• Save
Social Media & Enterprise Security Whitepaper
Upcoming SlideShare
Loading in...5
×
 

Social Media & Enterprise Security Whitepaper

on

  • 1,160 views

 

Statistics

Views

Total Views
1,160
Views on SlideShare
1,160
Embed Views
0

Actions

Likes
0
Downloads
0
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Social Media & Enterprise Security Whitepaper Social Media & Enterprise Security Whitepaper Document Transcript

  • Social Media and Enterprise Security Whitepaper Sarah N Schleigh 12/5/2011This paper is available for viewing at http://www.slideshare.net/SchleighSA broad look at the issue of IT security as it relates to social media. Many firms have set security on theback burner to prevent being left behind in today’s world which is driven by social media. Othercompanies have been reluctant to engage in social media due to security concerns. As a result thesefirms may lack specific policies for social media use. Firms across industries are exposing themselves tomore viruses and malware and some may have to deal with even bigger problems – security breaches –as a result of their social media usage. I will take a more focused look at how this issue impacts theinvestment management industry which deals with a large amount of confidential information but hasrecently dedicated a lot of resources to expanding their social media presence.
  • Executive Summary There is no denying that in recent years the popularity of social media has grownexponentially. Formerly, a tool strictly for socializing, social media is now being used bybusiness for a multitude of purposes. Some of these applications include researching potentialjob candidates, connecting with consumers and clients, market research, and networking. Withthese benefits come some threats, particularly in relation to enterprise data security andreputation. Social media sites are frequently used by malicious individuals to spread malwareand/or viruses. Hackers use them to try and gather personal information in order to guesspasswords. Employees can unintentionally disclose private information on social media sitescausing damage to the firm’s reputation and loss of clients. Employees want access to theirpersonal social networking accounts at work but want to keep these sites private from theiremployer. Firms find it very challenging to know what kind of information is floating aroundabout the company, or what kind of personal sites are misrepresenting the company, since theycannot monitor and control this activity like email. Many IT managers are concerned about how social media is impacting enterprise securitybut most companies do not even have a social media policy to provide employees guidelines onhow to use social media. Also, many companies allow company wide access to social mediameaning a decrease in productivity and more potential threats to the company in terms of dataleakage, malware/viruses, and reputation. Currently many larger companies who allow access tosocial media sites are trying to mitigate the threats by updating their antimalware and antivirussoftware daily and scanning the network for threats. Some companies also limit users ability todownload plug-ins or applications from social media sites and some provide training to theiremployees about the threats posed by social media sites and what they can do to avoid anincident. This whitepaper provides some background on how companies are handling social mediarelated security now and also provides some recommendations and steps for firms to follow ifthey are seeking to improve their policies in this area. Many companies today are guilty of doingone or two things to combat the security threats of social media but no more than that. In reality,there are several steps that can be taken to decrease (but not eliminate) the risks. One of therecommendations provided include the creation and maintenance of a Social Media Use Policy.This policy should be as specific and as detailed as possible to try to avoid grey areas for users.The policy should describe what is acceptable to post on social media sites and what is not.Confidential information should be clearly defined and employees should be instructed to protectconfidential information first and foremost. The policy should also be clear on the severity ofthe consequences should an employee violate the policy. Other steps include offering regulartraining, providing open communication channels for employees’ questions, having a dedicatedteam handle the corporate social media accounts, making improvements to general IT securitythrough proper password management, more complicated password requirements, securitytokens, using content filtering technology, and frequent updates of malware and virus detectionsoftware. Some additional recommendations are also provided. While this paper does not seekto advise firms to use or not use social media, it does provide some helpful steps for firms whowant to use social media but maintain enterprise security and a good corporate reputation. 2
  • IS Issue: Social Media and Enterprise SecurityIssue DefinitionIn recent years, social media sites such as Facebook, LinkedIn, Twitter, YouTube, etc. havebecome accepted and useful tools for businesses whereas in the past, these sites were primarilyused for personal and social purposes only. Since being adopted by a large percentage of theworld’s major enterprises, many applications for social media have been discovered. As manyjob seekers are now aware, their social media sites are frequently vetted by potential employers.Many human resource professionals believe that social media sites provide insight into acandidate’s character beyond what he or she may demonstrate in an interview. Firms can usesocial media sites to gather research on their customer base and determine what their customerswant. Marketing professionals make use of Twitter’s brief status updates to announce specialoffers, corporate accomplishments, and need-to-know information for customers. Salespersonnel use social media to network with existing and potential buyers. Other professionalsuse sites like LinkedIn to network with others in their field and stay on top of current issues thatare relevant to the performance of their duties. With all