Stephanie Jordan's blog

Next Up, Social Media Law

More and more today, for the corporate user, social networking is giving way to social business, and along with it, experts predict, will come specific social media law and regulations.

A recent eWeek article, IBM Gets Down to Social Business, points to how “Social networking, and its social-business offspring, has become a fashionable field of study at universities. Student projects often focus on using social networks to solve everyday and business-related problems.” The story notes how students are using social-business projects for their master’s thesis.

As social networking becomes more tightly woven into business processes, it is no surprise that greater regulation is anticipated. Well-known legal firm Morrison & Foerster (MoFo) recently launched a new blog called Socially Aware, “to help companies understand the legal implications of social media use – including privacy protection for workers’ Facebook musings, securities laws governing blog postings, or the confidentiality of instant messaging.”

This blog may sound familiar, as it is a companion to the firm’s Socially Aware newsletter. While it is still emerging, social media law is a high interest area for Fortune 500 companies. Morrison & Foerster’s Social Media Practice Group says it advises companies and financial institutions across industry sectors on social media law, regulation and policy affecting privacy, data security, intellectual property, employment, securities, advertising, defamation, online contracting, user-generated content and use of social media in the workplace.

According to the blog, there will be “an explosion of employment law disputes involving social media this year.” John Delaney, a founding editor of Socially Aware and co-chair of Morrison & Foerster’s Social Media Practice Group, believes everyone from Fortune 500 companies to mom-and-pop neighborhood stores is rushing to embrace social media, and says the medium is perhaps the greatest tool for reaching customers since the creation of the World Wide Web.

Delaney warns, however, “Corporate users of social media need to be aware of emerging intellectual property, privacy, employment law and other legal risks associated with social networks. This is an area where implementing a few protective measures today will help a company avoid expensive legal headaches in the future.”

In 2012, companies that have been slow to adopt social media, MoFo expects, will begin to do so. Notes a blog entry, “We will see even the most conservative Fortune 500 companies adopting internal, company-wide social media platforms of the type offered by Jive, NewsGator and SocialText. In 2013 and beyond, we’ll be seeing a new generation of privacy, employment, defamation and other legal claims arising out of these enterprise social platforms.”

It won’t be just companies that will experience an increase in social media law activity. MoFo says that regardless of Facebook’s recent settlement with the FTC over its data collection practices, the firm anticipates still further privacy law headaches for social media companies. “Many social media providers, anxious to justify astronomical valuations, are undoubtedly feeling pressure to make more aggressive use of personal information collected from customers.” MoFo predicts we will witness much more in 2012, especially by European regulators.

Even though social media law is not “new” — just look at the blog’s interesting Key Moments in Social Media Law that begins with an entry for 1984 — it is clearly building in complexity, especially as it pertains to privacy and content ownership rights.

SMBs Need Email Archiving Too, Five Common Mistakes to Avoid

Increasing regulation and litigation mean that email archiving is becoming essential for companies of all sizes and in all industries—not just for finance, health care, and government. Deborah Galea, COO and co-founder of Red Earth Software, recently shared with me five common mistakes that SMBs make when thinking about email archiving.

Mistake One: Thinking small companies do not need an email archiving solution. Civil litigation can hit any company at any time, and if you cannot provide emails during the eDiscovery process, you could get hit with major financial sanctions. It’s also important to archive emails in the event of any sort of employee dispute, such as a layoff or a firing. Protect your company and make sure to have an email retention policy in place.

Mistake Two: Putting off implementing an email archiving system to save on costs. Although there are certainly a lot of expensive email archiving systems out there, more cost effective solutions are now becoming available. Cost is really no excuse anymore for not having an email archiving solution in place.

Mistake Three: Having only one employee knowledgeable about the system. Employees come and go and you don’t want only one person, such as a lone IT manager, knowing how to update and troubleshoot the system. Make sure all employees are aware of the email retention policy and make sure more than one person is able to use it effectively.

Mistake Four: Not having a data map. It is important to know what kind of electronic data your company has, where it is located and how to access it. Any company, large and small, should have an eDiscovery data map (view sample data map) to ease eDiscovery requests and to help meet retention guidelines.

Mistake Five: Not regularly testing or updating the system. An email archiving solution is useless if it has any downtime or is out-of-date. Make sure that the system is spot-checked regularly and remember that this is not a “build it and forget it” project.

