Most of us fondly remember the Winnie-the-Pooh stories by A.A. Milne from our childhood. One that is memorable for me is “Piglet Meets a Heffalump.” In that story, Winnie-the-Pooh and Piglet plot to catch the new animal they believe is living in the Hundred Acre Wood. They have named this animal the Heffalump. They set a trap for the Heffalump, but instead of catching it, Pooh becomes trapped in the hole he had dug to catch the Heffalump. To add insult to injury, Pooh gets his head stuck in a pot of honey that he had intended to attract the Heffalump to the trap.[1]
Now, you may be asking what this has to do with data privacy and security. One of the new trends in the data privacy and security field is the use of what are colloquially called “honeypots.” These are attractive bits of false data or decoy computer systems intended to entice individuals into looking at things they should not be looking at, enabling you to track those events. Should you use honeypots? Are there risks involved?
Before you set up a honeypot, you will want to have clear approval from the executive leadership of your organization, because there could be loud noises that result from someone unexpectedly getting stuck in one of these honeypots. That approval should include Information Technology and Human Resources, which may be required to take quick action if someone is caught. Legal counsel also should review the entire honeypot program — once you catch someone, you want to make sure the evidence will be sufficient to allow you to terminate his or her employment. You may also want to consider how you would use the information to make a referral to law enforcement. Even more importantly, you want to make sure that you are doing something that is legal, and you want to make sure your honeypot does not hurt someone unintentionally.
[1] Winnie-the-Pooh, A.A. Milne (1926)