of these applications and more, socialmedia has become integrated into our professional lives, as well as our personal lives. Theproblem for businesses is that social media sites represent new and abundant security threats.Viruses and malware are commonly distributed through social media sites. Private orconfidential information could be inadvertently shared by an inexperienced or unknowingemployee. There is also the potential that an employee would knowingly and maliciously shareprivate information over social networking sites. Due to the fact that employees can set theirsocial media sites to private, IT security departments cannot actively monitor these sites forsecurity breaches.Despite the fact that social media is relatively new, the threats it poses are not. Informationsecurity professionals have long been at work to keep private information from getting out and tokeep networks virus free. Ten or so years ago, the biggest threat to this objective was email. Tothis day, email is still a threat with viruses and spyware commonly being spread through emailattachments. To mitigate this problem, most firms closely monitor employee email activity andencrypt all outgoing emails to prevent them from being intercepted. All employees use the sameemail server and software. The problem with social media versus email is that it is outside of theIT department’s control. Additionally, sites like Facebook offer applications for download andthese applications can be written by anyone and may contain viruses or spyware. Users may notrealize that what they are downloading could corrupt their computer and even spread to othercomputers on the same network. Quizzes that appear innocent to the average user may beattempts to gather personal information that can be used to access an individual’s personal orwork login information. For example, a quiz may ask something like “What is your favoritebook?” or “What city were you born in?”. These questions may seem harmless but they oftencoincide with security questions used to authenticate users in the event that a password needs tobe reset. Armed with a user’s personal information, hackers can potentially gain access to afirm’s private information. 3
  • The degree to which this poses a threat varies from organization to organization in closerelationship to how security-conscious the employees are, particularly in relation to IT. Smallcompanies in the IT industry though not immune typically have fewer security breaches relatedto social media sites because employees are more cognizant of the risks. A large softwaredevelopment company for example, despite being in the IT industry, may employ thousands ofindividuals from different backgrounds – marketing, accounting, administrative – and not all ofthese individuals may understand the risks inherent in mixing their personal and professionallives through social media. It is up to the firms to make sure employees understand these risksand act accordingly – though this is easier said than done.So the question is: should firms allow employees to access social media sites? If yes, what stepscan and should be taken to mitigate the risk of a security breach or virus infection? If no, howcan this be justified to upper management who views social media as a useful tool for a varietyof functions?ScopeFor the purposes of this whitepaper, I will be focusing specifically on employee use of socialmedia – both for personal and business related purposes and how enterprises can seek tominimize the security risks presented by this usage. Aside from the threat to enterprisecomputing assets (the network, PCs, laptops, mobile devices, etc.), an employee’s use of socialmedia at home can present almost all of the same challenges it presents at work. Addressing thatis both difficult and controversial as it can be seen as an infringement on employee privacy if it isnot handled in a sensitive manner. To give the issue some perspective, I will be focusing on thisissue within the investment management industry. I have chosen this industry due to my ownpersonal interest in it and due to the fact that it employs individuals of diverse knowledgebackgrounds – portfolio managers, IT professionals, accountants, administrative workers, eventplanners, etc. Also, the majority of firms in this industry allow at least some access to socialmedia and put social media to work for marketing, hiring, networking and sales applications. Arecent survey by Cerulli Associates found that nearly 70% of asset managers are using socialmedia tools today compared to only 31% a year ago.Why Enterprises Should be Concerned about Social Media SecurityFirms differ in their opinions about whether or not the benefits from social media outweigh therisk of a security breach and it shows based on percentage of firms who allow unlimited accessto social media. This percentage, according to a poll of network administrators, is 36%. Thesame poll stated that 48% said employees have limited access, with 16% of the respondentssaying employees had no access to social media.1 Another recent survey published by the lawfirm DLA Piper found that just one company in four has a dedicated social media policy togovern employees’ use of social media sites. This is despite the fact that 34% admit to being1 http://www.eweek.com/c/a/Security/Network-Breaches-Social-Media-Smartphones-Worry-Administrators-Survey-430279/ 4