As Galea notes: “Even just a few years ago, many companies had no idea what email archiving entailed. Fast forward a few years and most companies know that they need to have an email archiving solution in place.”

Whether you are moving from knowing you need an email archiving system to actually implementing one or if you already have one, these five common mistakes are good review for us all.

User Education Key Element in Messaging Security Strategy

Do your users take IT security seriously? A recent poll would indicate many workers do not. This trend is not exclusive to the U.S., with the poll including respondents from around the globe. What the poll reflects is that employees look to IT to be the responsible ones, and in today’s climate of sophisticated attacks, speed and connectivity, it really should be in every employee’s job description to adhere to security policies and be a part of protecting the company from outside threats.

The poll was conducted earlier this fall by Avira, a German antivirus software company, and published last week. The company asked three questions under the heading of: How careful are you when it comes to IT security in your company? There were 991 respondents, with the majority (717) of the respondents being either German, English or Russian speaking.

1) We have strict and detailed policies for IT security and the entire company takes care to follow all the policies in order to protect the company - 38.95 percent of the respondents who answered this question agreed.

2) We have security policies, but I don’t think anybody cares if we follow the policies or not -  35.42 percent of the respondents who answered this question agreed.

3) I don’t think about IT security at all; our system administrators are responsible for security so it’s not my concern. - 25.63 percent of the respondents who answered this question agreed.

The employee attitude of questions two and three is essentially saying to IT, “it’s not my job.” This is where the need for employee education becomes more critical.

Hopefully, most organizations these days have published messaging policies that cover everything online - from mobile, to social media, to email and Web. Providing that is in place, making sure that employees are more aligned toward that question one camp (“… the entire company takes care to follow all the policies in order to protect the company”) takes effort.

“When we see that less than 40 percent of workers take IT security seriously while at work, we know there is more to be done when it comes to educating people about IT security,” said Sorin Mustaca, data security expert at Avira. “Holding regular employee sessions to address the importance of staying vigilant while at work to make sure nothing happens to the corporate or small business network is equally important.”

Recommendations for Employee Education

Mustaca believes that using recent scary statistics of all the bad things out there to try to make employees get on board is not the best tactic, as he thinks the impression would be fleeting and soon forgotten.

Instead Mustaca says, “I can imagine some live sessions demonstrating how malware gets into computers and how users like themselves get infected (the attack vectors). We have malware today that comes via email, gets dropped by simply visiting a web site, gets transmitted via Instant Messaging or gets transmitted because of a vulnerability in a software. It is important to show them also the effects of such an infection. Many malware these days steal or encrypt documents, install keyloggers, steal banking information and so on.”

Phishing is another area that employees need to better understand. Mustaca recommends describing the many methods that exist for getting phished. “Any user should be able to identify a phishing web site, because this can affect them also when they are home.”

Big company-wide sessions are not ideal, Mustaca believes. He recommends that educational sessions be small so that employees are able to concentrate on the facts and ask questions. He also thinks it is very important that the sessions have mixed participation from people with various backgrounds. “This way it can be seen that anyone can be hit if he or she doesn’t pay attention.”

Today, employees are expected to perform tasks at heightened speeds. This has created a daily routine that means employees may take more risks with company information and simply be too busy just getting through their day to pay much attention to company policy or IT security.

Mustaca notes that while he understands people see computers as tools to do their jobs, “I am disappointed to see that a quarter of the users who took the survey are completely ignoring the importance of IT security. If all who access the Internet would fulfill some minimum security requirements then the online world would be a much safer place.”

Unfortunately, many outside of IT do not take messaging security seriously, but perhaps with ongoing user education and smaller-sized training sessions, progress can be made toward enlisting every employee to follow IT security policies.

Privacy and Social Networks; LinkedIn Almost Doubles in a Year

Messaging, both professionally and personally, would not be complete these days without including social networks. Even those earlier resisters are now relenting and joining social media networks. In Q2 of this year, LinkedIn claimed that membership had climbed from 61 million to 116 million in the span of one year, while reporting revenues of $121 million, which is a 120% increase from revenues posted last year, according to The Radicati Group. The steady growth of social networks, with Facebook clearly leading the pack, parallels the incredible growth of email of days gone by, and just as email became a target for malware and other ills, social networks today are experiencing an increase in threats to security and privacy.

