Social media is now as common as a cup of coffee. Millions of people each day visit Facebook or Twitter, or spend their time blogging or “wiki-ing” (if that’s really even a word!). If those people, however, are your employees, you have to take it seriously.
According to the Nielsen Company, business social networking is becoming one of the predominant ways that people interact and communicate with one another professionally. In February 2009, social networking sites eclipsed personal e-mail in global reach.
While social media can be a good communication tool, there are obvious concerns and risks for corporations whose employees use it. Siphoning precious bandwidth is one concern, which can happen when a large number of employees are sharing the latest YouTube video. However, there are higher risks to be concerned with, which include or could result in cyber security data breaches and costly downtime. Over 65% of these security concerns are associated with botnets and malware linked to Web 2.0 technologies. Social media sites use Web 2.0 technology to allow users to create live content.
All in all, social media requires that technology leaders understand the latest communication techniques, and take action. In order to protect a company and its employees, it’s essential to clearly recognize the risk and have a robust monitoring and remediation program in place. Based on our work with hundreds of organizations, there are four areas that CIOs can examine when thinking about the risks associated with how social media affects their company: eDiscovery, data protection, perimeter, and compliance.
eDiscovery refers to any process in which electronic data is sought, located, secured, and searched, with the intent of using it as evidence in a civil or criminal legal case. Social networking is creating new headaches from a corporate and legal viewpoint for organizations already struggling to comply with current legal eDiscovery requests. The issue is this: social networking sites use various methods to gather disparate content to present a cohesive user view. Using downstream software to collect and determine user access to, or viewing of, relevant content, however, is difficult. Business social networking might enhance employee productivity, but most companies are ill-prepared to deal with it when performing eDiscovery.
Social networking systems contain information that resides outside of a company’s firewall. So during eDiscovery, you might end up subpoenaing a third party to obtain necessary information. Even then, there is no guarantee that you will obtain the necessary records. Few historical records are retained by social networking companies. To further complicate the issue, people communicate in idiosyncratic abbreviations, and the sender assumes the follower understands those abbreviations in the context of the message that was sent.
Given these challenges, the best way to approach social media within an eDiscovery process is to take an inventory of what technologies are in use so you understand the data flows in and out of an organization. Within the comprehensive program policies, make it clear that if individuals do communicate using any of these different social networking outlets, they are speaking as individuals and not as employees. If employees are representing the company on an official Twitter site, for example, ensure that appropriate policies, acceptable-use, and audits apply.
While eDiscovery issues are still being sorted out, it’s not a bad idea to curtail employees’ use of social networking sites. If use continues, it’s obviously essential to use them in a fashion as defined by company policy.
In terms of data protection, there are two things to think about – the technical aspect and the human element. From a technical perspective, an enterprise data loss prevention (DLP) and encryption strategy is the most common and effective tool for monitoring, reviewing and protecting information and data traversing in and out of an organization. However, these tools do have limitations. While good at protecting data, they are not good at protecting against malicious vulnerabilities. DLP is often limited by secure (HTTPS) websites, because inspecting that encrypted traffic requires complex integration with the secure sessions. Most companies today have not implemented DLP integration with secure websites at the host-based and network-based levels. This leaves companies without the ability to identify or block secure web-based social media sites.
When it comes to the human element – a company’s employees – the room for error can be great. For example, if employees are logging into Facebook and sharing messages with co-workers about a product launch or legal issues, the privacy settings might not be set correctly, allowing others to view sensitive material. It’s a fine line when an employee is on Facebook talking about his company: is he representing himself or the company?
Corporate stakeholders should consider deploying a comprehensive policy for the company to ensure compliance. They also have to understand the risk, compliance and governance associated with it. Most important, the program should include three things. It must:

1. Be iterative, so that it is repeated, repeated and repeated to employees.
2. Educate users in a meaningful and absorbable manner (use live walk-through scenarios).
3. Hold employees accountable. What happens when the rules are broken?
The company perimeter, where information comes in and goes out, is facing increased cyber threats. Most businesses have outdated security perimeter infrastructures. These older systems have not been updated and can’t recognize Web 2.0 technology. Nor do they have the ability to identify and understand the traffic patterns of social networking.
To keep viruses and intruders out, many organizations have turned to Web application firewalls (WAFs), which are another layer of protection on top of a company’s current firewall infrastructure. Other technologies that are deployed to detect intruders are intrusion prevention systems (IPS) and intrusion detection systems (IDS), as well as data loss prevention (DLP). The perimeter is complex and needs many resources to protect it.
Some organizations are deploying other strategies to ensure that Web 2.0 won’t affect their infrastructures. Some are leveraging consolidated devices, or zoning or segmenting “critical areas” of a company’s network to mitigate exposure.
In terms of ensuring the protection of confidential information, most company technology teams choose to block access to social media sites via proxy servers. Management can set different levels of proxy access that allow different employee populations access to different social media sites. For example, depending on the business, management might set up a program that allows 20% of its employees access to social media, while 80% do not have access. Tiered levels of access are helpful; however, keep in mind that a comprehensive security awareness program that educates employees on what they can and cannot do is still key.
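As an added illustration (not from the original article), the tiered proxy access described above can be expressed as Squid ACLs. The subnets and the list of social media domains are constructed assumptions; adapt them to the populations management has defined.

```squid
# Employee populations identified by source subnet (constructed example ranges)
acl marketing_team src 10.10.20.0/24
acl all_staff src 10.10.0.0/16

# Social media destinations; a leading dot matches the domain and all subdomains
acl social_media dstdomain .facebook.com .twitter.com .youtube.com

# Tier 1: the marketing population may reach social media sites
http_access allow marketing_team social_media

# Everyone else is denied social media; the denial is recorded in access.log
http_access deny social_media

# Remaining web traffic from staff is allowed; anything else is refused
http_access allow all_staff
http_access deny all
```

Domain-level blocking of HTTPS sites works here because the browser's CONNECT request names the destination host, so no TLS interception is needed for the decision; inspecting what is sent inside the encrypted session, as the DLP discussion above notes, is a separate and harder integration.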
Another essential part of protecting the perimeter is having controls in place to deal with an incident or event once it is detected. If an IPS tool discovers a breach, there must be a plan in place to handle the threat.
Finally, when you think about the perimeter, don’t just think about technology. There are also social and physical elements. For example, a clean desk policy and confidential waste program (shredding) will ensure that printed material is destroyed properly and unauthorized personnel cannot copy or take pictures of documents and post them on social media sites.
Compliance is set up within an organization to ensure that proper controls are in place to protect customer data and comply with regulatory requirements. It’s not an option – it’s about being held accountable for the safety and security of a company’s and its customers’ confidential information. If you’re a credit card issuer, you must be compliant with PCI regulations. If you’re a healthcare organization, you must be HIPAA compliant.
At a minimum, it’s important to be compliant within your industry. But due to social media, there are new challenges relative to security infrastructures and breaches, and new areas of concern for compliance.
Social media is a vehicle that social engineers use to gain information on a company that otherwise would not be available. To protect a company, you have to go beyond just patch policy and management, and configuration management. It’s about ensuring that the security devices protecting your company are up to date. And while many Unix and Windows servers have robust patch and configuration management systems, many of the security controls are not up to date.
In the end, it’s important to implement controls, verify that they are working, and produce the evidence at a regular frequency. And be sure that you can quickly identify the breach or vulnerability and take swift action to mitigate the incident.
By looking at these four essential areas within a company and implementing a comprehensive security program that “makes it real” for employees, you’ll be protecting the company and its employees, and your risk factor will start to decrease. For now, treat social media with respect because it’s here to stay. Keep an open mind, address the issues at hand, and be thorough with a program that speaks clearly, fills the obvious gaps and outlines consequences.
Jeff Sizemore is Director of Product Management at Forsythe. Cisco, Symantec and EMC all recently named Forsythe Partner of the Year. For more information, please contact Jeff Sizemore at [email protected].