  • worried about confidential information being posted online.2 A recent security surveycommissioned by Websense, Inc. questioned 1,000 IT managers and 1,000 non-IT employees inthe U.S., UK, Canada, and Australia and found that 34% said that confidential information hasbeen posted on social networking sites.3This is an area where most organizations are struggling to keep up. The relatively smallpercentage of firms who have dedicated social media policies is evidence that the desire to notget left in the dust with social media presence has taken precedence over whether or not thatsocial media presence is fully protected. While most experts agree that social media is here tostay, many offer up different suggestions for how corporations should approach the issue ofsocial media.This issue is of vital importance to IT managers, non-IT managers, clients, and executives ofinvestment management companies that use social media. A widely publicized breach can costfirms millions if not billions of dollars and at an investment firm, can trigger a huge number ofredemptions all at once. If an investment company is not prepared to handle a large number ofredemptions (due to liquidity reasons), the result can be a failure of the entire company. ITmanagers do not want to be held responsible for confidential information being posted on socialmedia sites. With the case of a smaller breach, this could still mean their jobs. On a largebreach, it is unlikely they will ever be hired to work in the field of IT security again. Aside fromwanting the company to succeed, executives also need to be concerned about IT security becausetheir own personal information is highly coveted by hackers and often the information that ismaliciously disclosed online by disgruntled employees. According to the Websense, Inc. surveyreferenced above, 24% of respondents said that the CEO’s or other executives’ confidential datahad been breached. This is not specific to the investment management industry but is asignificant figure. Executives in the investment management industry are a popular target,especially in recent years given Wall Street’s poor performance since the current recession beganin 2008.If companies fully understand the concerns of IT security as it relates to social media sites, theycan prevent disaster (i.e. security breaches, viruses and malware infection, etc.). They can alsoattempt to control their reputation in social media circles. By allowing all employees to usesocial media at work and encouraging them to use it in their professional lives, employers takeon the risk that comes with essentially letting all of your employees speak for the company ratherthan having one clear and deliberate presence. A firm cannot stop an individual from having aLinkedIn page but they can be very clear through a separate policy that individuals are not tomake statements on behalf of the company on their personal sites. Clearly spelling out whatemployees are, and are not, allowed to do on social media sites and making sure they arefrequently reminded is important. It can prevent incidents like the one that occurred in June of2 http://www.personneltoday.com/articles/2011/10/13/58033/employers-leaving-themselves-exposed-to-social-media-risks.html3 http://news.investors.com/Newsfeed/Article/137168292/201110200800/Websense-Security-Survey-IT-Stresses-as-Data-Breaches-Put-Jobs-on-the-Line.aspx 5
  • 2010 at a hospital in Oceanside, California. In this incident, hospital employees postedconfidential patient information on Facebook.4 This could just as easily happen in any industryif companies do not communicate that this kind of activity is unacceptable. The investmentmanagement industry has no shortage of confidential information. Client information includingaccount numbers, Social Security number in some cases, investment strategies and transactions,addresses, phone numbers, and banking information is held to the highest security. Companysecrets such as stock research, investment models, research into potential mergers or acquisitionsand more are also held to this high security.If firms do not fully understand this issue, or if they underestimate its importance, they will mostlikely come to regret it. If companies take this issue lightly and do not train their employees onsecurity risks and proper handling of confidential information, they risk their reputation and inextreme cases, they put the firm at risk of going under.Current Threats from Social Media Use in the Workplace and How They Are Being AddressedAs mentioned in the previous section, there are a variety of threats posed to enterprises fromemployee use of social media. This section will expand upon these threats and attempt toprovide some examples where history provides them on how these threats can come to fruition.Each kind of threat is explained in detail below accompanied by a brief summary of some thingsthat companies are doing to address these issues.Malware/VirusesUsers can download malicious software rather easily on websites like Facebook. A December2010 survey by security firm BitDefender found that 97% of respondents on Facebook andTwitter click on links without checking them for malware.5 Another recent survey (reported inOctober 2011) done at a global level by the Ponemon Institute indicates that more than 50percent of respondents report an increase in malware due to social media use.6 Some mitigationtechniques currently being used by enterprises to combat this risk include: 1. Ensuring that antivirus and antimalware controls are installed on all systems and updated daily 2. Use of content filtering technology to restrict or limit access to social media sites 3. Ensuring that controls are also installed on mobile devices like smartphones and tablets 4. Addressing the issue in corporate policies and procedures 5. Awareness training for employeesIT departments rely on the first method to ensure that systems are clean on a daily basis but thesedo not ensure that new worms, viruses, or spyware will not be downloaded and distributed across4 http://www.privacyrights.org/data-breach/new5 http://www.allfacebook.com/most-facebook-users-blindly-click-malware-links-2010-126 http://articles.timesofindia.indiatimes.com/2011-10-12/security/30270273_1_social-network-business-malware 6