Even though Facebook has been under scrutiny for its privacy policies, people still come to the site in droves. In a recent study by Barracuda Labs, researchers found that one in five people has been negatively affected by information that was exposed on a social network. But is this enough to drop the social network as a messaging medium? No, as another finding points out, ease of use and friends using the network are almost equally valued to privacy and security concerns.

And are companies concerned about security or privacy when employees are online? Of the hundreds that participated in the survey, 86 percent felt that employee behavior on social networks could endanger company security. However, only 31 percent of respondents reported limitations on Facebook. LinkedIn was the least blocked in the workplace, with 20 percent of respondents reporting limitations.

Malware is creeping up more and more in social networks: of the survey respondents, one in four has received a virus or malware on a social network. “Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially,” warns Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks.”

This is an area of particular interest to Barracuda Labs, as earlier this year the company launched Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter. For more on the visual report, download The 2011 Social Networking Security & Privacy Study or simply view the beautiful graphics accompanying the information.

October is National Cyber Security Awareness Month. Reports such as this one are good to share with your users and executives. As always, safe messaging.

Cyber Attacks and Safeguarding the Internet

Homeland Security Secretary Janet Napolitano recently stated that we might be able to keep our shoes on while going through airport security checkpoints in the near future. It seems there is technology on the way that will allow for that. Technology has been responsible for many wonders that improve our lives or at least make things easier. The promise of the Internet was one such stride. But according to a recent comment by Napolitano, while the U.S. is ‘categorically safer’ since 9/11, cyber-terrorism is now at the top of the security concern list.

In today’s world there is a wide range of online threats to safeguard against — identity theft, fraud, hackers, spam, viruses and spyware all come quickly to mind. But the persistent threats that have been experienced this year by RSA, Lockheed-Martin, Google, Sony and a host of other well-known brands and companies make us wonder: just how vulnerable are we?

Some experts are claiming that cyber warfare will replace traditional warfare. All that has transpired recently makes that seem less far-fetched than the general populace might have thought a few years ago.

Did you read the interesting interview conducted by Cisco’s Jason Lackey with the ex-Anonymous hacker known as SparkyBlaze? If you have only read excerpts, the full reading is illuminating. For me, getting a sense of what is “ethical” and what is not to this 20-something-year-old was revealing. He gives advice too, which very much parallels what security companies have been saying for years. If you missed these 14 points, here they are again direct from SparkyBlaze:

  • Deploy defense-in-depth
  • Use a strict information security policy
  • Have regular audits of your security by an outside firm
  • Use IDS or IPS
  • Teach your staff about information security
  • Teach your staff about social engineering
  • Keep your software and hardware up to date
  • Watch security sites for news on computer security and learn what the new attacks are
  • Let your sysadmins go to defcon ;D
  • Get good sysadmins who understand security
  • Encrypt your data (something like AES-256)
  • Use spam filters
  • Keep an eye on what information you are letting out into the public domain
  • Use good physical security. What good is all the [security] software if someone could just walk in and take [your “secure” systems]?

If, like me, you sometimes take for granted all we know about security in messaging and computer security in general, the rest of the world is now starting to wake up to it. The topic is becoming of interest to a wide range of lay-people, let alone legislators and government officials. This current trend has elements of mystery, intrigue, conspiracy and drama. Indeed, a colleague recently brought to my attention a detailed Vanity Fair magazine article that makes some of the recent exploits sound like one big spy novel. What’s the old saying? May you live in interesting times. Well, we sure do.

Data security today, and really for some time now, is no longer just a sysadmin’s job. It is not just a “set it and forget it” appliance. Securing an organization is a complex, on-going battle that needs to be waged with regularity, education and solid company policies. And it isn’t cheap, but it is worth it.

IDC Take on Google/Motorola Acquisition: Not as Dramatic as the Headlines

Monday’s announcement from Google Inc. and Motorola Mobility Holdings, Inc. has the industry Twittering and posting like crazy this week. Google will acquire Motorola Mobility for about $12.5 billion, a premium of 63% to the closing price of Motorola Mobility shares as of Friday, August 12. The announcement of the price this week makes all the more impact when one considers the current Wall Street landscape.

According to the companies, Motorola Mobility, a dedicated Android partner, will “enable Google to supercharge the Android ecosystem and will enhance competition in mobile computing.” In his statement, Google CEO Larry Page welcomed, “Motorolans to our family of Googlers.”

