Wednesday, March 28, 2012

Social Media Security Best Practices

Facebook, Twitter, LinkedIn and other social media platforms are invaluable tools for 21st-century enterprise collaboration and marketing, but they introduce multiple security hazards that organizations struggle to address. Dangers include confidential data leakage, reputational damage, social engineering opportunities for hackers, malware, and lawsuits stemming from inappropriate use by employees who see social media as platforms for personal expression.

Prohibiting social media use is not an option for organizations looking to be on the cutting edge of technology and marketing and to attract younger, more tech-savvy job seekers. Instead, these companies have to address the challenges of social media the best way they can with education, policy, and technology. Here are some best practices to consider.

Education

Social media users tend to see Facebook and Twitter as vehicles for personal expression and often don’t understand the risks they pose to your organization. You can put policies and tools in place, but if your employees don’t buy into or understand the logic behind them, they won’t comply. It’s important to educate employees about social media hazards, including those listed above.

Reputational damage and data leakage are two of the risks organizations find most difficult to control. Organizations need to teach users that anything they say about any company’s products or customers, or about any town or city’s inhabitants, may be seen as opinions expressed by the organization they work for. Any personal profile information about their title or organizational role, or details they divulge about company initiatives, travel, technologies, or management, may be used by hackers for social engineering or phishing purposes. Inappropriate use of social media for bullying, harassment, or racist purposes may subject employees or your organization to lawsuits. Users should also understand that postings on these sites will be there for a long time, possibly forever.

Users also have to be extra vigilant about friending bogus Facebook accounts. A perfect example is a bogus account impersonating NATO Supreme Allied Commander Admiral James Stavridis, which was used by hackers to harvest thousands of sensitive user photos, phone numbers, and email addresses for social engineering attacks. It’s important to reinforce education periodically through additional seminars or emails and to draw attention to social media exploits that get significant media coverage.

Policy

Every organization should have acceptable use policies for general Web use and social media that detail which social media sites are acceptable for use by whom, for what purpose they are acceptable, and what types of behavior are not permitted on these sites. Spell out what confidential information should not be revealed by employees on these sites, what information should not be included in profiles, and how to use disclaimers for any personal opinions expressed by an employee. You may want to have specific policies for sites such as Facebook, which have unique privacy concerns and controls. Your policy should also spell out disciplinary actions that will be taken if policies are not followed.

Users should also be cautioned not to use their work user names and passwords for public social media sites and to use caution when clicking on Facebook links or downloading applications. If necessary, you can forbid and block Facebook downloads. You may also want to consider a separate set of policies for human resources, marketing, sales, or any department for which social media can be a benefit, distinct from the policies for other departments. Make sure you get employee input when devising your policy so that it’s practical and likely to be followed.

Tools

Tools are essential for controlling and monitoring social media use, but they are not a substitute for education and policy. Several security tools and services can be applied to social media use with varying success. Some of these are gateway and endpoint anti-malware solutions, web use monitoring and filtering tools, and social-media-aware data loss prevention tools. Make sure you don’t neglect tools that can apply policy to smartphones and other non-PC devices.

Social media security is a work in progress, so make sure you follow the trends and solutions as they evolve.

For more on how McAfee technology solutions can help prevent both malicious and careless social media incidents, be sure to read the McAfee whitepaper Securely Enabling Social Media, and follow McAfee’s own social media team, @McAfeeBusiness, on Twitter. 

By Leon Erlanger