  • the network. That is where employee awareness and policies and procedures come in. Whilethis is still a risk, many companies are already doing a lot to combat the threat. Where it is reallya danger is in smaller companies who may have an “IT guy” rather than an IT department. Asurvey by Panda Security (a provider of cloud internet protection) in July 2010, askedparticipants from small- to mid-sized businesses about their social media security. Of thosesurveyed, 33.3% reported experiencing a malware or virus infection as a result of their socialmedia use. Of those who reported infections, 35.5% reported financial losses as a result of theinfection. Of those who reported financial losses from infection, 31% reported losses in excessof $5,000 – some even reported losses in excess of $100,000.7 For a small business, these kindsof costs can be crippling.A recent white paper by M86 Security also suggests creating two separate networks – onepersonal and one work related. While this may seem like extra work for administrators, the endresult is a more secure business network which some companies may find worth the costs inoverhead. M86 also recommends reviewing privacy settings on social media sites and limitingthe installation of plug-ins for games or other social media applications.8Information Gathering by HackersHackers, or any computer savvy individual with malicious intentions, can skim social mediaprofiles to gather information on passwords or security questions. Computer users commonlycome up with weak passwords so they can remember them. Some examples are the name oftheir dog (“Marmaduke”), their child or children (“Jason” or “JasonEmma”), their wife(“Sabrina”), their favorite musician (“ChuckBerry”) or the destination of a recent vacation(“Reykjavik”). For the average person, all of this information is easily obtained from their socialmedia profiles. Now suppose a hacker was able to trick a Facebook user into clicking a link for a“funny video” and by clicking this link the user unknowingly downloads a virus. Say this virusallows the hacker to access the user’s work computer. The hacker may then be able to access theenterprise’s network, applications, and confidential information by using information gatheredon the user’s Facebook page to guess their passwords. Users are frequently guilty of recyclingthe same password to use on other systems so they have less to remember and in this case, ahacker could potentially access a great deal of confidential information or intellectual property.A recent white paper by Enterprise Networking Planet, an information site for networkadministrators, stressed the importance of password management from an admin and user side.Users need to be taught to create complex passwords.9Companies are addressing this issue by requiring stronger passwords – containing bothalphanumeric characters and special characters for example. Another recent innovation is theidea of a security token. These little pieces of plastic (usually made to go on a key chain) are7 http://press.pandasecurity.com/usa/wp-content/uploads/2010/09/1st-Annual-Social-Media-Risk-Index.pdf8 http://www.m86security.com/documents/pdfs/white_papers/business/ wp_is_your_aup_social_media_proof.pdf9 http://www.secnap.com/pdf/support/whitepapers/network-security-social-media.pdf 7
  • carried around by the user of an application and usually display a rotating numerical value(usually six to eight characters long) that changes at set intervals, for example every 30 seconds.In order to log in to an application or website, users must enter their passwords and the tokennumber for additional authentication. The idea is that while a hacker might be able to guess yourpassword, he or she will not be able to guess your password and your token/pin number. Despitethis high level of security, breaches are still possible. A Wall Street Journal article from June2011, reported that token supplier RSA Security’s confidential customer information had beenbreached allowing hackers unauthorized access to security systems at Lockheed Martin Corp., adefense contractor. Certainly companies are better off with these security tokens than withoutbut unfortunately, many companies still do not use them and even some companies who do onlyuse them on their most sensitive systems.Data LeakageOccasionally, well-meaning employees (or even malicious ones) can post seemingly harmlessinformation on their social media sites and it can pose a threat to an enterprise. Sometimes it isjust some simple fact that is leaked, other times it can be thousands of records of confidentialcustomer information. The following example is taken from a recent article on Inc.com and hasbeen paraphrased for brevity:10 Excited executives at a manufacturing company on the verge of a major expansion postedabout it on social networking sites. On the first day of the big move, men showed up wearing theuniforms of a well-known logistics company and loaded more than $1 million in equipment intotheir truck and drove away without being noticed. These men were thieves who had piecedtogether a plan based on information obtained from social media sites.In the example above the perpetrators were caught but the company was unable to recover theirequipment.Other examples could be an employee’s profile on a professional site like LinkedIn where theydetail a project they worked on at work that they think builds their professional profile. Theymay not realize it but some of the information they post could be meaningful to competitors,scammers, or even the company they work for. Revealing how vulnerable a company wasbefore a project was completed is not in the company’s best interest and they may take issue withcertain posts of this nature.Of all the social media related security problems this can be one of the hardest to prevent. Whilecompanies can create social media use policies and provide training to their employees on whatis and is not acceptable to post online, there is no guarantee that an employee will understand therisk in what they are doing on Facebook or Twitter. If a company provides annual review ortraining on this topic, a new employee may not be aware for several months. That is why manycompanies go over a corporate internet and social media use policy with new employees evenbefore setting them up at their new workstation. A recent white paper by the ISACA10 http://technology.inc.com/2011/01/11/unintended-consequences-how-to-keep-social-media-from-becoming-a-security-risk/ 8
