Social networking sites themselves are not generally a concern; it is the behavior of the users that presents a risk;
When considering the possibility of leakage of confidential information or intellectual property, exposure through word of mouth can be hard enough to control, but words can be forgotten. An individual making a comment on the Internet to an audience of thousands greatly increases this threat, and posts can be found through a search engine indefinitely;
Viruses and worms are often incorporated into fake profiles, e-mails or postings from social network ‘Friends.’ Careless use could lead to inadvertent downloading of malware, spyware, adware or ransomware, or even the hijacking of the account; and
There is a threat of exposure to offensive web content via links contained in e-mails, posts and tweets.
After reviewing these risks and benefits, there are several options available to businesses when considering the use of social networks.
Allow unrestricted access to social networking sites: providing employees with unrestricted access could boost morale; however, there is the potential for this access to be exploited;
Allow restricted access to specific sites and/or at specific times: allowing employees access to certain sites, perhaps those designed for business networking, or allowing access to personal sites only outside of business hours or during lunch;
Allow access to social networking sites only to those authorized to use a business profile: for example, marketing teams that update the site with business-related information;
Block access to all non-business-related sites for all employees: only allow access to sanctioned business-related programs; and
Block Internet access to all: this is an unlikely option since many companies now use Internet-based programs for day-to-day operations.
Creating a Social Networking Policy
For those businesses that decide to use or allow access to social networking sites, it is crucial to implement and maintain a social networking policy. The policy will provide employees with guidance so that they are accountable for their actions. While specific components of the policy will vary depending on the nature of the organization and how it uses social networking, there are several elements that should form the basis for any social media plan.
1. Guidelines and Restrictions
It is important to establish a level of control that provides protection while allowing the informality that is the foundation of social networking. Business data should be classified so that employees are fully aware of what sensitive information is and what can and can’t be mentioned on profiles or in posts. Also, determine who is authorized to access corporate content and modify accounts on behalf of the company.
Remember that mobile devices such as smartphones and tablet PCs are also at risk from hackers, so be sure to specify if employees are permitted to access social networking from these devices.
2. Education and Training
Educating employees on the acceptable use of social media is essential to reducing the risks. Each employee represents the company, and a thoughtless tweet about a product launch or personnel change has the potential to damage reputations.
Consider limiting the posting of corporate data unless authorized, and clearly state the consequences of failure to follow policy: disciplinary or dismissal procedures can be implemented for employees who violate policies. Although this may seem heavy-handed, prevention is always better than cure.
3. Monitoring
Once a policy has been approved, it is important to monitor the activity relating to the business. Check the networks for the company or product names and find out what is being said. If customers are losing faith in the company, take the opportunity for promotion by addressing concerns. Failure to monitor on a regular basis could lead to loss of sales and damage to reputation. Monitoring can also be an opportunity to see what people are interested in, helping to shape future campaigns.
4. Maintenance and Updates
It is worth remembering that unless your web security software is capable of fulfilling the requirements stated in the policy, the policy itself will be useless. Regular reviews of software capabilities, changes to programs and security settings should be undertaken.
5. Incident Response Plan
If a business faces a crisis -- for example, loss of systems or product faults -- an incident response plan should include measures for addressing issues via social media. Recalling products and providing updates on service availability can provide customers with assurance that the issue is being dealt with. If handled swiftly and correctly, this action could limit the impact on reputation.
Social networking has evolved so rapidly that many companies struggle to keep up with the changes and subsequent implications. The growth shows no signs of slowing, so it is important to remain vigilant to the threats. Education is essential across all levels of the business to ensure that the advantages of using social media are not negated by the risks.
CS Risk Management is exhibiting at Infosecurity Europe 2013, April 23 – 25. For further information, please visit www.infosec.co.uk.