Risk
5/20/2014
12:00 PM
John W. Pirc
Commentary

6 Tips For Securing Social Media In The Workplace

Empower employees by training them to be aware and secure, and in how to avoid becoming a statistic.

The use of social networking, for most people, has become a daily habit or addiction. Initially people used social media primarily outside the workplace to connect with close friends, family and employment opportunities. Today, social media is as pervasive inside the workplace as out and people are tweeting, linking, and connecting -- on company assets, bandwidth, and time.

(Image: Flickr)

For the corporate security team, this has opened the door to a wide range of vexing issues from heavy users (like me!) who will access Facebook and Twitter on their mobile devices, regardless of policy. But rather than continually fight the trend, I recommend that organizations resign themselves to the fact that employees are going to use social media at work. The solution is to make sure people use social media appropriately and securely. Here are six tips to make that happen.

  • Establish a social media policy and implement training. In every company I’ve worked for, we had a social media policy. The following link on social media governance provides examples of policies that are being used by large companies across most industry verticals. Additionally, in the onboarding process for new employees and contractors, companies should provide the social media policy and have them sign off that they have read it and understand the policy. I would also recommend quarterly training for organizations’ public-facing employees who represent the company in outbound communications.
  • Promote the use of strong passwords. This should be the first thing covered in policy. Passwords should be complex and employees should be reminded that those used for social media should not be the same as their corporate login. I highlight this point because I’ve seen many compromises where the adversary was able to access multiple accounts because individuals used the same passwords for all.
  • Utilize infrastructure security controls such as application control and encryption. There are network security products that have the ability to provide application control of Facebook and Twitter. These controls can range from allowing users to have “read-only” access to things such as Facebook posts and tweets to full access that would allow posting, uploading video and images. Although this type of control is good, it does not work so well when Facebook and Twitter use SSL by default. If your organization doesn’t have a way to decrypt Facebook and Twitter, it is not going to be able to use the application control feature. It’s important to find a network security solution, such as a next-generation firewall or dedicated SSL appliance, that has the ability to decrypt SSL traffic and scale based on your organization's network performance requirements.
  • Choose Web browsers with high malware block rates. Web browsers are most often the first line of defense for protection against malware. There are large differences among the leading browsers in their ability to block it. In NSS Labs' 2013 Web browser tests, Internet Explorer 10 had the highest malware block rate at 99.96%, followed by Google Chrome at 83.16%. Apple Safari 5, Mozilla Firefox 19, and Opera 12 all lagged behind with block rates around 10% or less.
  • Location-based social media can reveal unintended information. Caution employees about checking into customer or vendor sites on apps such as Facebook or Foursquare, which can reveal competitive information or even merger and acquisition plans.
  • Be careful of posting on LinkedIn. Train employees to refrain from posts that include information about their job duties, since the posts could shed light on the sensitive projects they are working on. Additionally, if the company is involved in a merger or acquisition, executives shouldn’t accept LinkedIn requests from the company they are visiting or from its direct peers.
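To make the "read-only" versus "full access" distinction in the application-control tip concrete, here is a small added Python example; it is not code from the article or from any vendor product, and the group names, hosts and requests are constructed assumptions. It also shows the caveat from the text: without TLS decryption the control only sees the destination host, not whether the user is posting, so a read-only policy cannot be enforced.

```python
from dataclasses import dataclass
from typing import Optional

# Access levels an application-control policy can grant per user group.
BLOCKED, READ_ONLY, FULL = "blocked", "read-only", "full"

# Constructed policy (assumption): which level each group gets for social apps.
POLICY = {
    "marketing": FULL,        # public-facing staff may post and upload
    "staff": READ_ONLY,       # everyone else may only browse
    "contractors": BLOCKED,
}
SOCIAL_HOSTS = ("facebook.com", "twitter.com")

# HTTP methods that change state (posting, uploading) versus read-only ones.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    group: str
    host: str              # from the TLS SNI, or the Host header once decrypted
    method: Optional[str]  # None when the session was not decrypted


def is_social(host: str) -> bool:
    """Match the social-media domains and any of their subdomains."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in SOCIAL_HOSTS)


def decide(req: Request) -> str:
    """Return 'allow', 'deny', or 'needs-decryption' for one request."""
    if not is_social(req.host):
        return "allow"
    level = POLICY.get(req.group, BLOCKED)   # unknown groups get no access
    if level == BLOCKED:
        return "deny"
    if level == FULL:
        return "allow"
    # READ_ONLY is only enforceable when the HTTP method is visible,
    # which requires the firewall or SSL appliance to decrypt the session.
    if req.method is None:
        return "needs-decryption"
    return "deny" if req.method.upper() in WRITE_METHODS else "allow"


if __name__ == "__main__":
    # Constructed sample requests, as a decrypting proxy would see them.
    for r in (Request("staff", "www.facebook.com", "GET"),
              Request("staff", "www.facebook.com", "POST"),
              Request("staff", "api.twitter.com", None)):
        print(r.group, r.host, r.method, "->", decide(r))
```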

While some of these best practices may seem like "no brainers," it’s important to remind employees of them because, let’s face it, we all forget and become lax at times. It’s also important to help employees understand that while we can control what we post, we can’t always control what other people will do with the information, images, and links we share.

If companies lay out simple best practices for employees, they can save the organization from becoming a statistic. The best example I can leave you with is a reminder of the financial damage that can be done to financial markets in 140 characters or less. In 2013, the Syrian Electronic Army caused the Dow Jones Industrial Average to drop based on one tweet they posted through a compromised CNN Twitter account.


John Pirc is a noted security intelligence and cybercrime expert, an author, and a renowned speaker, with more than 15 years of experience across all areas of security. The co-author of two books, Blackhatonomics: An Inside Look at the Economics of ...
Comments
stuartjacklin,
User Rank: Apprentice
9/19/2014 | 3:04:50 AM
Opinion
It's necessary to use social media websites and Gmail securely at work. The most important thing that can be done is to frequently change your passwords, and the use of secure browsers can help you to protect your data.

www.pitchussocial.com
Bprince,
User Rank: Ninja
5/30/2014 | 11:05:21 AM
Re: Secure your social
The point about LinkedIn I think was just brought home by the situation with the Iranian hackers. It is important for organizations, particularly defense and financial organizations, not to underestimate how much social networking sites can be used for the purposes of recon for attackers.

BP
Marilyn Cohodas,
User Rank: Strategist
5/22/2014 | 4:04:26 PM
Re: Training
I do think that most employees today are aware of the risks from social media in the workplace (and at home) but it's easy to fall into bad practices. Technology solutions like using Web browsers with high malware block rates seem to me like a no brainer from the IT side. And putting the onus on employees to avoid location-based social media on their corporate mobile devices doesn't seem too onerous. LinkedIn, on the other hand, would require more of an effort in user education.
JohnPirc,
User Rank: Author
5/22/2014 | 2:40:19 PM
Re: Secure your social
Thank you Shawn. This point was tied to an actual use case. The amount of data you can mine within LinkedIn isn't only tied to M&A but also employee morale. When I typically get requests to provide recommendations, usually shortly after I gave the recommendation they left their job for another opportunity. Again, I appreciate your comments.
JohnPirc,
User Rank: Author
5/22/2014 | 2:31:49 PM
Re: Social media corporate policy
Thank you, this is great insight.
PaulS681,
User Rank: Apprentice
5/22/2014 | 8:00:14 AM
Re: Training
It's so easy to say but much harder to do. You have to put time aside for this. That is the toughest part. Real world examples would help. Many that post things about the company don't even realize it, and unless you show them hard examples, they may not get it.

Some kind of interactive piece would also help... Even if that is just asking questions, get them involved somehow.
jpizzle,
User Rank: Apprentice
5/22/2014 | 6:58:32 AM
Re: Training
Thank you Paul! I couldn't agree with you more.
Marilyn Cohodas,
User Rank: Strategist
5/21/2014 | 2:44:15 PM
Re: Training
Finding the happy medium of training that is not too technical or too long -- yet still is effective -- sounds like a pretty tall order. Does anybody want to share their best practices (or lessons learned)?
PaulS681,
User Rank: Apprentice
5/20/2014 | 7:03:11 PM
Training
Training to back up the company policy is a must. You can put all you want in the policy; people just are not going to read it. You could say that it's their problem if they don't read it, but it can make major headaches for IT staff if they do something they shouldn't. Training and talking about it helps a lot. Keep the training short and to the point, don't get too technical, and you can make your job easier.
cumulonimbus,
User Rank: Apprentice
5/20/2014 | 5:34:19 PM
Social media corporate policy
If you think that bad news travels 10x as fast as good, then perhaps a good social media policy is minimalistic? I agree that companies need a "firm but fair" policy for social media, and to educate on the downside. I have seen corporate policies that attempt to limit access to certain sites using third party taxonomy, but I am not sure this works as a moral quotient. In the end it comes down to exercising good judgement through emotional intelligence. Thanks for a great article.