  • organization suggests that a well-documented strategy (and associated policies and procedures)be developed and that all relevant stakeholders (management, risk management professionals,human resources professionals, and legal) should be involved in drafting that strategy. ISACAalso recommends being clear on exactly what is acceptable and what is not so that employees donot face any “grey areas”. Regular training and constant communication on these topics alsohelp to ensure employee compliance with (and understanding of) social media use policies.11These steps alone do not eliminate the risk of data leakage and they certainly do nothing toprevent a malicious or disgruntled employee from posting confidential data online. Where manymanagers struggle with this concern is that you are essentially relying on all of your employeesto exercise good judgment when a slip up could mean serious reputational damages to thecompany. This can be an even more stressful leap of faith to take when dealing with a largenumber of employees.Threats to ReputationAnother significant threat to a company from social media is the impact to their reputation. Asevidenced by the following statistic taken from a Symantec.cloud white paper, corporatereputation is often an afterthought for many employees using social media: “Fifty-three percent of employees thought that their social networking pages were noneof their employers’ business.”12These individuals most likely wonder “why does my company care who my friends are, or whatI did last weekend?”. What they do not realize is that companies are much more interested inwhat (if anything) their employees post in relation to the company. Something as seeminglysignificant to an employee as a picture with friends drinking at a bar could be negative to thecompany’s reputation if that employee is wearing a polo shirt with the company logo on it forexample. Employees must remember that anytime they post something about their employer ontheir social media site, like it or not, they are representing the company.In addition to employee’s personal pages affecting a company’s reputation, any news of asecurity breach in the press will be very damaging as well. In the investment managementindustry, clients are very conscientious of their personal information. A recent Fiserv whitepaper highlighting the benefits of connecting to clients with social media states that 45% ofunconnected (in reference to social media and financial institutions) consumers cited theirpersonal information’s privacy as the reason they had not connected.13 While consumers areslowly coming around, a significant breach in the financial company’s security through socialmedia will damage their reputation and send consumers running in the other direction. In a11 http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf?id=c0177e6a-fc5c-4eb7-872d-82f5c536f4ff12 Symantec.cloud. “Social networking, security and your business: a guide for IT managers”.February 2011.13 http://www.fiserv.com/WP_financial-institutions-social-media-white-paper_nov2010.pdf 9
  • recent study done in Europe, approximately 50% of 186 executives surveyed indicated concernthat their reputation would be damaged through social media.14A white paper from Sophos, a security vendor, offered some advice on how employees can avoiddamaging their company’s reputation on social media:15 Familiarize yourself with your organization’s social media policy so you don’t inadvertently break the rules Do not post images, pictures, or information that might embarrass you, your company, or your customers Avoid treating social networking sites as personal diaries. Assume that everyone, including your boss, is reading what you post.Overall there are a lot of good ideas out there for how companies can mitigate the risks of socialmedia, but in practice, the applications of these ideas are very scattered and far from standard.Many of the solutions require trusting all of the company’s employees to make good judgmentdecisions that could affect the whole company – regardless of their position. Given the increasein popularity of social media, there has also been an increase in innovation of malware designand distribution and no matter how prepared they are, companies open themselves up to morerisk by using social media. So what should companies do? Ban everyone from social media?Allow limited access? Or just continue to allow everyone access and hope for the best? Whatsteps should they take to make sure if they allow everyone access that they are not sitting idly bywith their fingers crossed? Can companies guarantee IT security even when letting employeesuse social media? These questions will be addressed, and recommendations will be proposed, inthe concluding section of this paper below.RecommendationsCompanies concerned about the impact social media has on their IT security may find thefollowing section, and the guidelines provided within, helpful when determining how toapproach this issue and where to start. It has been divided into multiple sections for clarity.Limited vs. Unlimited Social Media AccessThe first question a company should ask is: “Who within the firm needs access to socialmedia?”. Depending on the industry and culture at the firm, the answers could vary from“everyone” to “no one”. These extreme answers make network administrators’ lives easier sincethey can simply block the site or allow everyone access. More commonly, a firm may have ashort list of individuals responsible for maintaining the firm’s social media site, a handful ofsales representatives who may need access, or a subgroup of the marketing department whoneeds access. In these cases, firms should compile a list of authorized social media users whichshould be periodically reviewed and approved by management. The activity of a small group of14 http://www.marketerpulse.com/2011/10/27/ corporate-reputation-threat-posed-by-social-media-platforms-study/15 http://www.sophos.com/medialibrary/Gated%20Assets/ white%20papers/sophossocialmediawpna.pdf 10
