Everyone knows the biggest thing on the Internet these days is social networking. Businesses and individuals use Twitter, Facebook, MySpace, Digg and Delicious-just to name a few-to build and maintain relationships. The question is, with whom? Friends, colleagues and customers? Or criminals?
At the core of the issue are two factors: user identity and user-contributed content. Did you know that Jessica Biel is everyone’s friend on Facebook? Or at least someone claiming to be Jessica Biel is-she’s the most counterfeited celebrity on the Web. How many of your users would be ecstatic to become Biel’s friend, only to find out the links on her page lead to malware sites pushing drive-by downloads?
For some strange reason, users seem to think they’re completely safe online. How many times have you heard someone say, “It must be true. I read it on the Internet”? Let’s face it, there’s a sucker born every minute. Three hundred and fifty million of them use Facebook. Social networks provide a plethora of information as well as a rich environment for attackers. It is all too easy to write a Facebook application that pushes malware onto a user’s computer, and I get direct messages from malware bots on Twitter on a daily basis.
There are also legal risks as well as threats to company and employee reputation. It’s very easy to be frustrated at work and hop on Twitter to complain. An excited salesperson has a good meeting with a prospect and tweets about it, and the competition reads the tweet and moves in to undersell. Or maybe an employee leaves a meeting with hot insider news and can’t wait to update his Facebook status with it. What do you do if an office argument goes public with employees railing against each other over Twitter? And how about when Joe in accounting Facebooks those photos of your CEO in a Speedo smoking pot, drinking beer and womanizing at the last corporate retreat?
This scares information managers to death. And with good reason. It was not very reassuring when Mark Zuckerberg, founder of Facebook, declared that “the age of privacy is over.” Does a better way of ensuring that companies ban Facebook even exist?
Given these threats, some IT departments have decided to block social networking sites completely. In my opinion, this is an immature knee-jerk response and the more appropriate choice is to train users on proper usage and then enforce those policies. Banning social networking tools is sort of like saying because Chris Henry of the Cincinnati Bengals died in a pick-up truck accident we should outlaw all pick-up trucks. Seems sort of silly, doesn’t it?
According to Forrester Research, business use of social media doubled from 11 to 22 percent between 2008 and 2009. There are many business benefits to using social networks. Davis Janowski of Investment News summed up how financial advisers are using social networks in an article April 26, 2009: “to attract clients, to develop relationship with [business partners] … and also to display their expertise.” Many companies are turning to Twitter to provide customer support. I even have a great story about Iams responding to my cat food concerns immediately via Twitter. Incidentally, I have an equally negative story about Travelocity’s half-hearted attempt at addressing my complaints about their excessive hold times.
And it’s not just the ability to interact via social networking sites. Perhaps the greater advantage to business is the ability to mine others’ interactions via social networking. What company doesn’t want to know how its brand is perceived?
However, in Forrester’s January 2010 report, “Twelve Recommendations for Your 2010 Information Security Strategy,” analyst Khalid Kark suggests that businesses “address risks associated with social media,” particularly “less control over corporate data.” One reason that IT departments are struggling to address the security risks presented by social networking is that there is no purely technical solution. This means that the traditional approach to security of throwing money at a bunch of point solutions isn’t going to work. A combination of technology and administrative controls is needed, as is the most dreaded of IT tasks: end-user education.
At the heart of IT departments’ concern is the fact that social networking can expose intellectual property, inside secrets and procedures to the public, and, worse, to competitors.
Three Ways to Keep Networks Secure
While an acceptable use policy is not a solution in and of itself, it is a necessary component of any Internet safety program. Draft a document that explains why employees must follow the policy, provides concrete examples of how to follow the policy and gives details regarding the penalty for not doing so. All employees, regardless of rank or job task, must be required to sign a statement saying they have read the policy.
In spite of the fact that most IT employees would rather be waterboarded with bamboo shoots under their finger nails while listening to Barbra Streisand singing in “Yentl” than actually explain something to a user, a solid social-computing safety training class is a powerful preventive measure that will yield benefits. Education can take place in a classroom setting or online; in either case, make sure you know who took the class and who didn’t.
Employees need to understand the risks to their personal information as well as to corporate data and reputation. Training should start with an overview of the threats that are present, progress to the benefits of social networking, and provide detailed examples of what is safe and what is not. Employees should feel free to ask questions, especially because this is somewhat of a gray area where many issues require clarification.
There are technological approaches to protecting users on social networks. Of course, a multilayered, defense-in-depth security strategy should be maintained. This means protecting endpoints, servers, networks and network perimeters. Many of today’s attacks use multiple vectors, so protection must be comprehensive. For example, an imposter may become a user’s Facebook friend and then e-mail him a link to a malware site. Security approaches that could be involved countering this include e-mail filtering, Web filtering and desktop anti-malware. DLP and networking monitoring play a role also.
In addition, more and more upper-layer devices are coming on the market in an attempt to address the security concerns presented by social networks. These range from devices that make background checks on Facebook accounts to sophisticated DPI (deep packet inspection) network devices that scan incoming and outgoing traffic for threats. As expected, a combination of approaches is most potent.
One example of such a product is the recently reviewed FaceTime USG 350. This 1U (1.75-inch) box monitors instant messaging and Web content, alerting and blocking when it discovers dangerous communications. In my testing, I coupled the FaceTime USG 350 with a Blue Coat Systems ProxySG 200 via ICAP to provide complete packet analysis, both unencrypted and SSL (Secure Sockets Layer) encrypted, and a client proxy solution. I easily configured a wide variety of hierarchical policies using regular expressions to prevent sharing of personally identifying information. For example, “XXX-XX-XXXX” blocks transmission of Social Security numbers via IM and posts to social network sites. Plus, with the ProxySG 200 I could enable Web content filtering and malware scanning. I configured my firewall to only allow Web traffic to flow to and from the ProxySG 200 and, quite honestly, this combination of protections made me feel safer.
Most businesses can benefit from social networking, so simply banning these sites does your marketing and customer relations teams a disservice and leaves a huge door open for competitors. Embrace the triumvirate of security-policy, education and technology controls-to help minimize the risks presented by this growing phenomenon.