Even with a clear statement in the announcement that declares the roadmap for Android unchanged and fully committed to, there is considerable buzz going around that Android’s days may be limited. Motorola is expected to function as an independent company and an independent licensee of Android.

IDC Observations

Analysts at IDC (Ramon T. Llamas, Stephen D. Drake, Stacy K. Crook, Tom Mainelli, and Greg Ireland) offered lengthy commentary on Monday. One of the main benefits to this acquisition is Motorola Mobility’s deep patent portfolio. The IDC authors observe: “Google has been the target of numerous patent lawsuits from Apple and Microsoft, two companies at the forefront of Nortel’s patent auction. Motorola Mobility has a long-standing patent history within mobility, which will not only provide protection to Google, but also the ability to challenge other vendors for patent infringement.” All of a sudden teenage Google is able to take advantage of adopted Grandpa’s history (Motorola was founded in 1928), which, according to IDC, may allow either delays in pending lawsuits or settlement out of court.

For its part, Motorola Mobility gets cash resources. IDC notes, “How Motorola Mobility will use this money remains to be seen, whether it be for research and development, marketing, or channel distribution enhancement.”

A potential downside to the acquisition, believe the analysts, is the alienation of other Android device vendors - in particular HTC, LG Electronics, and Samsung - because “Android is the cornerstone of their respective strategies,” especially as Motorola Mobility gains synergy between its and Google’s integration of software and hardware in phones and tablets. IDC also warns that if current Android OEMs get “nervous and are not getting the proper partner attention from Google there is a potential for defection as these OEMs seek other partners or acquisitions for the mobile OS.”

With all the talk and speculation of what this acquisition really means, the analysts at IDC seem to be taking the news quite calmly. While they recognize the announcement as significant to the mobile industry, “the impact may not be as dramatic as the headlines.” The IDC analysts note in their final word, “Beyond an improved hardware and software integration for both companies, much needed patent protection for Google and more financial stability for Motorola, this announcement does not shake-up the market, but rather provides the opportunity to enhance the Android experience across the ecosystem.”

The Google and Motorola Mobility deal is expected to close by the end of this year or early next.

Mobile Device Usage Continues to Accelerate - Along for the Ride: SMS Spam

As mobile devices continue to dominate as a preferred messaging method, businesses are adopting SMS as a way to interact with their customers. Financial institutions, medical offices, and many other types of businesses use SMS for appointment reminders and service alerts. The popularity of mobile devices and SMS is also catching the interest of advertisers and others as they try to find a way to leverage the technology for profit; some of those “others” are producers of spam and malware.

Cloudmark, Inc. is tracking SMS attacks and last month published its 2011 Mobile Spam Guide, which the company describes as “a definitive toolkit designed to help the wider ecosystem address the growing problem of mobile spam”.

In the whitepaper, the company says there are three main categories of attack: spam, fraud and malware, including botnets built through SMS spam messages. The paper walks through each category and also outlines how email spam and SMS spam differ, the rise of SMS spam profitability, and the effects SMS spam is having on a number of stakeholders (consumers, operators, marketers).

The paper also offers steps that subscribers can take to protect themselves. The authors offer the following good advice to pass along to mobile device users:

  • Never click on a link or call a number embedded within an unexpected SMS message, even if it looks like it is from a friend. This may download a self-propagating virus on the device that can send itself to all of the user’s contacts.
  • Only download mobile applications from reputable app stores. Be aware that the Android Market is not policed by Google in the same way that the Apple Store is monitored by Apple and instances of applications containing malware have been identified on this platform. Juniper Networks recently revealed that the number of Android malware attacks has increased by 400 percent since last summer.
  • Never respond to an SMS requesting login details or other personal details, particularly if it claims to be from a bank.
  • If an offer in an SMS seems too good to be true, then it probably is. Companies such as Microsoft, Nokia or your network operator do not run free lotteries for subscribers, nor do reputable banks offer cheap loans via SMS advertising.
  • Request your Mobile Network Operator to set up content filters on your mobile account so that premium rate texts cannot be charged or adult material displayed.