  • users can be more easily monitored than the activity of 10,000 employees. Additionally, regulartraining on social media dos and don’ts can be provided to a smaller group of individuals muchmore readily than the entire company. While every company is different, there are manynegative consequences of allowing all employees to have access to social media and therefore, itis recommended that firms limit access to their employees to those with a specific business needrequiring social media use. Firms in favor of unlimited access should carefully consider whetheror not the benefits of allowing unlimited use outweigh the security, productivity, and reputationalconcerns that come along with it.Steps to Mitigate Social Media-Related RisksIf a firm decides to allow any, or all, of its employees to access social media sites it is imperativethat they take some steps to make sure that employees know what they should and should not doon personal, professional and corporate social media accounts. Here are some specific steps thatall firms should undertake before allowing access to social media websites:Create a Social Media Use Policy. This is of utmost importance. If employees are not asked toreview written policies explaining the dos and don’ts of social media, then managers cannotreasonably expect that they should have known better if and when a negative incident occurs.Social Media Use policies can be incorporated in existing Internet Use policies or Code ofConduct policies but if companies want to stress the importance of the Social Media Use policy(and they should) it should be a stand-alone policy that employees have to review both whenthey start with the firm and at least annually after that. Like other policies, a firm can requestthat employees review it and sign it to signify that they understand the policy and will not violateit. This policy must include specific guidelines to follow. Here are some examples: What is and is not acceptable to post. No confidential information should be posted on social media sites. Firms should be clear on their definition of confidential information. This usually covers customer information; personal information such as addresses, phone numbers, social security numbers, etc.; undisclosed company information such as potential mergers or acquisitions; passwords, building access codes, corporate secrets, and so on. Also firms should caution employees on making negative statements about the company, or making statements on behalf of the company without authorization, on social media sites. Reminders of the company’s core values. If a company is well known for their professionalism, it can be damaging for an employee to have an unprofessional profile with profanity, inappropriate pictures, and to have that profile associated with the company. Firms should remind employees that they represent the company and should use good judgment when using social media. Warnings to use caution when downloading applications and/or clicking on unknown links to third-party sites. Malware can find its way onto a network PC through these kinds of actions and it is important that employees know that. If network administrators decide not to block users’ ability to download applications from social media sites, then employees must use caution and good judgment when on these sites. If a link appears suspicious or if an application is not widely used, it might contain malware. If employees 11
  • are unsure if their actions will put the network at risk, they should refrain from taking those actions. Productivity must not be compromised. It is important that firms stress that they still expect the same level of productivity and that social media use must not take precedence over core duties. Consequences for violation of the Social Media Use Policy. Firms must be specific and clear about potential consequences of inappropriate social media use. Intentional or malicious violations should result in termination and accidental violations should be handled on a case by case basis. Firms should emphasize that termination is still a possible consequence of accidental violation and stress again that if an employee is uncertain about whether or not something is acceptable, they should either ask a manager or corporate governance employee or refrain from doing whatever they are considering altogether.These are just some of the recommendations for what should be included in a social mediapolicy. Firms may also want to stress that posting something on the internet is permanent andwarn employees about the potential downfalls of blurring the lines between their personal andprofessional lives. Firms should seek input for this policy from several departments includingIT, Human Resources, Legal, Corporate Governance, Sales & Marketing, Public Relations, andother top managers. A wide selection of social media policies for existing organizations areavailable for viewing online following a search of “Social Media Policy”. One site in particularthat includes many examples is http://socialmediagovernance.com/policies.php for furtherresearch and detail.Offer Training Regularly. A Social Media Use Policy is a good start but firms should also besure to offer training sessions on social media. The majority of training should be targetedtowards employees with social media access at work but training should also be provided toemployees who go home and use social media in the evening – or from their mobile devicesduring the day. In addition to showing users specific dos and don’ts, trainers can also fieldquestions from users who may have run into a grey area not fully addressed by the Social MediaUse Policy. In addition to teaching employees about security issues related to social media,trainers can help users develop more professional profiles and provide an objective viewpoint onthe impression an employee’s social media profile makes to an outsider.Establish Appropriate Communication Channels. In between an annual review of the SocialMedia Use Policy and periodic training, employees are bound to have questions about what theyshould and shouldn’t do on their social media sites. It is important that employees know wherethey can direct questions in the interim periods. An email group comprised of individualsresponsible for creating and updating the Social Media Policy could be created to handle thesequestions. The policy itself along with corporate intranet pages or regular emails can remindemployees that their questions are welcome and that no question is too insignificant to ask. It isimportant that employees feel comfortable asking their questions or else they may make a baddecision. 12
