As businesses move at a rapid pace to integrate social media into their overall corporate strategy to engage, build brand awareness and drive thought leadership, security has unfortunately taken a back seat, leaving businesses wide open to Web 2.0 threats.
The use of Web 2.0 has opened new risk channels for the bad guys, who exploit users' trust to gain control of their passwords and infiltrate the "trusted" community. This has added a new element to disaster control for businesses. It is time for businesses to wake up and understand the security implications of their everyday use of social media in the workplace.
According to a new study by Sophos, more businesses are growing concerned over the use of social networks, starting with Facebook. This is nothing new, especially to those of us who work in the security industry. Managing social media for Lumension, I have found security has played and continues to play an important role in our every business discipline, especially with the broad adoption of social networks in the workplace.
A few interesting stats on social media and security:
- According to the Sophos study, more than 72 percent of firms believe that employees' behavior on social networking sites could endanger their business' security.
- That share has risen from 66 percent since April 2009.
- Further, according to eWeek, the number of businesses that were targets for spam, phishing and malware via social networking sites increased dramatically, with spam showing the sharpest rise from 33.4 percent in April to 57 percent in December.
- SC Magazine reports that during the past year, there has been a rise of 70.6 percent in social-networking spam and a 69.8 percent rise in malware being sent. Respondents pointed to Facebook as being the biggest security risk, followed by MySpace and Twitter.
Businesses need to not only think in terms of the brand equity they're building on the Web, but also of the risks this will pose to their precious data and proprietary systems. Businesses need to put security front and center in order to protect brand and customer confidence while learning to adopt the right controls, user education and policies.
5 Steps to help you navigate social networking without losing control:
1. Understand your user landscape - Run a social computing survey on how your users are currently using social media, types of social networks and frequency of use. This will give you great guidance on setting the framework for your strategy, education and social media policy.
2. Build the terrain - Developing a social media strategy is crucial and needs to involve the executive team and other key teams (including IT) to ensure that you're using social media as a leverage technology rather than a burden technology. Everything will fall apart if you don't have a firm guiding strategy that aligns with corporate objectives and is approved from the top. The strategy should include objectives, key channels of focus, level of engagement, ownership, monitoring, communication, policy and a disaster plan.
3. Educate users - According to a Nucleus Research Report titled "Facebook: Measuring the Cost to Business of Social Networking," 75 percent of those interviewed have a Facebook account. Nearly 61 percent access Facebook during work hours; those who access Facebook at work do so for an average of 15 minutes daily, with the range as low as one minute and as high as 120 minutes. It's the dawn of a new era where mass collaboration is taking place and social computing in the workplace has become a reality. To that point, user education is key, as businesses no longer have control unless they lock down application use for their users. By taking steps to learn and extend lessons on the latest security threats and exploitation history of these social networking sites, you can mitigate further harm to your users and company data and systems. Set up quarterly workshops on social media and security. Teach your employees industry best practices on how to use these tools while staying safe online.
4. Set controls and policy - While social media is about giving users the freedom to engage online, it's no longer about the users. The risk is too great for your brand reputation and customer confidence. According to Forbes, in the first half of 2009, more than half of all security vulnerabilities disclosed were related to Web applications. Today, social media doesn't reside solely in the hands of the social media strategist or the marketing team. We must learn to collaborate across IT teams and the entire organization to put the right controls and policies in place. The social media policy should cover not only how to use social networks but also the inherent risks involved in using them. Also, IT teams need to work with the social media person or group to provide guidance on what should be allowed and why. This information should be included in the social media policy.
5. Listen and monitor - While most of us know how to listen for and monitor our brand and conversations online, we have to extend this listening discipline to monitor what our employees are doing. Also, listen for ongoing exploits taking place in the social mediasphere and communicate frequently on the risks and mitigation steps for the users.
Other Resources:
Blog post originally posted on Lumension's Optimal Security Blog.
Nucleus Research Report: Facebook: Measuring the Cost to Business of Social Networking
The Optimal Security Blog: Sesame Street Simple Guide to Surviving Malicious Attacks on Facebook
The Optimal Security Blog: My Password is My Password
Forbes: Security Prescription for 2010
ITSMA: Have You Given Your Employees Permission to Use Social Media?