Mitigation, not Prohibition, is Best Response to Social Media’s Security Risks
October 26, 2010
No Comments
Although an all-out prohibition might seem to be the simplest way to deal with the security risks of social media, it is not necessarily the wisest approach.
The technology does introduce numerous risks, including the possibility that an employee might speak on an agency’s behalf without approval or even post sensitive or classified information inappropriately. Also, ill-intentioned actors might pose as social network friends to obtain such information – what’s known as social engineering. And as many people have learned, social networks can be a source of malicious code.
The technology does introduce numerous risks, including the possibility that an employee might speak on an agency’s behalf without approval or even post sensitive or classified information inappropriately. Also, ill-intentioned actors might pose as social network friends to obtain such information – what’s known as social engineering. And as many people have learned, social networks can be a source of malicious code.
However, the benefits of the technology are becoming more apparent every day. Private and public organizations are finding that social networks facilitate both personal networking and massive customer and citizen outreach. They provide good venues for getting feedback from customers and constituents (via Facebook and Ning, for example), locating subject-matter experts (via LinkedIn and others), and for communicating with communities large and small (e.g., Twitter and wikis).
Given that value, organizations should not resort to blocking all access to social networking or only allowing access by a small number of public relations and marketing experts. The good news is that it is possible to mitigate the risks through a combination of policy, training and technology.
Here are four steps to consider:
1) Ensure existing employee codes-of-conduct policies cover social networking. A good start is to update your organization’s computer-use policy to indicate whether it is acceptable to use social networking only for work or for work and personal activities. However, organizations also need a broader policy covering what activities an employee (or contractor) can do on behalf of the company or agency. If existing policies are updated to include scenarios related to social networking, the organization must get the word out and incorporate the new policies into its employee training.
2) Train end-users on the benefits, risks, policies and goals for social networking. It is important to communicate to employees and contractors the organization’s goals for social media – and what their role will be. Much as you would work with an executive to prepare for a press briefing or analyst call, you should explain the goals of social networking, who has the authority to speak on the organization’s behalf, what actions and activities are appropriate, and whom to contact with questions and issues.
3) Create official profiles for the organization, subsidiaries and key executives on the major social networking sites. This should be done even if those profiles will not be used, and they can be marked as such. This will help head off the creation of fake accounts used for impersonation.
4) Implement technical controls that address how social networking can be used and what content can be posted. Policies must be enforced, and appropriate technology is one important way to achieve that. To be effective, any technology must understand the context of data as well as its content.
Social networking is here to stay. All organizations, public and private, can and should find ways to maximize its utility. A sound security policy is central to that effort.
Here are four steps to consider:
1) Ensure existing employee codes-of-conduct policies cover social networking. A good start is to update your organization’s computer-use policy to indicate whether it is acceptable to use social networking only for work or for work and personal activities. However, organizations also need a broader policy covering what activities an employee (or contractor) can do on behalf of the company or agency. If existing policies are updated to include scenarios related to social networking, the organization must get the word out and incorporate the new policies into its employee training.
2) Train end-users on the benefits, risks, policies and goals for social networking. It is important to communicate to employees and contractors the organization’s goals for social media – and what their role will be. Much as you would work with an executive to prepare for a press briefing or analyst call, you should explain the goals of social networking, who has the authority to speak on the organization’s behalf, what actions and activities are appropriate, and whom to contact with questions and issues.
3) Create official profiles for the organization, subsidiaries and key executives on the major social networking sites. This should be done even if those profiles will not be used, and they can be marked as such. This will help head off the creation of fake accounts used for impersonation.
4) Implement technical controls that address how social networking can be used and what content can be posted. Policies must be enforced, and appropriate technology is one important way to achieve that. To be effective, any technology must understand the context of data as well as its content.
Social networking is here to stay. All organizations, public and private, can and should find ways to maximize its utility. A sound security policy is central to that effort.
