April 29, 2011
Social Media Risks: 4 Areas You Must Examine at Your Company
According to Nielsen, social networking is becoming one of the predominant ways that people interact and communicate with one another, both privately and professionally. In 2009, social networking sites eclipsed personal email in terms of global reach.
While social media can be a great communication tool, there are concerns for organizations that use social media. To recognize the risks of social media, you should have a robust monitoring and remediation program in place.
Siphoning precious bandwidth is one concern, which can happen when a large number of employees are sharing the latest YouTube video, for example. However, there are even higher risks such as cyber security data breaches and costly downtime. The two most common threats originate from Web 2.0 technologies: botnets and malware. These threats are known to cause costly outages and data breaches.
Technology leaders should understand the latest communication techniques and take appropriate action.
There are four main areas that chief information officers (CIOs) should examine when managing the risks associated with social media: eDiscovery, data protection, perimeter and compliance.
eDiscovery refers to any process in which electronic data is sought, located, secured, and searched, with the intent of using the information as evidence in a civil or criminal legal case. Social networking is creating new headaches from a corporate and legal point of view for organizations, which are often already struggling to comply with current legal eDiscovery requests. Social media may enhance employee productivity, but most companies are not prepared to deal with eDiscovery.
Social networking systems contain information that resides outside of a company’s firewall. During eDiscovery, organizations may end up subpoenaing a third party to obtain necessary information. Even then, there is no guarantee that a company will obtain the necessary records. To further complicate the issue of using social media, people communicate in abbreviations, and the sender assumes the receiver understands them in the context of the message.
Given these challenges, the best way to approach social media within an eDiscovery process is to take an inventory of what technologies are in use. Also, make sure that if individuals do communicate using any of these different social networking outlets, they follow appropriate policies.
When organizational data is the asset that needs protecting, there are two key components to the effort: technical controls and human factors. Technical controls can mitigate many of the intentional or unintentional data losses attributed to social media risks.
Enterprise-wide encryption is expanding all the time. Encryption is a great tool for protecting data from access by the wrong user. Data loss prevention (DLP) suites are also very capable tools for monitoring policies and protecting data. DLP used on endpoint systems can prevent attachment of various file types and content. It can even prevent an instant message containing sensitive keywords from being sent. DLP will also integrate closely with standard perimeter technologies like email security and web proxies. Other endpoint security software can mitigate rogue applications and malicious software to improve on the shortcomings of antiquated antivirus software.
Controlling for human factors with social media is a far more complex task than implementing encryption or application whitelisting. There is no amount of technology that can be thrown at the problem to provide a comprehensive fix. Oftentimes the quickest and least expensive way to decrease exposures of various data is through an effective security awareness program. This approach to risk mitigation is rarely, if ever, fully explored.
One of the biggest areas of improvement in social media-related data protection is in effective security awareness. Success comes from alignment of both technology and people to security policies.
An effective security awareness and training program has three main attributes.
1. Educates users in a meaningful and absorbable way.
Try live demonstrations or relating scenarios to actions and results that could happen in their home computing environment.
2. Is iterative.
Education doesn’t happen in the three seconds it takes to sign the acceptable use policy on the first day of employment. Repetition is important; consider testing employees over time.
3. Creates accountability.
Make sure users know they are being monitored. Let them know exactly what the consequences are of inappropriate actions, and deal with infractions accordingly.
A company’s perimeter is facing increased cyber threats. It is the front door to an organization’s network—where information comes in and out—and a gateway to customer information. Most organizations have outdated security infrastructures that have not been updated to protect against next-generation threats.
To help mitigate risk, many organizations have turned to web application firewalls (WAFs). These application-specific firewalls provide an additional layer of protection to a company’s current perimeter infrastructure. Other technologies that are commonly deployed to protect corporate assets are network access control (NAC), intrusion detection and prevention systems (IDPS), and secure remote access.
To ensure the protection of confidential information, many organizations block access to social media sites via proxy servers. Management can set different levels of proxy access allowing specific employee populations access to different social media sites. For example, management may allow 20 percent of its employees the ability to access social media, while 80 percent do not have access.
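The tiered proxy access just described, combined with the endpoint DLP checks from the data protection section (blocked attachment types, sensitive keywords in an outbound post or instant message), can be expressed as a single policy decision. The following is an added illustration, not code from the article; the employee groups, site lists, file types and content patterns are constructed sample policy, and the ACCT- identifier format is a hypothetical internal ID.

```python
import re

# Constructed sample policy: which employee populations may reach which social
# media sites through the proxy. "general" is the population with no access.
SOCIAL_MEDIA_ACCESS = {
    "marketing":  {"facebook.com", "twitter.com", "linkedin.com", "youtube.com"},
    "recruiting": {"linkedin.com"},
    "general":    set(),
}
SOCIAL_SITES = {s for sites in SOCIAL_MEDIA_ACCESS.values() for s in sites}

# Constructed DLP rules: attachment types that may never leave an endpoint via
# social media, and content patterns that block an outbound post or IM.
BLOCKED_EXTENSIONS = {".xls", ".xlsx", ".csv", ".pst"}
SENSITIVE_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("internal-label", re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.I)),
    ("account-number", re.compile(r"\bACCT-\d{8}\b")),  # hypothetical internal ID format
]

AUDIT_LOG = []  # every decision is recorded so users know they are monitored


def site_of(host):
    """Map a hostname to the social media site it belongs to, e.g. m.facebook.com -> facebook.com."""
    host = host.lower().rstrip(".")
    for site in SOCIAL_SITES:
        if host == site or host.endswith("." + site):
            return site
    return None


def evaluate(group, host, body="", attachment=None):
    """Decide whether an outbound request may pass; returns (decision, reason)."""
    site = site_of(host)
    if site is None:
        result = ("allow", "not a social media site; outside this policy")
    elif site not in SOCIAL_MEDIA_ACCESS.get(group, set()):
        result = ("block", f"group '{group}' has no access to {site}")
    elif attachment and any(attachment.lower().endswith(e) for e in BLOCKED_EXTENSIONS):
        result = ("block", f"attachment type not permitted: {attachment}")
    else:
        hit = next((name for name, pat in SENSITIVE_PATTERNS if pat.search(body)), None)
        result = ("block", f"sensitive content matched rule '{hit}'") if hit \
            else ("allow", f"group '{group}' may post to {site}")
    AUDIT_LOG.append({"group": group, "host": host, "decision": result[0], "reason": result[1]})
    return result
```

The order of checks matters: access tier first, so a population without access never has its content inspected, then attachment type, then content rules.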
Organizations need to start developing compliance and risk policies regarding social media now, even if there’s not a current business need. The language of these policies needs to focus on how to mitigate the risks and compliance issues introduced by these technologies, more than how to restrict them.
Companies with mature compliance and risk programs should be able to securely integrate new technologies that enhance business capabilities and opportunities, as long as the business is willing to accept or mitigate the risks involved. It is important to perform a realistic assessment of your risks and security frameworks by auditing and validating your program’s effectiveness.
Start by reviewing how social media can impact the organization’s compliance posture, as well as researching all the regulations that the business might fall under. Financial institutions that are required to keep records of any communications or commercial messages regarding loans, lending and deposits (Regulation B, Regulation DD and Regulation Z) will need to either restrict such communications or modify business processes and technologies in order to accommodate them while remaining compliant. Trading firms will need to address insider trading exposures, while healthcare industries are already struggling with privacy issues in the media.
All industries will need to evaluate the legal and brand exposures that social media introduces. For instance, what happens if the organization’s intellectual property gets posted? What about customer data? Most industries will need to modify their enterprise logging strategy to include these new forms of communication and should look into using a brand protection firm to look for misuse that occurs outside of the workplace.
Once the decision is made to make social media part of the business strategy, make sure to develop a strategy that involves all of the enterprise’s risk and compliance stakeholders—business units, legal, human resources, IT, change management, audit, risk, security, and executive steering committees. The strategy will need to address technology, process and people. Out of these three, the strategies around handling people will be the most sensitive. Create strategies that are fair, consistent and accommodate any appropriate exceptions.
Since it is difficult to control behavior outside of the workplace, designing awareness programs that create personal interest for employees is important. Programs should help employees understand their own risk when using social media, in addition to addressing business concerns. Also, remember that using social media responsibly requires a cultural shift, and upper management will need to lead by example. Their actions should set the standard, and reflect the behavior they expect to see in their employees, especially when it comes to keeping one’s professional and social presences separate.
Social media is here to stay
Social media is not a fad. It is forever changing the way we communicate with others. As we become more familiar with social media, we will be able to better manage it. By examining these four essential areas, implementing a comprehensive security program and clearly communicating a company’s internal social media policy, the risk factors will start to decrease.