Social Networking Security
Increasingly, employees expect to remain connected to social networking sites while at work. But these sites represent a growing threat, for instance as a source of malware.
It can be challenging to measure the exact threats posed by the variety of networking sites in this regard, says Larry Ponemon, president of the Ponemon Institute. That said, there does appear to be a significant association between a company permitting access to social networking sites and the organization’s level of malware.
Networking sites also represent a risk in the area of social engineering. Hackers can use the sites to glean information about employees to carry out targeted email, or phishing, attacks, for example.
Another significant risk is that an employee could post or inadvertently reveal sensitive information. For example, someone could say that he or she “can’t attend a party because they have to work on xyz deal,” says Chip Tsantes, a principal in the financial services office of Ernst & Young. That might have just revealed the existence of a deal or a meeting not meant to be disclosed.
Despite the risks, companies can’t just say no to social networking. That’s not practical in today’s environment, note experts. For one thing, employees are going to participate in these sites on their own time at home in any case, creating some of the exposures regardless.
Another factor is that some workers, the younger ones in particular, may avoid working for organizations that are overly strict on using social networking on the company’s network, says Per Thorseim, a security consultant at EDB ErgoGroup, a Norway-based IT services firm. In some cases, “if employers say ‘we want you here but there’s no access to social networking sites,’ there’s almost no way they’ll want to work there no matter what kind of pay you give them.”
In some cases, employees can access sites through Internet proxy Web sites. It can also be hard for organizations to block sites once they’ve already been allowed for business purposes, says Thorseim. The sites are also increasingly part of business marketing and communications efforts. For these and other reasons, “few companies have been getting more conservative on what they allow,” he says.
Given that reality, it’s important for entities to draw up strong acceptable-use policies or to reevaluate existing ones.
One element of a strong policy, particularly for highly regulated organizations, is to include language forbidding employees, unless expressly authorized, from representing the company, as opposed to themselves, online, says Tsantes. Some policies also require that employees never mention their employing organization, or even anything about their work, unless that is part of their job.
In addition to being told about the specific provisions of the policy, employees must be made to understand why it is important to follow the protocols not only at work but when using social media in their personal lives, says Tsantes. “If you explain it in the context of protecting their family and friends and then apply the same principles at the company, I think it will create a greater attention to the problem and more awareness.”
Training can include sending information to employees via e-mail or an internal Web site. It can also be helpful to train an employee after a security incident, such as a malware infection.
Management should create a culture in which it’s considered acceptable for employees to report if they may have had a malware infection or other security incident related to networking and similar sites, he says. “You want to try to reward the behavior.”
But the company must also make sure that there are negative consequences for those who do not follow the policies. A policy that is not enforced will serve no purpose.
Apart from setting parameters on what should be said on social networking sites, the company may want to monitor such activity to assess risk, to the extent that doing so is legal and pertains to work-related concerns. Certain networking sites can present greater risks than others. Some entities may want to familiarize themselves with the types of security measures taken by certain sites. Some more popular sites are actually stronger in protecting users’ security and privacy. Facebook, for instance, is “one of the safer sites” in numerous respects, Tsantes says. If a site seems insecure, the company may want to deny access to it from the company network.
It can also be important to ensure that employees do not have administrative access to their work computers, says Tsantes. Denying such access means that if employees happen to click on something that installs malware, it “will prevent most but not all infections.”
Companies may also want to implement some of the newer security measures that can further reduce the exposure to social-networking-site risks. For example, there is technology that can grant access to Facebook and other sites but make the content “read only,” says Tom Clare, Websense’s senior director of product marketing.
Newer types of data loss prevention (DLP) solutions and technology can also be effective at preventing certain kinds of sensitive information from leaving a company’s network. DLP technology tends to be most effective when it is guarding against the loss of specific sensitive information, such as credit or debit card numbers, says Thorseim. Many DLP solutions can be expensive, however, and many of the newer technologies are largely untested.
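
The point about DLP working best on specific, structured data can be seen in a small outbound-content check. This is an added example, not code from the article or from any DLP product; the function names and sample posts are constructed for illustration, and the free-text post reuses the article’s own “xyz deal” example.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings in text that look like valid card numbers."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # All-identical digits (e.g. all zeros) pass Luhn but are not real cards.
        if len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_post(text: str) -> tuple:
    """Return (allowed, masked_hits) for an outbound post; hits are masked for logging."""
    hits = find_card_numbers(text)
    masked = ["*" * (len(h) - 4) + h[-4:] for h in hits]
    return (not hits, masked)


# Constructed sample posts (4111 1111 1111 1111 is a standard test number).
SAMPLE_POSTS = [
    "Customer asked me to charge 4111 1111 1111 1111 again today",
    "Order reference 1234567890123456 shipped",             # fails Luhn
    "Can't attend the party, I have to work on the xyz deal",  # no pattern to match
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        allowed, masked = scan_post(post)
        print("ALLOW" if allowed else "BLOCK", masked, "|", post)
```

The card number is blocked and masked, while the lookalike order reference and the deal-revealing sentence both pass, which is why pattern-based DLP does not replace the acceptable-use policy and training described above.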