Social networks: An information security game changer
The Internet has revolutionized business and significantly cut costs in nearly every sector. An in-person bank transaction that costs the enterprise US $15 is only pennies when done online. Be it online ordering, password resets and much more, the cost reductions are amazing. Businesses large and small are finding that social networks are a great way to interact with customers and create additional revenue. The downside is that social networks can be used to turn those potential profits into real losses.
Take the Wikileaks incident – just 10 years ago, imagine what would be needed to make copies of the more than 250,000 cables. After that, a truck would be needed to transport the reams of documentation; and that is just the start. Today, all it takes to undermine an organization is a DSL connection and an inexpensive USB drive.
Social networks – you can’t just block them anymore
To date, many companies have simply used the strategy of blocking access to all social networks, but this is becoming a losing battle. With the evolution of smartphones and the knowledge of users, simply blocking social media sites at your border is no longer effective. Natalie Petouhoff, formerly of Forrester, notes that such a strategy is no longer feasible given that “social media isn’t a choice anymore – it’s a business transformation tool.” That changes the dynamic from blocking to forcing companies to find a way to safely enable the use of social media.
But with that enablement come some security and privacy issues that every company must address. These include malware, brand reputational damage, breach of confidential data, identity fraud and social engineering.
Social networks – a security game changer
In 2011, organizations are struggling to understand and deal with the security risks of social networks. Traditional information security was based on firewalls and access control, which protected the perimeter. But social networks open up that perimeter and require a focus shift from infrastructure protection to data protection. Users will share extraordinary amounts of highly confidential personal and business information and files, and provide help and support to people they perceive to be legitimate, especially when they think those people are colleagues. There are numerous security risks in allowing uncontrolled access to social networking sites, but these risks can be mitigated via a comprehensive security strategy that includes social media.
Secure use of social media
As a start, the secure use of social media in a corporate setting can be facilitated via the following:
Be proactive. Get in front of the social network wave. Have a dedicated security team to identify and deal with all issues around social networks. Start routinely checking that the people claiming to work for the company really do work for the company.
Risk assessments should be done for each social network community on which your users will have a presence. Know the specific vulnerabilities associated with each site and identify which users pose the greatest risk. The output will be used to create the social media policy and strategy, which must be customized to your specific risk matrix. For example, when you perform a LinkedIn analysis, you will see that your users may be revealing the technologies you are using, the corporate direction, vendors and products used, internal e-mail addresses and address formats, and more.
Creating a corporate social networking policy is an absolute must. Even if your policy prohibits everything, you still need a policy stating that.
Security awareness has always been important, but never more so than in the era of social networks. Social media is driven by social interactions, and the most significant risks are tied to the behavior of staff when they are using social software. Don’t shun social media for fear of bad end-user behavior; rather, anticipate it and formulate a multilevel approach to policies for effective governance.
A good awareness program ensures that staff know about and are compliant with social media guidelines. As part of this, let employees know that not everyone they encounter within the social media sphere will be genuine, and that they can lose their job over policy violations. Educate managers and executives that they have a special responsibility when blogging by virtue of their position. And everyone needs to know that too much time on social network sites is a bad move.
Guidelines and regulations are key. Without guidelines around security and social networks, breaches will be inevitable. Two examples of well-thought-out guidelines are the Intel Social Media Guidelines and IBM Social Computing Guidelines. For your guidelines, ensure that you have directives for every area around social media — from blogs, wikis and social networks, to virtual worlds and more.
For those in the EU, take note of the Directive on Data Protection 95/46/EC. As the EU takes personal privacy very seriously, the tagging of images with personal data without the consent of the subject of the image violates the user’s right to informational self-determination. This is a large part of social networks and must be dealt with.
Note that the previous items are just a core set and not a definitive list of all the security and privacy items that need to be addressed.
Conclusions
While social networks do introduce significant security risks, if policies are designed appropriately, social networks and information security can be compatible—and can add real value. This requires effort, staff and an official plan of action. Putting in place controls around social media is all well and good, but will you test them and use the results to better your security? Ultimately, companies must recognize these risks and take a formal approach to deal with them.
