Social media: the security threats and how to tackle them
By Christopher Jenkins, Security Director, Dimension Data UK
Social media is forcing businesses to change their behaviour. With the lines between work and home life steadily blurring, employees are demanding that the tools they enjoy in their personal life also be made available at work. This is why social media is fast becoming a key challenge for not only security and IT, but also HR and management teams. This article will look in particular at how a corporate policy, defined by HR and the IT team, is as crucial as security technology in managing social media security threats.
What are the security risks?
The threats generated by social media usage at work, or on devices used for work, are often not ‘new’ as such, but are old risks in a new form. They include (source: Gartner January 2010):
Malware infection of desktops and sharing of malware via social media
Use of mash-ups of applications in social media means data can become untraceable
Public application interfaces may not be sufficiently secured, so users are exposed to cross-site scripting, for instance
IP and other trade secrets, or private, sensitive data, may be made public, resulting in reputation damage, loss of customers, and even loss of revenue
Posted content or online conversations may breach regulations as they are not recorded or archived appropriately
Users are exposed to phishing attacks and can fall victim to ID fraud.
Nevertheless, new or old, these threats are real and require a slightly different approach, which needs to involve multiple areas of a business.
How far can IT protect from social media threats?
Security technology, such as data leakage prevention, firewalls, data encryption and anti-malware software, can only do so much. Without question, as well as being the greatest asset, people are an organisation’s greatest threat. We’ve all seen examples in the media of employees losing unencrypted laptops or USB sticks and the potential damage they can cause. Social media has only served to exacerbate the human, data-related risk with the frequency and speed of communication involved in its use.
When it comes to managing the risk, employers need to be practical about what will and will not work. It is for this reason that a corporate policy on social media, defined by HR and IT, is fundamental in ensuring its acceptable use. The business as a whole is therefore challenged with defining acceptable use and implementing a corporate policy aligned with the existing ‘personality’ of the organisation. The policy will also need to consider the business’s appetite for risk. Through this evaluation the HR department can define the official level of presence or absence of social media and its acceptable use. Some businesses may take a lock-down approach whilst others acknowledge the requirement to allow web 2.0 tools in some form.
Regardless of which approach an organisation adopts, social media exists and demand for it is only growing. If employees want access to social media, the chances are they will find a way around technologies which prohibit their use. An employee may bring in their own 3G USB modem and connect directly to the corporate network and bypass security systems, or if working from home they may simply turn off their VPN. Employees will find a way to access social media, so it is vital that businesses do not ignore the issue. A complementary common ground between technology and company policy needs to be implemented to ensure all bases are covered.
Defining business culture: essential to sound social media security
How can an organisation work out this complementary balance? Key to understanding this is assessing your business’s culture and appetite for risk. This is unique to each business and will define your organisation’s individual approach. While some organisations simply aren’t able to take advantage of social media in any form because the risk far outweighs the benefits, others can afford to take more of a risk with some social media tools as for them the benefits outweigh the risk. For example, Dimension Data realises the productivity that can be gained from Instant Messaging (IM) and as such we have implemented our own corporate IM network which sits inside our perimeter security. This compromise allows our employees to utilise social media tools without compromising our security levels.
Case Study
Challenge: Following employee demand and the increase in use of social media (despite its best efforts to prohibit this), a large multi-national bank realised that social media is here to stay and its employees would continue to demand its use. The bank came to Dimension Data for best-practice advice on how it could allow employees access to certain social media tools without compromising security.
Solution: After assessing the business culture, the bank was able to determine its social media-related risks and implement the technology designed to manage the specific risks. This included Instant Messaging (IM) and web content-aware controls to allow certain social media applications but block the release / leakage of sensitive data.
Result: Employees were able to realise the personal and productivity benefits of using social media in such a way that the bank’s risks were managed to an acceptable level.
Conclusion
As with any new technology or trend, managing social media in the workplace, and finding the right technology or policy for each threat, has been driven by trial and error. With the wave of security threats stemming from social media will come a change in the approach businesses take to mitigate these threats. Technology and policy will continue to be driven by the demand for access and use of social media by employees. Think back ten years, when no business had an acceptable usage policy for online activity – now this is standard. Just as businesses had to address network perimeter security to protect themselves from viruses, social media is forcing organisations to define their business culture and create a social media security strategy.




