As I write this, the newspapers are full of the case of the Kent Police youth crime Tsar and her social media experiences and the recent Met police sackings. I’ve also seen two surveys in the past month that talked about the rise of security threats in this space.
The good, the bad and the ugly
Traditional security thinking was that social media was a part of the web where people would waste a large amount of time or divulge company secrets. Many firms blocked access to these sites (certainly the so-called non-business ones like Facebook).
However, we are seeing this stance become less common, less viable, less effective and actually quite damaging. Social media is now a part of corporate life and the lives of customers and employees. This brings both potential risks and potential rewards.
Security victories, as well as defeats
Where businesses are opening up the social media floodgates there are some real advantages to security teams from being part of a social media savvy organisation. It is worth leveraging the opportunities these advances bring.
It is easy to compile a list of ways we can gain: we have the ability to better understand the external mood, we have a means to communicate quickly with updates, apologies and information in the event of a crisis, and we may even get early warning of impending threats.
Businesses are also increasingly using social media in their own communications environment (there are several corporate social media collaboration platforms now available). Security managers can use these to promote a security consciousness through their user base in a much more effective way than they ever managed with security intranets, policy reminders and posters.
Our workforce can also be alert for issues, for unhappy customers, for the careless or untrue posts of others, for indiscretions and for stray information. In some jurisdictions (consult local employment laws) people’s social profiles may be useful to avoid hiring mistakes or to identify potential candidates.
Growing security risks
In the face of this inevitability, and even once we have found some positives, there are issues. There are also some necessary changes to the way monitoring controls work and the way users behave. Many businesses have years of investment in email scanning and URL monitoring / filtering controls. An organisation that allows or encourages staff to use social media facilities may find that these traditional controls are no longer enough.
There are several cases where individuals have posted updates, tweets, content or messages that have been libellous, sensitive, embarrassing or offensive - from either home or work systems.
There has been an increase in social media being used to deliver the malicious content and malware that email filtering and URL controls used to defend us from.
We have seen social engineering via social media, drive-by downloads and malicious content posted within user-supplied information on otherwise trustworthy sites.
Businesses also need to think more about how employees interact with each other. How people behave professionally and socially can be different - social media policies may need to encompass both.
Productivity was often cited as the reason to tighten up web and social media access, but this view holds little water these days. If your business has a problem with productivity, social media might be a symptom, but it probably isn’t the cause.
Maximising opportunity, minimising risk
If we, as businesses and individuals, embrace social media, we can gain in both internal interaction and with external stakeholders and customers. Security teams can also get insights that can alert them to reputational threats, risks and data leakages.
However, there are things we should do to balance these advantages with a risk-managed approach to the downsides we outline above.
Have a clear policy. This may be hard to define, but if there are lines people must not cross you should establish them. For example: insulting customers, posting sensitive information or personal data, using abusive language, harming the reputation of the company etc.
Educate staff. People need guidance in prudent use of social media, particularly where there could be ambiguity between what they post on their own behalf and what they post as employees, or about who they connect with.
Passwords are still important
Whether on internal corporate intranets and collaboration platforms or on public social media sites, the threat of account compromise increases as people stay logged in to several systems from several places at once. Keeping account details secure and protected is as important as ever.
Deal with technical threats. Drive-by downloads, phishing etc. often exploit users but also their systems. Good patch and vulnerability management (especially at the desktop/browser) will help, but the nature of these attacks means they often get publicised quite quickly and change rapidly. Be ready to adapt controls or notify staff of new risks.
Think more deeply about security risks. Targeted attacks may sidestep traditional scanning or blocking, so ensure you have a mechanism to monitor activity to detect anomalies in system or network operation, or to monitor the information and files that are sent externally.
Ensure your monitoring solutions can apply some intelligence to user and system behaviour, ensure your endpoint solutions can defend against drive-by type attacks, and consider DLP solutions that will make network information flows and content more observable.
Factor social media feeds into threat intelligence. Make sure you have a view into the conversations the world is having. If someone threatens you, publishes information or makes adverse statements you should have some way to detect this and a means to respond appropriately.
Use social media for traditional staff awareness. Most businesses have intranets, and social media collaboration platforms are becoming more and more common. Make sure security awareness initiatives are early adopters of these, particularly if part of the current messaging is about safe use of social media generally.
Use external social networks. Communications with customers and stakeholders about security breaches or during a crisis are vital. For example, Twitter is a great way to update people on the status of a service outage.
Involve a younger audience. Find the youngest, most junior person in your IT security function. They probably know most about how this stuff works, so involve them in controlling it.
Social media is increasingly becoming the standard way people interact with each other. Blocking or constraining its use, or failing to properly and safely adopt it, is only going to drive disengagement and apathy. Security managers need to be aware of this and make sure sufficient and effective safeguards are built into systems, policies and processes to enable businesses and users to realise the benefits and to manage the risks.
Blocking social media: reasons not to try
- When it was just MySpace and Facebook it was possible to block it; now there are too many outlets
- Where do you draw the line between LinkedIn (work related) and Facebook (social)?
- Marketing probably want to use social media to engage with customers
- Staff will have access from their phones; you can’t control their access on the network for productivity reasons anyway
- You’ll lose visibility of what people are saying about your brand, your ethics, your response to customer complaints, your products
- Most market / customer segments use social media - these are likely to be your customers