Risk
5/20/2014 12:00 PM
John W. Pirc
Commentary
6 Tips For Securing Social Media In The Workplace

Empower employees by training them to be aware and secure, and in how to avoid becoming a statistic.

The use of social networking, for most people, has become a daily habit or addiction. Initially, people used social media primarily outside the workplace to connect with close friends, family, and employment opportunities. Today, social media is as pervasive inside the workplace as out, and people are tweeting, linking, and connecting -- on company assets, bandwidth, and time.

(Image: Flickr)

For the corporate security team, this has opened the door to a wide range of vexing issues from heavy users (like me!) who will access Facebook and Twitter on their mobile devices, regardless of policy. But rather than continually fight the trend, I recommend that organizations resign themselves to the fact that employees are going to use social media at work. The solution is to make sure people use social media appropriately and securely. Here are six tips to make that happen.

  • Establish a social media policy and implement training. In every company I’ve worked for, we had a social media policy. The following link on social media governance provides examples of policies that are being used by large companies across most industry verticals. Additionally, during the onboarding of new employees and contractors, companies should provide the social media policy and have them sign off that they have read and understood it. I would also recommend quarterly training for the organization’s public-facing employees who represent the company in outbound communications.
  • Promote the use of strong passwords. This should be the first thing covered in the policy. Passwords should be complex, and employees should be reminded that the passwords they use for social media must not be the same as their corporate login. I highlight this point because I’ve seen many compromises where the adversary was able to access multiple accounts because the individual used the same password for all of them.
  • Utilize infrastructure security controls such as application control and encryption. Some network security products can provide application control for Facebook and Twitter. These controls range from allowing users “read-only” access to Facebook posts and tweets, to full access that allows posting and uploading video and images. Although this type of control is useful, it does not work well when Facebook and Twitter use SSL by default: if your organization has no way to decrypt Facebook and Twitter traffic, it will not be able to use the application control feature. It’s important to find a network security solution, such as a next-generation firewall or dedicated SSL appliance, that can decrypt SSL traffic and scale to your organization's network performance requirements.
  • Choose Web browsers with high malware block rates. Web browsers are most often the first line of defense against malware, and there are large differences among the leading browsers in their ability to block it. In NSS Labs’ 2013 Web browser tests, Internet Explorer 10 had the highest malware block rate at 99.96%, followed by Google Chrome at 83.16%. Apple Safari 5, Mozilla Firefox 19, and Opera 12 all lagged behind with block rates of around 10% or less.
  • Location-based social media can reveal unintended information. Caution employees about checking into customer or vendor sites on apps such as Facebook or Foursquare, which can reveal competitive information or even merger and acquisition plans.
  • Be careful about posting on LinkedIn. Train employees to refrain from posts that include information about their job duties, since such posts could shed light on the sensitive projects they are working on. Additionally, if the company is involved in a merger or acquisition, executives shouldn’t accept LinkedIn requests from the company they are visiting or from their direct peers there.
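The caveat in the third tip, that application control cannot separate read-only use from posting once the traffic is encrypted, can be shown concretely. The following Python example is added here and is not part of the article or any vendor's product: it constructs a minimal TLS 1.2 ClientHello (constructed sample data), parses the Server Name Indication the way a non-decrypting network device would, and contrasts that with what becomes visible after SSL decryption. The domain-to-application table and the GET/HEAD-means-read rule are assumptions for illustration, not a real product's signatures or policy.

```python
import struct

# Constructed mapping of domains to applications (an assumption for this
# example, not a vendor's application signature database).
APP_DOMAINS = {"facebook.com": "Facebook", "twitter.com": "Twitter"}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI
    extension. Constructed sample data: zeroed random, one cipher suite,
    no other extensions."""
    name = hostname.encode("ascii")
    # ServerName entry: name_type 0 (host_name), 2-byte length, name bytes
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension: type 0x0000 (server_name), 2-byte length, data
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (zeroed in this sample)
        + b"\x00"                # session_id length: 0
        + b"\x00\x02\xc0\x2f"    # cipher_suites: a single suite
        + b"\x01\x00"            # compression_methods: null only
        + extensions
    )
    # Handshake header: type 1 (ClientHello) followed by a 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.
    This hostname is all a device that does not decrypt the session can
    read; the HTTP request inside the session is never visible to it."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                    # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                    # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip version and random
    pos += 1 + body[pos]                               # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                               # skip compression_methods
    if pos + 2 > len(body):
        return None                                    # no extensions present
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:
            continue
        lpos = 2                                       # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            if name_type == 0:
                return data[lpos + 3:lpos + 3 + name_len].decode("ascii")
            lpos += 3 + name_len
    return None


def classify_without_decryption(record: bytes) -> dict:
    """What application control can decide from the encrypted session:
    which application (via SNI), but never whether the user reads or posts."""
    host = extract_sni(record)
    app = None
    if host is not None:
        labels = host.lower().split(".")
        for i in range(len(labels) - 1):               # match parent domains too
            app = APP_DOMAINS.get(".".join(labels[i:]))
            if app:
                break
    return {"app": app, "action": "unknown"}


def classify_decrypted(method: str) -> str:
    """After SSL decryption the HTTP request is visible, so a read-only
    policy can act on the method. Assumed rule for this example: GET and
    HEAD are reads, anything else counts as a post or upload."""
    return "read" if method.upper() in ("GET", "HEAD") else "post"


if __name__ == "__main__":
    hello = build_client_hello("www.facebook.com")
    print(classify_without_decryption(hello))   # {'app': 'Facebook', 'action': 'unknown'}
    print(classify_decrypted("POST"))           # post
```

Run as-is: the first line of output shows the coarse allow/block decision that is possible on SNI alone (the application is identified, the action is not), and the second shows the read-versus-post distinction that only becomes available once the request is decrypted, which is why the tip pairs application control with an SSL decryption capability.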

While some of these best practices may seem like “no brainers,” it’s important to remind employees of them because, let’s face it, we all forget and become lax at times. It’s also important to help employees understand that while we can control what we post, we can’t always control what other people will do with the information, images, and links we share.

If companies lay out simple best practices for employees, they can save the organization from becoming a statistic. The best example I can leave you with is a reminder of the damage that can be done to financial markets in 140 characters or less. In 2013, the Syrian Electronic Army caused the Dow Jones Industrial Average to drop based on one tweet they posted through a compromised CNN Twitter account.


John Pirc is a noted security intelligence and cybercrime expert, an author, and a renowned speaker, with more than 15 years of experience across all areas of security. The co-author of two books, Blackhatonomics: An Inside Look at the Economics of ...
Comments
Bprince, User Rank: Ninja
5/30/2014 | 11:05:21 AM
Re: Secure your social
The point about LinkedIn I think was just brought home by the situation with the Iranian hackers. It is important for organizations, particularly defense and financial organizations, not to underestimate how much social networking sites can be used for the purposes of recon for attackers.

BP

Marilyn Cohodas, User Rank: Strategist
5/22/2014 | 4:04:26 PM
Re: Training
I do think that today most employees are aware of the risks from social media in the workplace (and at home), but it's easy to fall into bad practices. Technology solutions like using Web browsers with high malware block rates seem to me like a no brainer from the IT side. And putting the onus on employees to avoid location-based social media on their corporate mobile devices doesn't seem too onerous. LinkedIn, on the other hand, would require more of an effort in user education.

JohnPirc, User Rank: Author
5/22/2014 | 2:40:19 PM
Re: Secure your social
Thank you Shawn. This point was tied to an actual use case. The amount of data you can mine within LinkedIn isn't only tied to M&A but also employee morale. When I typically get a request to provide a recommendation, usually shortly after I gave the recommendation they left their job for another opportunity. Again, I appreciate your comments.

JohnPirc, User Rank: Author
5/22/2014 | 2:31:49 PM
Re: Social media corporate policy
Thank you, this is great insight.

PaulS681, User Rank: Apprentice
5/22/2014 | 8:00:14 AM
Re: Training
It's so easy to say but much harder to do. You have to put time aside for this. That is the toughest part. Real world examples would help. Many that post things about the company don't even realize it, and unless you show them hard examples, they may not get it.

Some kind of interactive piece would also help... Even if that is just asking questions. Get them involved somehow.

jpizzle, User Rank: Apprentice
5/22/2014 | 6:58:32 AM
Re: Training
Thank you Paul! I couldn't agree with you more.

Marilyn Cohodas, User Rank: Strategist
5/21/2014 | 2:44:15 PM
Re: Training
Finding the happy medium of training that is not too technical or too long -- yet still is effective -- sounds like a pretty tall order. Does anybody want to share their best practices (or lessons learned)?

PaulS681, User Rank: Apprentice
5/20/2014 | 7:03:11 PM
Training
Training to back up the company policy is a must. You can put all you want in the policy; people just are not going to read it. You could say that it's their problem if they don't read it, but it can make major headaches for IT staff if they do something they shouldn't. Training and talking about it helps a lot. Keep the training short and to the point, don't get too technical, and you can make your job easier.

cumulonimbus, User Rank: Apprentice
5/20/2014 | 5:34:19 PM
Social media corporate policy
If you think that bad news travels 10x as fast as good, then perhaps a good social media policy is minimalistic? I agree that companies need a "firm but fair" policy for social media, and to educate on the downside. I have seen corporate policies that attempt to limit access to certain sites using third party taxonomy, but I am not sure this works as a moral quotient. In the end it comes down to exercising good judgement through emotional intelligence. Thanks for a great article.

ShawnB287, User Rank: Apprentice
5/20/2014 | 1:05:32 PM
Secure your social
Thanks John for this post. I especially like the point about posting details to LinkedIn. It's frightening how many organizations do not consider social media an organizational threat.