The use of social media for business is often viewed as a double-edge sword. While social media can be powerful communication and marketing tools, using them also means opening the door on a number of security concerns, including the threat of data breaches. For many organizations, facing such risks is part of the cost of staying connected to customers and potential customers.
Data breaches are most often thought of in terms of cyber attacks from outside the organization. Yet the use (and misuse) of mobile data-bearing devices and social media by employees are major causes for concern. In fact, according to a survey conducted in March 2012 by the Ponemon Institute and Trend Micro, “The Human Factor in Data Protection”, only 8 percent of breaches are caused by external cyber-attacks: The top three causes of data breaches are the loss by employees of laptops or other mobile devices, third-party errors, and system glitches.
IT security departments often find they are dealing with two-way traffic when it comes to internal security. In some workplaces, employees bring their own smart phones, laptops and tablets to work. It’s also common for employees to use company-supplied computers and devices to access their personal social media accounts both inside and outside of work hours. Both situations put employers at increased risk of exposure to malware and cyber attacks.
Gone Phishin’ with Friends
While employees are often encouraged to support a company’s business efforts on social media, they are not always provided with training for security awareness. That is, very simply, a mistake. With just a few pieces of key information, a hacker can exert control over a social media user’s other online accounts and pose as trusted friend to gain access to other accounts as well as that person’s online circle of friends. One example is the exploitation of the “forgot password” feature available on many social networks. By retrieving publicly viewable information on a person’s profile, a hacker can often find the answers to pre-determined security questions, such as the name of a pet or the name of the high school from which someone graduated.
Once a hacker has access to a victim’s account, it’s possible to pose as a trusted friend to others in order to send out phishing messages with included malware or links to malware files. Because the recipient might be more likely to trust the word of an online “friend,” these files or links stand a higher chance of being opened or followed, at home or at work. It’s yet another example of why having a program to prevent data theft and being able to address potential data breaches is so important.
Change Is Good
Many employees use the same passwords at work as they do for their personal accounts. If an employee hasn’t taken steps to have created different passwords for different types of accounts, as soon as a hacker is able to access the password to a profile, chances are that he or she will also be able to find the password not only for the victim’s personal email accounts and bank accounts, but the login credentials used to access corporate accounts. Here, requiring employees to have different passwords or pass phrases is not only a “good idea”, it might be one of the few things that stand between them (and their organization) and a successful cyber attack.
Social Media Use Policy
Many organizations are realizing the need to have an acceptable use policy for social media, both on and off the clock, as a way of regulating the nature of the information that can be disseminated to the public by employees.
One heavy-handed approach is to implement a ban on all social media speech about the business. A more practical approach is to design a policy that limits the use of social media during work hours, spelling out what activities are restricted activities both on and off the clock. This might still involve bans on particular activities such as making false statements, disseminating proprietary information, and using profanity when mentioning the company, co-workers, and management. Employers should make it clear that employees must comply with the organizations’ existing policies–such as rules of conduct that may constitute sexual harassment, rules prohibiting disclosure of confidential or proprietary information, and company policies on the use of corporate logos and other branding devices–when using social media. That may include a reminder that the company’s systems are not to be used for any illegal activity, such as downloading or distributing pirated data or software.
Another possible provision is to include a reminder that if the employee mentions the company in social media message, he or she must also include a disclaimer stating that any opinions expressed are the employee’s own and not those of the company.
Because it hinges on responsible use by an organization’s people, the use of social media is perhaps one of the most complex issues in business communications and security today. Staying current with social media developments should be at the top of every IT security department’s priorities. In the next part of this series, we will look at social media and compliance issues.