  • Have a Dedicated Team Handle the Corporate Social Media Accounts. Of all the social mediaaccounts associated with a company, by far the most important one(s) is the firm’s social mediapage (Facebook, Twitter account, etc.). A slip-up on this account will be noticed far morequickly and have more impact on the company’s reputation than incidents relating to employeesocial media accounts. With that said, it is important that companies select qualified individualswho have demonstrated good judgment and communication skills to maintain the company’ssocial media sites. All requests for content to be published should then run through this groupfirst who will determine if the disclosure will have a positive or negative impact on the firm as awhole. Many companies, even large ones, currently do not have a dedicated social media team.It is something they may want to consider since firms are constantly growing their social mediapresence and more and more consumers and investors are looking to corporate social media sitesthan ever before. In small organizations where it may not be feasible to have two or moreindividuals solely devoted to social media, it is still preferable to have the more than one personresponsible for the content so that there is more than one person determining if content isacceptable to publish. In small organizations, there may be a few individuals responsible for thesocial media site as time allows.Randomly Monitor Social Media Sites of Employees with Access. If access to social media sitesis limited, firms can monitor users’ activity to ensure that it is consistent with the image andvalues of the firm. This can become tricky with employees’ personal accounts which they maywant to remain private. If that is the case, employers must prohibit employees from using theirpersonal accounts while at work and instruct them only to access professional and businessrelated social media accounts. In this situation, the firm has to rely on the employee’scompliance with this rule since allowing access to any Facebook account would allow themaccess to their personal one as well. In these situations, companies may wish to adviseemployees of potential consequences of unauthorized access to their personal social mediaaccounts. The choice to allow employees to use their personal accounts at work, and/or tomonitor their personal accounts, is something that companies must decide on their own and workout with their employees.Improve General IT Security to Help Combat the Effects of Social Media Use. There are anumber of things an IT security group can do to make their network safer in general. Things likestricter password requirements (alphanumeric/special character), security tokens, the use ofcontent filtering technology, and daily updates of antivirus/antimalware software are a fewexamples. All of these techniques are common practice at many companies already and arestrongly recommended. Employees should receive some training on password management tolearn not to recycle passwords, save their list of passwords in electronic files (especiallyunprotected electronic files), or the all too common post-it note password list “discretely” placedunder the keyboard or mouse pad.Don’t Forget About Mobile Devices! Detailed discussion of this topic would require anotherwhitepaper but it is important to remember that mobile devices such as smartphones and tabletsthat are connected to a company’s network can also present security problems. These devices 13
  • most likely contain confidential information, emails, files, and other communications. A breachon one of these devices can be just as damaging as a breach to a desktop PC, and they can beeasier to accomplish. Firms should be diligent in their management of mobile devices. Ifpossible, firms should stick to one kind of smartphone and one kind of tablet rather than lettingemployees use their personal devices. While providing a cell phone or tablet to an individualwho already has one may seem like unnecessary expense, it could prevent a costly data breachdown the road.Multiple Networks. As previously mentioned, one strategy for preventing negativeconsequences of personal use of social media at work would be to have two separate networks –one for personal use and one for business use. This is more costly to implement and maintainbut provides a very important benefit of keeping the malware and viruses that could potentiallybe downloaded from social media sites away from the important business network. This is fairlyuncommon in practice as many firms believe their diligent updates of antivirus and antimalwaresoftware will take care of any problems that arise. As history has shown us however, there areoccasionally new threats that emerge that this software is not equipped to handle. Separatenetworks provide an added layer of security that is worth consideration.ConclusionThe decision to use social media in spite of its threats is a choice that must be made by each andevery company, holding their objectives and values in mind. Some companies cannot realizemany benefits by using social media and so the decision to block social media is not as difficult.But many companies are finding ways to use social media to their advantage now, especiallygiven the exponential increase in popularity of these sites in recent years. This whitepaper doesnot seek to advise firms on whether or not to use social media, only on what firms shouldconsider before making the decision and what steps they can take to mitigate the risks. Socialmedia is not as easy to control and monitor as email, but with a specific plan in place andexcellent communication and training in place for employees, management can becomecomfortable with social media. Above all, firms must be diligent, and constantly remindemployees of the social media use policy and trainings available because history has shown usthat firms can become overly lax and comfortable with their security as time goes by andbreaches do not occur. New employees especially are a risk and should be trained on the dangersof social media use immediately upon being hired. By all accounts, social media is going to bearound for a long time to come. If firms hope for a likewise lengthy existence, they must decidenow to take social media opportunities and threats seriously…or be left in the dust. 14
