The use of social networking, for most people, has become a daily habit or addiction. Initially people used social media primarily outside the workplace to connect with close friends, family and employment opportunities. Today, social media is as pervasive inside the workplace as out and people are tweeting, linking, and connecting -- on company assets, bandwidth, and time.
For the corporate security team, this has opened the door to a wide range of vexing issues from heavy users (like me!) who will access Facebook and Twitter on their mobile devices, regardless of policy. But rather than continually fight the trend, I recommend that organizations resign themselves to the fact that employees are going to use social media at work. The solution is to make sure people use social media appropriately and securely. Here are six tips to make that happen.
- Establish a social media policy and implement training. In every company I’ve worked for, we had a social media policy. The following link on social media governance provides examples of policies that are being used by large companies across most industry verticals. Additionally, in the onboarding process for new employees and contractors, companies should provide the social media policy and have them sign off that they have read it and understand the policy. I would also recommend quarterly training for organizations’ public-facing employees who represent the company in outbound communications.
- Promote the use of strong passwords. This should be the first thing covered in policy. Passwords should be complex and employees should be reminded that those used for social media should not be the same as their corporate login. I highlight this point because I’ve seen many compromises where the adversary was able to access multiple accounts because individuals used the same passwords for all.
- Utilize infrastructure security controls such as application control and encryption. There are network security products that have the ability to provide application control of Facebook and Twitter. These controls can range from allowing users to have “read-only” access to things such as Facebook posts and tweets to full access that would allow posting, uploading video and images. Although this type of control is good, it does not work so well when Facebook and Twitter use SSL by default. If your organization doesn’t have a way to decrypt Facebook and Twitter, it is not going to be able to use the application control feature. It’s important to find a network security solution, such as a next-generation firewall or dedicated SSL appliance, that has the ability to decrypt SSL traffic and scale based on your organization's network performance requirements.
- Choose Web browsers with high malware block rates. Web browsers are most often the first line of defense for protection against malware. There are large differences among the leading browsers in their ability to block it. In 2013 NSS Labs Web browser tests, Internet Explorer 10 had the highest malware block rate at 99.96 percent, followed by Google Chrome at 83.16%. Apple Safari 5, Mozilla Firefox 19, and Opera 12 all lagged behind with block rates around 10% or less.
- Location-based social media can reveal unintended information. Caution employees about checking into customer or vendor sites on apps such as Facebook or Foursquare, which can reveal competitive information or even merger and acquisition plans.
- Be careful of posting on LinkedIn. Train employees to refrain from posts that include information about their job duties, since the posts could shed a light on the sensitive projects they are working on. Additionally, if the company is involved in a merger or acquisition, executives shouldn’t accept LinkedIn requests from the company and direct peers they are visiting.
While some of these best practices may seem like "no brainers,” it’s important to remind employees of them because, let’s face it, we all forget and become lax at times. It’s also important to help employees understand that while we can control what we post, we can’t always control what other people will do with the information, images, and links we share.
If companies lay out simple best practices for employees, they can save the organization from becoming a statistic. The best example I can leave you with is a reminder of the financial damage that can be done to financial markets in 140 characters or less. In 2013, the Syrian Electronic Army caused the Dow Jones Industrial Average to drop based on one tweet they posted through a compromised CNN Twitter account.
Empower employees by training them to be aware and secure, and in how to avoid becoming a statistic.