Early this year I wrote a white paper, as well as a higher-level op-ed column, on how government agencies can become more comfortable allowing access to public social networks by deploying proper policies, processes, and technology to mitigate many of the risks present in social media. While this particular paper was written for a government audience, many of the main points are applicable to all organizations, public or private sector.
Social networks, particularly public ones, have become part of the fabric of how we communicate and collaborate as a society. With value from micro-level personal networking to macro-level outreach, social networking has become pervasive in people's lives and is now becoming a significant driving force in business. The shared experience it delivers has changed the Web from informational to collaborative, enabling faster information sharing and quicker feedback cycles across a much broader audience. These new platforms have provided new approaches to many critical enterprise functions, including identifying, communicating with, and gathering feedback from customers (e.g., Facebook, Ning); locating expertise (e.g., LinkedIn); providing new communication platforms (e.g., Twitter); and collaborating with a community, small or large (e.g., wikis).
These business benefits of social networking are definitely compelling, and become even more so when you examine the size of the existing communities. There are now more than 400 million active users of Facebook, over 100 million users on Twitter, and over 65 million members on LinkedIn. It is hard for any organization to ignore the ability to reach their audience in such a concise and collaborative fashion.
However, many organizations have stayed away from these potential benefits, because of the significant risks associated with these sites. In general, I see four main areas of risk to an organization regarding the use of social media (there are more detailed definitions in the white paper):
1. Unapproved users speaking on the organization's behalf
2. Inappropriate posting of sensitive information
3. Malicious code/exploit distribution
4. Social engineering leading to exfiltration of sensitive information
However, information security cannot always be about saying no; it is most successful when it enables the organization to evolve and advance while ensuring good risk management principles are implemented. Historically, risk management decisions may have supported preventing the use of social media, and for certain organizations that may still be the case today. However, I believe that many organizations now have the ability to mitigate many of these risks, enabling them to gain business value from the reach and collaboration social networking provides. Below I've detailed the key areas I believe an organization should focus on to address the above risks.
To be clear, this is more than just applying technology to address risk. Technology alone cannot solve the problem. I am very proud of the fact that Fidelis took a leadership role in helping manage social networking use and content disclosure, releasing this functionality over a year ago. However, technology is just one aspect required, so this list also covers organizational policy issues and end user education and training.
1. Ensure existing employee codes of conduct and policies cover social networking.
2. End user training on the benefits, risks, policies, and organization goals for the use of social networking applications.
3. Create official profiles for the organization and key executives on the major social networking sites.
4. Ensure security solutions at the network and endpoint are inspecting communications to and from social networking sites, and that updates are applied in a timely manner.
5. Implement technical controls governing how social networking can be used and what content can be posted.
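To make the last two items concrete, here is an added example of the kind of outbound-content policy check that a network or endpoint control could apply to posts bound for social networking sites. It is illustrative code written for this post, not code from Fidelis XPS or any other product. It addresses risk 1 (only approved users may post from an official organization profile) and risk 2 (posts containing classification markers, a project codename, an SSN-like identifier, or a Luhn-valid card number are blocked). The domain list, the official account name `acme_official`, the approved user `alice`, the codename "Project Bluefin", and all sample posts are constructed assumptions, and a real deployment would pull these from the organization's own policy.

```python
"""Outbound post policy check for social networking destinations.

Added illustration, not vendor code. All policy data below is constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed policy data (constructed for this example).
SOCIAL_DOMAINS = {"facebook.com", "twitter.com", "linkedin.com"}
OFFICIAL_ACCOUNTS = {"acme_official"}          # hypothetical org profile
APPROVED_SPOKESPEOPLE = {"alice"}              # hypothetical approved users
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")
PROJECT_CODENAMES = ("project bluefin",)       # hypothetical codename

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; validated with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on order numbers and similar."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_social_destination(url: str) -> bool:
    """True if the URL host is one of the policy's social domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)


@dataclass
class Decision:
    action: str                       # "allow" or "block"
    reasons: list = field(default_factory=list)


def find_sensitive(text: str) -> list:
    """Return a list of reasons the text should not leave the organization."""
    reasons = []
    upper, lower = text.upper(), text.lower()
    for marker in CLASSIFICATION_MARKERS:
        if marker in upper:
            reasons.append(f"classification marker: {marker}")
    for name in PROJECT_CODENAMES:
        if name in lower:
            reasons.append(f"project codename: {name}")
    if SSN_RE.search(text):
        reasons.append("SSN-like identifier")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            reasons.append("Luhn-valid card number")
            break
    return reasons


def check_post(url: str, account: str, user: str, text: str) -> Decision:
    """Apply the policy to one outbound post.

    Non-social destinations are out of scope here and allowed. For social
    destinations, block when an unapproved user posts from an official
    profile (risk 1) or when the body carries sensitive content (risk 2).
    """
    if not is_social_destination(url):
        return Decision("allow")
    reasons = []
    if account in OFFICIAL_ACCOUNTS and user not in APPROVED_SPOKESPEOPLE:
        reasons.append(f"user {user!r} is not an approved spokesperson for {account!r}")
    reasons.extend(find_sensitive(text))
    return Decision("block", reasons) if reasons else Decision("allow")


if __name__ == "__main__":
    # Constructed sample posts exercising each rule.
    samples = [
        ("https://www.twitter.com/compose", "acme_official", "alice", "Welcome to our new office!"),
        ("https://www.twitter.com/compose", "acme_official", "bob", "Big news soon"),
        ("https://www.facebook.com/", "bob_personal", "bob", "Project Bluefin launches next month"),
        ("https://www.linkedin.com/", "bob_personal", "bob", "My card 4111 1111 1111 1111 got declined"),
        ("https://www.linkedin.com/", "bob_personal", "bob", "Order 1234 5678 9012 3456 shipped"),
    ]
    for url, account, user, text in samples:
        d = check_post(url, account, user, text)
        print(f"{d.action:5} {user}@{account}: {text!r} {d.reasons}")
```

The Luhn step matters in practice: a bare "13 to 16 digits" rule would block the shipped-order message as well as the card number, and that kind of false positive is what makes users route around the control. Codenames and classification markers are the cheapest high-signal indicators an organization has, so they belong in the policy before any generic pattern.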
If you'd like to hear more, the entire white paper is available in the Fidelis XPS Resource Center, or please feel free to contact us!