Evaluating Corporate Social Media Strategies

November 10, 2009 by ADMIN

Daniel Wallace, Information Security Consultant at Grow Forward

How vendors, integrators and consultants can position themselves to support CISOs with corporate social media adoption…

In the past I have written articles and advised CISOs on how social media technology can be used as a vehicle for information security awareness.

Recently I was interviewed by Nicole D’Amour of Search Security Channel for a podcast in which I openly advocate the use of social media tools in the enterprise and describe how third-party information security vendors can assist their customers in securely adopting this technology.

I understand that this view puts me at odds with much of the information security community, as I’ve seen survey statistics indicating that as many as a third of large corporations block the use of social networking sites.

I would like to see the security function and the CISO in particular taking the lead in helping the business leverage the full potential of social media.

Information security vendors, integrators and consultants should position themselves to support their customers in this regard.

Vendors, integrators and consultants in the information security space should not try and overcome a CIO or CISO’s aversion to adopting social networking technology in the workplace.

The CIO/CISO’s business stakeholders will likely work to overcome internal obstacles to social media adoption.

HR already knows that Facebook and LinkedIn are great tools for sourcing and screening candidates.

Customer-facing functions such as sales, marketing, public relations and customer service are coming to realize that customers want to engage in a dialogue, not a monologue, and social media is a great facilitator of this two-way communication.

An IT manager that becomes an obstacle to adoption of social media based on security concerns is likely to eventually lose the support of key business constituents.

Once this happens, the vendor community is going to be asked more often for its opinion as it learns to support products beyond the traditional boundaries of the enterprise, such as social networking.

Third-party vendors are in the best position to share customer experiences, both successful and otherwise.

Examples of Companies Embracing Social Media

The notion that social media sites are little more than a trendy consumer oriented technology is misguided.

The personal computer was invented in the 1970s as a consumer electronics device but now occupies a prominent place in corporate cubicles, conference rooms and offices everywhere.

Social media sites may have been invented for college students to swap pictures but now these sites are translating into real business. For example, Ford Motor Company has an executive in charge of social media.

Zappos encourages all of their employees to have Twitter accounts so they can interact with current and potential customers.

Zappos actually trains its employees on the proper use of Twitter during new-hire orientation, and the CEO of the company, Tony Hsieh, has over 1.2 million followers, including myself.

IBM has a social media policy document, available online, which encourages employees to blog and participate in social media forums and sets clear parameters for acceptable behavior.

Macy’s has a Facebook site and an invitation to “friend” the department store is displayed prominently on the landing page of the retailer’s website.

Both Barack Obama and John McCain had LinkedIn profiles for the 2008 presidential campaign.

Starbucks, Amazon.com, Whole Foods and CNN are household-name brands that have a significant presence on Twitter.

Social media presents a long-term growth opportunity for vendors, integrators and consultants whose products and competencies are perceived as mitigating the risks inherent in emerging social media technologies.

Social Networking Risks

It is important for anyone selling in the security space to have at least a basic understanding of social networking and social media risks.

An April 2009 survey commissioned by RSA of 100 top security executives at companies with revenues of $1 billion or more found that 70% of survey respondents reported experiencing a security issue in the last 18 months as a result of the increased use of social media and mobility tools.

The most prominent risks are either technical or social in nature.

Technical breaches occur primarily through web application security weaknesses or by end users uploading and/or downloading inappropriate content.

Social threats relate to malicious outsiders tricking unsuspecting employees into doing something that will assist them in successfully carrying out their attacks.

Disgruntled insiders can also be a source of social threats, as can well-meaning employees who are uninformed or misguided with respect to handling themselves and company business on social networking platforms.

Specific examples of security related social media risks and exposures include the following:

Malware Infestation: The most common cause of a security incident relating to social media use is largely a technical risk.

Malware infestation can happen when an end user intentionally or unintentionally does something that causes viruses, spyware and other malware to be downloaded onto their computer.

Ads and banner advertisements have malware and hidden code behind them; shortened URLs can be a source of malware, as can legitimate sites that have been contaminated through SQL injection.

Data Breach or Leakage: The second most common type of social networking security risk has largely been exploited using social techniques.

Employees may discuss confidential customer or internal matters on social networking sites of their own volition.

On the other hand, individuals associated with a company may be targeted by a social engineering scam and tricked into divulging organizational secrets.

Data breach incidents that involve social networking tools as part of the attack vector have thus far tended to be more isolated than incidents that attack an access point, such as a wireless device, or another type of network intrusion.