  • Annotated BibliographyBoudreaux, Chris. “Social Media Governance: Empowerment with Accountability”. November 2011. URL <http://socialmediagovernance.com/policies.php> Resource Type: Other – Social Media Policy Database This source was used to direct access to examples of social media policies, as supplemental materials to interested readers.Cohen, Jackie. “Most Facebook Users Blindly Click Malware Links”. All Facebook. 9 December 2010. URL <http://www.allfacebook.com/most-facebook-users-blindly- click-malware-links-2010-12> Resource Type: Trade Press Article This source was used to show that most Facebook users click on malware links without first scanning for threats to security.Fiserv. “Financial Institutions and Social Media”. November 2010. URL <http://www.fiserv.com/WP_financial-institutions-social-media-white- paper_nov2010.pdf> Resource Type: Vendor White Paper This source was used to emphasize how reluctant customers are to trust social networking to not distribute their personal information.Investors.com. “Websense Security Survey: IT Stresses as Data Breaches Put Jobs on the Line”. Investor’s Business Daily. 20 October 2011. URL <http://news.investors. com/Newsfeed /Article/137168292/201110200800/Websense-Security-Survey-IT- Stresses-as-Data-Breaches-Put-Jobs-on-the-Line.aspx> Resource Type: Trade Press Article This source was used to report results of a survey providing evidence that a large percentage of organizations have experienced breaches of confidential information as a result of social networking.“Is Your Acceptable Use Policy Social Media-proof?”. M86 Security. 23 August 2011. URL <http://www.m86security.com/documents/pdfs/white_papers/business/ wp_is_your_aup_social_media_ proof.pdf> Resource Type: Vendor White Paper This source was used to demonstrate some professional recommendations on how to protect a network against malware. 15
  • ISACA. “Social Media: Business Benefits and Security, Governance and Assurance Perspectives”. May 2010. URL <http://www.isaca.org/Knowledge- Center/Research/Documents/Social-Media-Wh-Paper-26-May10- Research.pdf?id=c0177e6a-fc5c-4eb7-872d-82f5c536f4ff> Resource Type: Professional Organization White Paper This source was used to provide guidance on how social media policies should be enacted in order to ensure employees are aware of the dangers of posting confidential or sensitive information online.“Managing Social Media for Network Security”. Enterprise Networking Planet. 14 November 2011. URL <http://www.secnap.com/pdf/support/whitepapers/network- security-social-media.pdf> Resource Type: Consulting White Paper This source was used to provide an example of how experts stress strong passwords and better password management.Marketer Pulse. “Corporate Reputation Threat Posed by Social Media Platforms (Study)”. 27 October 2011. URL <http://www.marketerpulse.com/2011/10/27/ corporate-reputation-threat-posed-by-social-media-platforms-study/> Resource Type: Trade Press Article This source was used to support the growing concern over reputation damage from social media.Martindale, Nick. “Employers leaving themselves exposed to social media risks”. Personnel Today. 13 October 2011. URL <http://www.personneltoday.com/ articles/2011/10/13/ 58033/employers-leaving-themselves-exposed-to-social-media- risks.html> Resource Type: Trade Press Article This source was used to provide support that companies are still catching up in terms of their IT security when it comes to social media. A greater percentage of survey participants were concerned about breaches of confidential information through social media (34%) than had social media use policies in place (25%). 16
  • Panda Security. 1st Annual Social Media Risk Index for Small to Medium Sized Businesses. September 2010. URL <http://press.pandasecurity.com/usa/wp- content/uploads/2010/09/1st-Annual-Social-Media-Risk-Index.pdf>. Resource Type: Vendor Research This source was used to demonstrate the adverse financial effects created when organizations fall victim to social media related malware.Privacy Rights Clearinghouse. Chronology of Data Breaches. 13 November 2011. URL <http://www.privacyrights.org/data-breach/new> Resource Type: Other – Historical Breach Tracking Site This source was used to provide an example of a breach of confidential information on Facebook.Rashid, Fahmida Y. “Network Breaches, Social Media, Smartphones Worry Administrators: Survey”. eWeek. 4 May 2011. URL <http://www.eweek.com/ c/a/Security/Network-Breaches-Social-Media-Smartphones-Worry-Administrators- Survey-430279/> Resource Type: Trade Press Article This source was used to report results of a survey providing evidence that social media security is a significant problem and concern for organizations.Sophos. “Social media in the enterprise: Great opportunities, great security risks”. June 2010. URL <http://www.sophos.com/medialibrary/Gated%20Assets/ white%20papers/ sophossocialmediawpna.pdf> Resource Type: Vendor White Paper This source was used to offer some ideas on how employees can avoid damaging their company’s reputation through their use of social media. 17
  • Symantec.cloud. “Social networking, security and your business: a guide for IT managers”. February 2011. URL <http://www.google.com/url?sa=t&rct=j&q= white%20paper%20social%20networking%2C%20security%20and%20your%20b usiness&source=web&cd=2&sqi=2&ved=0CFoQFjAB&url=https%3A%2F%2Fsu bscriber.emedia.co.uk%2F(S(gjnf4r55virqri34sm4kv045))%2FFM%2FGetFile.aspx %3Fid%3D91678.1.1769979.SCMHWNOK&ei=p5DBToSmJqLx0gG9hcH6BA&us g=AFQjCNEV-s3G6McCvQEgQ0rlcm1pG5MsKA> Resource Type: Vendor White Paper This source was used to demonstrate that corporate reputation is often an afterthought for employees.The Times of India. “Social Media Increases Malware Attacks: Survey”. 12 October 2011. URL <http://articles.timesofindia.indiatimes.com/2011-10-12/security/ 30270273_1_social-network-business-malware> Resource Type: Trade Press Article This source was used to report results of a survey providing evidence that social media security is a significant problem and concern for organizations.Zetlin, Minda. “Unintended Consequences: How to Keep Social Media from Becoming a Security Risk”. Inc.com. 11 January 2011. URL <http://technology.inc.com/2011/ 01/11/unintended-consequences-how-to-keep-social-media-from-becoming-a-security-risk/> Resource Type: Trade Press Article This source was used to provide an example on data leakages can happen when unsuspecting employees post seemingly innocent information on their social media sites. 18