I’m sure we’ll be hearing more about mobile spam. This spring research firm Infonetics forecasted sales of mobile security software to grow 50 percent a year through 2014, with an expectation of reaching $2 billion. Of course the concept of mobile spam is not new; in the past the threat has been held somewhat at bay because proprietary networks and overall number of handsets made the payload smaller and therefore less attractive to cybercriminals when compared to email. However, these days the mobile market is very mature with growth exploding in the popularity of iPhones, Androids, and BlackBerrys. A lot more users make for a lot more potential targets.

The 2011 Mobile Spam Guide is available for download.

Are We Ready for a Cyber Wallet?

Google Wallet, the free Android mobile app that turns a phone into a mobile wallet, stores virtual versions of plastic credit cards on a user’s phone. The Google Wallet plan is to launch pilot programs this summer in New York and San Francisco starting with Citi PayPass eligible MasterCards and Google Prepaid Card and then extend Google Wallet to include all major cards found in most wallets today; but is this a technology we want?

Google Wallet relies on near field communication (NFC) technology that enables data transmission between two objects when they are brought within a few inches of each other. Smartphones enabled with NFC technology can exchange data with other NFC enabled devices or read information from smart tags embedded in posters, stickers, and other products. NFC is expected to be used not only for credit cards, but bus passes, in-store credit cards, coupons, insurance cards, and the like.

Earlier this month, I was sent an interesting study that looks at who is ready to start paying for items in-store using their cell phone. Published by Retrevo.com, a consumer electronics review and shopping site that “helps people decide what to buy, when to buy, and where to buy”, the study looks not only at Android, but at iPhone too.

Retrevo’s new “Pulse” study reports:
- iPhone owners want NFC (mobile wallet) compatibility in their next cell phone (40%) more than Android owners (24%)
- Of people over age 50, 75% were not at all interested in a phone with a mobile wallet
- Men are more interested in a mobile wallet (27%) than women (15%).
- Retrevo asked cell phone owners what company they would trust to provide a mobile wallet:

  • 36% Said Google
  • 33% Said Apple
  • 32% Said Visa, MasterCard or American Express
  • 26% Said AT&T, Verizon or their cell phone carrier
  • 33% Said none of the above


“The big question of whether or not Apple will put NFC in the rumored iPhone 4S remains unanswered at this point,” says Andrew Eisner, director of community and content for Retrevo.com.

In his article, iPhone Owners Ready For Mobile Wallet, Will Apple Deliver?, Eisner reports that according to the study only around 25% of consumers would like to buy things with a mobile wallet and are waiting for that capability to be in their next cell phone. He goes on to say that, “Unfortunately for mobile wallet providers, the overwhelming majority (79%) of consumers in this study, are either not interested in mobile wallets or don’t know what a mobile wallet is.”

As consumers have become more savvy to the dangers of online shopping and fraud, it appears this new-found awareness is already becoming a hurdle for the mobile wallet concept. Eisner reveals that study participants were concerned about privacy and security, commenting, “The Retrevo study found nearly half of those not interested in mobile wallets saying they wouldn’t trust any of the companies that we suggested to provide a mobile wallet and that includes major credit card providers, carriers and other prominent companies.”

The study conducted this month by Retrevo polled over 1,000 people located in the U.S. of various ages, genders and incomes.

If the marketing folks behind the mobile wallet do a great job of selling this ability, Capital One credit card company may have to re-think its slogan, “What’s In Your Wallet.” The answer may be…not much.

Parents’ Work Computers Should Be Off Limits to Teens, Reduce Malware Exposure

As I mentioned last week in the article National Internet Safety (and Security?) Month, MAAWG, and Passwords, June is National Internet Safety Month. This week a study was released that examines the online behavior of U.S. parents and their teenage children; this is relevant not only because the data is interesting, but also in the context of the blurring between home and work and possible exposure of systems (or files) that go from one location to the other.

The 2011 Parent-Teen Internet Safety Report was published by GFI Software and looks at online behaviors related to content, communications and malware exposure. While the study is from a security company, the net finding is that in most cases kids AND their parents engage in risky online behavior. Given the state of the Internet today, it is not surprising that the conclusion is that this type of behavior puts the parents’ employers at risk.

According to GFI, report highlights include:

65% of parents say a virus has infected at least one of their home computers, and 62% of these have been either “somewhat” or “serious” problems.

90% of parents who have work computers at home say they’ve used them for non-work related purposes and 37% of these say they let their teens use them as well. Meanwhile, 47% of teens say they have been infected by a virus while using a computer at home.