Identity Theft: The third most common social networking security risk is both technical and social. Some social media sites allow third-party applications to run that have access to a user’s profile credentials.

The application may actually take over the account or pass the credentials on to someone else.

Think about what kind of risk that brings to a company with an official social networking presence or an individual using social networking in an official capacity.

Then there is the age-old problem of users sharing their user IDs and passwords with other people. I think everyone understands why that isn’t a good idea and the problems that can cause.

Legal Problems: Most business activities have legal ramifications, and social media is no exception. Legal issues can arise when an organization does not adequately address social media in company policy.

Less than half the companies in the RSA survey had developed a policy governing social media in the organization.

Eric B. Meyer, an Associate in the Labor and Employment Group of Dilworth Paxson LLP, recently discussed, in an article appearing on Mashable, what companies should consider from a legal perspective in developing a social media policy.

He states:

  • Employers need to be upfront with employees that they have no right to privacy with respect to social networking. “Employers reserve the right to monitor employee use of social media regardless of location (i.e. at work on a company computer or on personal time with a home computer).”
  • Employees “should be made aware that company policies on anti-harassment, ethics and company loyalty extend to all forms of communication (including social media) both inside and outside the workplace.” People need to remember that bashing your organization/boss/co-workers online can lead to consequences at work.

Business Reputation: Back in April a couple of Domino’s Pizza employees filmed themselves doing vile and disgusting things to food that presumably would be served to a customer, then posted the video on YouTube.

The incident received widespread media attention and the employees involved were fired.

A disgruntled employee may seek to take revenge on their employer by discrediting the reputation of the company on a social networking site.

Social networking sites are easy to use, and one doesn’t need to be IT-savvy to create content that later goes “viral”.

What can VARs do to help customers address these risks?

Product vendors, OEMs and resellers need to be prepared to demonstrate to their customers how technologies such as anti-virus, anti-malware, web filtering, white/blacklists, network monitoring, DLP and perimeter device controls can be leveraged to minimize the technical risks inherent in social networking, notably malware infestation, data leakage and data breach.

CIOs and CISOs are aware of the risks I’ve described, and they are going to be asked by their business stakeholders to develop a plan to address them.

This plan will likely need to be more encompassing than merely blocking social media sites at the firewall.

Vendors with the answers that enable their customer contacts to develop the tactical and strategic plans the business demands are likely to be perceived as bringing value to the table.

Service vendors and professional practice consultants should prepare to advise their clients on policy matters.

Clients will likely need assistance and guidance on developing enterprise-wide social media policies and guidelines for employees.

Once the policy is created there needs to be a follow-on awareness and education program so employees clearly understand what is expected of them.

Service providers can create value for the client by building a competency, grounded in experience, around governing social media, including social media-specific policy considerations, the impact of social media technology on other more common policies such as incident response, and a framework, or perhaps tools, for rollout and awareness.

These types of solutions will address many of the social risks that technology cannot easily mitigate, such as social engineering attacks, leaks by well-meaning employees and reputational exposure.

Finally, a new and evolving service and product area is online reputation management or ORM.

ORM is the practice of consistent research and analysis of a company’s or industry’s reputation as represented by the content across all types of online venues including social media.

The explosive growth in social media has fueled growth in the ORM space.

From a security perspective, ORM gives companies the capability to monitor what is being said about them in the wild and what employees are saying on blogs and social media sites.

Vendors that have products which enable customers to perform this function more efficiently or service providers who can demonstrate proficiency will have a very compelling value proposition.

* * *

Daniel P Wallace is an information security consultant, project manager and blogger based in Detroit, MI. As Principal Consultant of Grow Forward, LLC he advises organizations throughout the United States on matters of information security strategy and tactical execution. He can be reached at dwallace@growforwardllc.com or (734) 259-4858.

LinkedIn - http://www.linkedin.com/in/wallacedan

Twitter – http://twitter.com/dpwallace

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com


Comments

2 Comments on Evaluating Corporate Social Media Strategies

  1. uberVU - social comments on Tue, 10th Nov 2009 11:16 pm

     Social comments and analytics for this post…

     This post was mentioned on Friendfeed by Anthony M. Freed: http://ping.fm/xxDCG Evaluating Corporate Social Media Strategies…

  2. The Art Of War on Mon, 11th Jan 2010 8:12 am

     The Art Of War…

     …You might want to take a look at…
