your job postings

Why it works: Attacks are tailored to your actual technology stack

Assessing Your Information Exposure

Do your own reconnaissance:

  1. Google your business: Search for your company name, domain, and key employees
  2. Check social media: Review all your business social media accounts
  3. Examine employee profiles: Look at staff LinkedIn and other professional profiles
  4. Review job postings: Check current and historical job advertisements
  5. Use archive sites: Check Wayback Machine for old versions of your website
  6. Search images: Look for photos that might reveal sensitive information

Check domain information:

  1. WHOIS lookup: See what registration details are publicly visible
  2. DNS records: Check what technical information is exposed
  3. SSL certificates: Look for additional domain names in certificates
  4. Email security records: Check SPF, DKIM, and DMARC settings
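A small checker for step 4 above, added here as an example rather than taken from the guide: it grades SPF and DMARC records pasted in as text, flagging the settings that leave a domain easy to spoof (a softfail or permissive "all", a DMARC policy of none, no reporting address). The sample records are constructed and the domains in them are placeholders; you would paste in the live ones from `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`.

```python
def spf_qualifier(txt):
    """Qualifier on the SPF 'all' term (+, -, ~, ?), '' if absent, None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    qualifier = ""
    for term in txt.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return qualifier

def assess_spf(txt):
    """List the weaknesses in an SPF record; an empty list means it looks sound."""
    messages = {
        None: "no SPF record: any server can send mail claiming to be from this domain",
        "": "SPF has no 'all' term, so unlisted senders are treated as neutral",
        "+": "SPF ends with '+all': every sender passes, the record protects nothing",
        "?": "SPF ends with '?all': neutral, offers no protection",
        "~": "SPF ends with '~all' (softfail); move to '-all' once all senders are listed",
    }
    q = spf_qualifier(txt)
    return [messages[q]] if q in messages else []

def dmarc_tags(txt):
    """Parse a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_dmarc(txt):
    """List the weaknesses in a DMARC record; an empty list means it looks sound."""
    if not txt.lower().startswith("v=dmarc1"):
        return ["no DMARC record: SPF/DKIM failures are neither blocked nor reported"]
    tags, findings = dmarc_tags(txt), []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is only reported, never rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC has no valid p= policy, so receivers ignore the record")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: you receive no aggregate reports")
    return findings

# Constructed sample records (placeholder domains): a weak pair and a hardened pair.
WEAK = ("v=spf1 include:_spf.mailhost.example ~all", "v=DMARC1; p=none")
HARDENED = ("v=spf1 include:_spf.mailhost.example -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```

Running `assess_spf(WEAK[0]) + assess_dmarc(WEAK[1])` lists three findings, while the hardened pair returns none.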

Reducing Your Information Exposure

Website and marketing materials:

  1. Limit staff directory information: Remove or minimise employee contact details
  2. Use general contact forms: Replace direct email addresses with web forms
  3. Avoid technology specifics: Don't mention specific software or systems
  4. Review photo content: Remove images showing computer screens or equipment
  5. Generalise job titles: Use broad titles instead of specific technical roles
  6. Limit organisational details: Don't publish detailed company structure

Social media management:

  1. Review privacy settings: Limit who can see your business posts
  2. Control photo sharing: Avoid posting office layouts or equipment
  3. Train employees: Educate staff about safe social media practices
  4. Monitor mentions: Set up alerts for when your business is mentioned
  5. Control check-ins: Limit location sharing on social platforms

Job posting security:

  1. Remove technology specifics: Use general terms instead of specific software names
  2. Avoid internal details: Don't mention specific systems or processes
  3. Limit salary information: Use broad ranges or "competitive salary"
  4. Review regularly: Remove or update old job postings
  5. Use recruitment agencies: Let them handle specific technical details

Domain and technical information:

  1. Enable domain privacy: Hide registration details from WHOIS lookups
  2. Use business addresses: Don't use home addresses for domain registration
  3. Limit DNS information: Only expose necessary technical records
  4. Review SSL certificates: Check for unwanted domain names in certificates
  5. Monitor for leaks: Check for your information in data breaches

Employee Training on Information Security

Social media guidelines:

  • Personal account privacy: Review privacy settings and limit public information
  • Work-related posts: Avoid sharing specific details about projects or technology
  • Photo sharing: Don't post images of work screens or sensitive documents
  • Location sharing: Limit check-ins at business locations
  • Connection requests: Be cautious about accepting requests from unknown people

Professional networking:

  • LinkedIn profiles: Use general descriptions instead of specific technology details
  • Conference presentations: Avoid sharing sensitive business information
  • Industry events: Be cautious about discussing internal systems
  • Online forums: Don't use company information in technical discussions

Real-World Example: Information Used in Spear Phishing

What happened: A Canberra consulting firm received a targeted email that appeared to be from their main client, referencing a specific project mentioned in the CEO's recent LinkedIn post.

How information was used: Attackers found the project details on social media and employee information on the company website to craft a convincing phishing email.

The attack: The email asked the finance manager to update payment details for the "urgent project deadline" mentioned in the LinkedIn post.

What saved them: The finance manager followed company policy to verify payment changes through a separate phone call.

What they changed: Limited project details in social media posts and removed specific employee contact information from their website.

Source: ACSC Small Business Cyber Security Guide

Monitoring Your Information Exposure

Set up monitoring:

  1. Google Alerts: Get notifications when your business is mentioned online
  2. Social media monitoring: Track mentions across different platforms
  3. Domain monitoring: Watch for new domains registered with your business name
  4. Data breach monitoring: Check if your information appears in breaches
  5. Regular searches: Manually search for your business monthly

Response procedures:

  1. Request removal: Contact websites to remove sensitive information
  2. Update privacy settings: Tighten controls on social media accounts
  3. Issue corrections: Correct any inaccurate information that could mislead attackers
  4. Document incidents: Keep records of information exposure incidents
  5. Review policies: Update information sharing guidelines based on findings

Information Exposure Checklist

Regular review actions:

  • Google search your business name and key employees monthly
  • Review all social media accounts for sensitive information
  • Check job postings for technology specifics
  • Verify domain privacy settings are enabled
  • Train employees on information sharing best practices
  • Monitor for new mentions of your business online
  • Update information sharing policies annually

Balancing Transparency and Security

You need to balance business transparency with security concerns:

  • Marketing needs: Share enough information to attract customers
  • Security requirements: Limit information that could help attackers
  • Employee training: Educate staff on safe information sharing
  • Regular reviews: Periodically assess what information is publicly available
  • Response plans: Know how to handle information exposure incidents