34% of teens say they have created online accounts that their parents do not know about.

Only 28% of parents who have antivirus software say they update their virus definitions daily, and 24% are unsure if they are updating these definitions at all.

36% of parents use Web monitoring or Web filtering software to keep tabs on their teens’ activities online and to block inappropriate content.

Now for a few highlights in light of Internet Safety Month that might be worth sharing as a discussion starter with the family:

15% of all teenage girls surveyed have been bullied online or via text message.

31% of teens admit they have communicated something to someone online that they would not have said face-to-face.

31% of teenage boys admit to visiting a Web site intended for adults, and 53% of all teenagers who have done so say they lied about their age to gain access.

Nearly one-third (29%) of teens have been contacted online by a stranger, and 23% of those say they have responded in some way.

“The Parent-Teen Internet Safety Report is a real eye-opener as to how modern computing introduces families to a host of new dangers that reflect our evolving online lives,” comments Alex Eckelberry, general manager of GFI Software’s Security Business Unit. “It is not surprising to see teenagers engage in risky online behavior – just as they will often engage in risky behavior in the physical world. It is surprising, however, to see that parents are often compounding this problem with highly insecure computing practices like letting their children use their work computers, or being lax in updating their virus definitions. As a result, home Internet use is a source of significant risk not only to families but also to employers.”

The full report and a document with the full survey questionnaire and responses are available from GFI Software.

Who Will Be Next Victim in Breach and Hacks? Nintendo Joins List Including Google, RSA Security, PBS, Lockheed Martin, Sony

While only half-way through the year, 2011 may be best remembered as the year of spectacular hacking and breaches. The headlines this year are full of well-known brands being attacked. From the RSA Security breach earlier this year, to news that Lockheed Martin had been compromised, to Google admitting that Gmail hackers have targeted U.S. government and military personnel, there is no shortage of news on the subject of hacking.

While Google is pointing an accusing finger at China, which China denies, others are wondering why government personnel have Gmail accounts at all. In a Friday post Sharon Gaudin asks that very question and quotes Brad Shimmin, an analyst with Current Analysis, who says Google has been “pushing hard to get government agencies - all the way from small and local to big, federal organizations - to move to Google Apps.” The article goes on to offer more possible reasons for having the accounts.

But Google, while perhaps the most well-covered, is not alone in its troubles. Hotmail and Yahoo! Mail have also reported being targeted. These phishers are very exacting, moving from spear-phishing (the targeting of a specific organization) to possible whaling (the targeting of a particular person). A number of blogs have offered possible reasons behind the attacks – I found the account by Nart Villeneuve with Trend Micro interesting reading.

Also, don’t miss reading last week’s How to Stop Your Gmail Account Being Hacked by Graham Cluley, senior technology consultant with Sophos, where he suggests steps to reduce the chances of your Gmail account being hacked:

  • Set up two-step verification
  • Check if your Gmail messages are being forwarded without your permission
  • Where is your Gmail account being accessed from?
  • Choose a unique, hard-to-crack password
  • Secure your computer
  • Why are you using Gmail anyway?

Meanwhile, Lulz Security (or LulzSec) is loud and proud of its recent exploits – which include compromising PBS’s website and posting a story that Tupac Shakur is “alive and well” as well as infiltrating servers at Sony Pictures. The group is also taking credit for replacing the homepage of an FBI partner (InfraGard) with a YouTube joke video and publishing an internal configuration file for one of Nintendo’s U.S. servers.

In the case of InfraGard, according to reports, “The server’s user database was apparently not properly protected. LulzSec published the personal data of 180 InfraGard members and a number of passwords in plain text. They also made 700 MB of emails available as a torrent download.”

Further, the group tested the InfraGard user database and found that many of the passwords were being re-used on other websites making the payload even sweeter.

In the case of Sony, LulzSec compromised millions of user records gaining access to names, passwords, email addresses, birth dates and home addresses. After the multiple attacks, Sony’s brand is reeling amid questions of poor data management.

In the wake of the PBS hack last week, Chester Wisniewski, a senior security advisor at Sophos Canada, wrote in a blog post, “Whether you are related to political causes or not, an easy way to ensure you aren’t the next victim is to make sure that you protect the information you are entrusted with. Data stored insecurely is a bomb waiting to detonate. Security must be a proactive attitude because reacting is simply too dangerous.”

Hear, hear.
