Social Media in the Enterprise: Approach with Caution
Social technology adoption has reached such critical mass that organizations need to create a social media strategy. According to the Pew Internet & American Life Project’s December 2008 tracking survey, “the share of adult Internet users who have a profile on an online social network site has more than quadrupled in the past four years—from 8 percent in 2005 to 35 percent now.” Since 2003 MySpace has acquired 250 million registered users; Facebook came along a year later and now has more than 200 million users. What began as social networking, a tool for connecting people, has quickly given way to social media, defined as an outlet for publishing; both were made possible by Web 2.0. With numbers like these, it is not surprising that corporations are concerned about employees spending corporate resources on social media and networking, or “social notworking,” the phrase coined for spending time unproductively on social networking Web sites while at work.
The Pew surveys reveal that adults tend to use social networking for personal reasons rather than professional ones. LinkedIn, an online social network dedicated to professional networking, was used by 6 percent of respondents, while 72 percent cited use of social networks such as MySpace and Facebook, which serve both professional and personal networking purposes.
Corporate Perceptions
With the skyrocketing adoption of social technology, how are organizations responding? According to an informal online poll conducted by Sophos Research earlier this year, one-third of the organizations polled considered productivity issues to be the major reason for controlling employee access to social networking sites. But this perception might be shifting.
“Historically, social media has been seen as a productivity issue,” agrees Michael Sutton, vice president of security research for Zscaler. “You didn’t want employees using Twitter, MySpace, or Facebook at work, but companies have definitely changed their opinion. They are now leveraging it as a business tool.” Sutton offers the example of companies that are using Twitter as part of technical support, and HR conducting background checks. “I don’t know a technology company that doesn’t have a marketing person with a Twitter account. It has become the cool thing to do,” he adds.
As social media is taking off, many organizations are trying to figure out how to use the technology to the benefit of corporate goals and objectives. “At the very beginning, several years ago when people started to latch on to social networking, before Facebook it was Friendster and others, the usual response was to just block access,” recalls Jamz Yaneza, threat research manager at Trend Micro. “At the time, this was generally a good strategy.” However, he notes the upside of social networking is that it is easy to reach out to customers and others. “Today you can see where social networking is becoming part and parcel of what you are doing in a business environment. Blocking isn’t really an option anymore.”
What’s the Worry About?
Even when looked upon as a business tool, corporations still need to manage the traffic to social sites. “Companies need to get to a point where they are not just blocking or allowing access, but are managing employee behavior,” recommends Sutton. “We can’t just block access to Facebook, because there is a legitimate need to access it.”
Identity Theft 911, an identity theft resolution and education services provider, in its newsletter said: “With more than 200 million users, Facebook is the most popular of the social networking services. Nielsen reports that the number of minutes users spent on the site increased 700 percent between April 2008 and April 2009. Facebook says that the number of users impacted by security issues on the site is less than 1 percent.” Unfortunately, that one percent translates to potentially 2 million people.
Sophos experts note that with the rise of social networking an unprecedented amount of information is updated every minute, and warn: “Frequent use of social networking sites makes them a prime target for cybercriminals intent on stealing identities, spreading malware or bombarding users with spam.” The Sophos poll revealed that “63 percent of system administrators worry that employees share too much personal information via their social networking profiles, putting their corporate infrastructure and the sensitive data stored on it at risk. The findings also indicate that a quarter of businesses have been the victim of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.”
Understanding what information an employee is sharing is growing in its importance. “What can you lose with unprotected use of social media in the enterprise? I would say: Everything,” responds Yaneza. “Although that sounds really ominous. Employers need to be aware of the amount of data that is flowing out of their networks. In terms of company end-users: What are they blogging about, what are they Tweeting about, even if it is something mundane like: ‘I am working on a new product’ and later mention what the product is or describe it. Even if it is very brief, when you put all those together, you can actually data mine the information. It is scary, because it can result in a loss of proprietary information. There can be a lot of data leakage by unprotected use of social media.”
Some of the threats are less serious than data leakage, but are nonetheless annoying. In his blog, Graham Cluley, senior technology consultant at Sophos, recently wrote about spam he received on Twitter: “The spammers are putting their messages into the image because they know that’s harder for Twitter to identify than if their adverts were presented in plaintext in a regular tweet. This is comparable to a trick we’ve seen email spammers use for some years.” In fact, many of the messaging threats common to email are now present on social networking and media sites and can be just as nefarious. “We’re seeing more incidents of unwanted adverts and malicious links being spammed out, particularly to Facebook users, from their friends’ compromised accounts,” says Cluley. “Although social networking sites are going some way to mitigate threats to users—activating pop-up windows to confirm if a user really wants to visit that external link for example—unfortunately it’s just not enough. Organizations need to incorporate defenses into their IT security policy, and a key part of this is to educate individuals to choose strong passwords and to take good care of them to prevent cybercriminals taking over online accounts, which could provide an entry point to the IT infrastructure.”
Another messaging foe, the worm, has also made its way to social sites. “Worms in their traditional sense would hop from machine to machine. Now we are starting to see Web-based worms that stay within the ecosystem of the social network and hop from profile to profile,” observes Sutton. “The limitation of a Web-based worm is that it cannot break out of the ecosystem, so it can only live on Twitter, or MySpace or Facebook or whatever. But when that ecosystem has millions of users, that isn’t much of a limitation. We are seeing more and more of it.”
Since social networks are built on top of Web 2.0, the threats are similar to other Web threats. “In terms of technical exploits on social sites, it’s still things like cross site scripting, and stealing of cookies,” Yaneza explains. “The malware is Web-based, it doesn’t even matter so much what your operating system is, as much as what your browser is. When you surf the malware even checks what kind of browser version you have, what patch level you have, so it can target the operating system you have. There are so many avenues.”
Adds Sutton, “Social networks have really evolved what we think of when we think in terms of the Web. A decade ago we talked about Web sites and that was an appropriate term. The content was static, it was almost like an electronic billboard. We did not see a lot of Web attacks because there was no dynamic content; there was no way to manipulate the content.” Today, Sutton says, there is nothing preventing someone from uploading a virus and saying it is a picture or a video. Unsuspecting users download it and end up with an infected computer. “To some degree the social networks are trying to monitor, running antivirus against things,” he acknowledges, “but you should not rely on Facebook or whoever to protect you from viruses in the enterprise. Because there is so much user supplied content, it becomes that much more important that you treat it all as untrusted. Organizations need solutions in place to inspect content.”
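Sutton’s point that user-supplied content must be treated as untrusted can be enforced at the content-inspection layer. The following is an added example, not code from the article or from any vendor quoted in it: it checks the leading bytes of an upload against well-known file-format signatures and rejects a file whose real type does not match the extension it claims. The sample uploads are constructed inline.

```python
# Added example (not from the article): reject uploads whose bytes do not
# match the file type the uploader claims, so a renamed executable is not
# accepted as a "picture" or "video". Signatures are standard magic numbers.

# (offset, magic bytes, label, extensions that legitimately carry this format)
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (0, b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (0, b"GIF87a", "gif", {"gif"}),
    (0, b"GIF89a", "gif", {"gif"}),
    (4, b"ftyp", "mp4", {"mp4", "m4v", "mov"}),   # ISO media "ftyp" box
    (0, b"MZ", "windows-executable", set()),       # PE/DOS header: never an image
    (0, b"\x7fELF", "elf-executable", set()),
    (0, b"PK\x03\x04", "zip-archive", {"zip"}),    # also Office/JAR containers
    (0, b"#!", "script", set()),
]


def sniff_type(data: bytes) -> str:
    """Identify the real content type from the leading bytes, or 'unknown'."""
    for offset, magic, label, _ in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accept, reason). Accept only when the declared extension is
    one that the detected format legitimately uses."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = sniff_type(data)
    if detected == "unknown":
        return False, f"{filename}: unrecognised content, quarantine for inspection"
    allowed = set().union(*(e for _, _, lbl, e in SIGNATURES if lbl == detected))
    if ext in allowed:
        return True, f"{filename}: content is {detected}, matches extension"
    return False, f"{filename}: claims .{ext} but content is {detected}"


# Constructed sample uploads: two genuine images, two disguised files, one archive.
SAMPLE_UPLOADS = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "vacation.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "funny_video.mp4": b"MZ\x90\x00" + b"\x00" * 28,   # PE header renamed as video
    "party.jpg": b"PK\x03\x04" + b"\x00" * 16,         # zip container posing as a photo
    "report.zip": b"PK\x03\x04" + b"\x00" * 16,
}


def scan_uploads(uploads: dict) -> dict:
    """Run check_upload over every (name, bytes) pair and collect the verdicts."""
    return {name: check_upload(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (ok, reason) in scan_uploads(SAMPLE_UPLOADS).items():
        print("ACCEPT" if ok else "REJECT", reason)
```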
Social Engineering Attacks
That user supplied content, while making social networking and media sites unique, also adds to the threat of phishing and fraud. Sutton points out, “The content within social networks can be a gold mine for an attacker that is looking to initiate a social engineering attack. With a social engineering attack, I am not taking advantage of a technical flaw in your Web browser or anything like that, I am just trying to trick you into doing something. The more information I have about you, the better off I am in being able to do that.” Sutton goes on to say that social networking sites are uniquely suited because so much information can be found about an individual. “I can find out who your friends are, what company you work for, who your relatives are, things like that. We do silly things in security like reset a password with a mother’s maiden name. Well, if your mother is a friend of yours on Facebook, it may not be hard to get that information. People need to be much more conscious of the data they are sharing.” While some might argue that information is protected, Sutton warns, “I don’t care if it is Facebook where you have to friend someone first. Do you really know if you’re friending a person? It could be someone impersonating a person. The guidance I give people is don’t put anything on a social network that you would not post on Times Square, because it is equally as public.”
Looking Ahead
The popularity of social networking is having an impact on other technologies. For example, Synchronica, a provider of mobile email and synchronization solutions, identified the growing trend and added new functionality to its Mobile Gateway product to automatically push social networking and news updates from Twitter, Flickr and ESPN to any mass-market mobile phone. In what Carsten Brinkschulte, CEO of Synchronica, calls “mobile social messaging,” the product allows users to tap into the social messaging that is happening within social networks and make those social messages available on mobile phones. “We are trying to enable mobile access to the social messaging part of social networking. What we are doing is marrying mobile email with social networking,” says Brinkschulte. “It doesn’t matter if someone is sending me an email or Facebook message. I just want to get that message and respond to it without having to log in, it just comes to my handset.”
Also cropping up is litigation around activities occurring on social sites. The Minnesota Court of Appeals recently addressed an important question about disclosure of personal information on social networking sites when the court ruled that HIPAA (Health Insurance Portability and Accountability Act) does not preempt contradictory state laws allowing patients to sue for wrongful disclosure of patient records. The case is about a woman who visited a clinic in Apple Valley, MN, to get tested for sexually transmitted diseases when she took on a new sexual partner while estranged from her husband. Her electronic records were posted on MySpace by a relative of the husband who worked at the clinic. The patient sued under state law, but a trial court threw out the case on the grounds that HIPAA prohibits private lawsuits for violating federal privacy rules. With the appeal overturning that original ruling, the case can be tried. “In today’s Internet age, it has become much easier for sensitive information to be disclosed on the Internet through social networking sites,” says John Delaney, technology transactions group co-chair for Morrison & Foerster, one of the country’s leading privacy practices representing global companies on data breach and privacy compliance. “This case is a reminder of the growing body of privacy-related laws and regulations, and the need for caution in collecting, storing and disclosing sensitive personal information, such as medical records.”
Setting Policies
The seen and unforeseen impact of social technology adoption requires organizations to put policies in place around the use of social media within the corporate network. “For instance, you may want to permit someone to view content on Facebook, but not upload content, if you are worried about data leakage,” offers Sutton. “Or perhaps it is okay to upload, but only during certain hours, and use only so much bandwidth.” He stresses again that organizations now must move to managing behavior, not just specifically access.
Yaneza recommends organizations take a step back and study what employees are doing in terms of social networking. “Is it something that your company does as a requirement to specifically do business? If so, then your policies may be different from a company that only allows employees to surf during lunchtime. Today, draconian blocking is not going to work because the other threat, aside from all the desktops, is that people have smartphones.” Yaneza advises organizations to have policies for the gadgets that people bring into the office and that go home. He also says policies need to extend to include what can and cannot be said in a social network. “Individuals need to be made aware of the threats and the repercussions of not adhering to the policy,” he adds. “I know in some companies, and not even in a social environment, if you leak out certain data you can be taken to court. When it’s done on a social networking site, it is much more public than if you share something with just an individual.”
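One way to express the kind of policy Sutton and Yaneza describe (view but not upload, access limited to certain hours, a capped share of bandwidth, an exception for the team with a business need) is in a forwarding proxy. The Squid configuration below is an added example, not a configuration from the article or from any company quoted in it; the site list, address ranges, hours and rate are assumed values.

```conf
# Added example (assumed values): manage behaviour on social sites rather
# than simply blocking or allowing them.

acl social_sites dstdomain .facebook.com .twitter.com .myspace.com .linkedin.com
acl uploads      method POST PUT        # requests that push content out of the network
acl lan          src 10.0.0.0/8         # corporate desktops (assumed range)
acl marketing    src 10.0.5.0/24        # team with a business need (assumed range)
acl lunch        time MTWHF 12:00-13:00 # window when general browsing is permitted

# Marketing may read and post all day.
http_access allow social_sites marketing

# Everyone else may view, but never upload, and only at lunchtime.
http_access deny  social_sites uploads
http_access allow social_sites lan lunch
http_access deny  social_sites

# Cap social-site traffic at roughly 64 KB/s shared across all users.
delay_pools 1
delay_class 1 1
delay_parameters 1 64000/64000
delay_access 1 allow social_sites
delay_access 1 deny all
```

Over HTTPS the proxy sees only a CONNECT to the host, so the method-based upload rule is effective only for plain HTTP unless TLS inspection or an endpoint control is added; the proxy’s access log is what makes the “monitor anything going out” part of the policy possible.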
Sophos experts predict that users will continue to share information inappropriately, putting their identities and potentially the organization they work for at risk. “The danger is that by completely denying staff access to their favorite social networking site, organizations will drive their employees to find a way round the ban and this could potentially open up even greater holes in corporate defenses,” cautions Cluley.
For Brinkschulte, social networking threats are worth the risk. “We take the view of being an enabler of communication, because we think the upside of mobile communication and mobile communication within the context of social networking is much higher than to worry about what could go wrong or where the potential security threats are,” he states. “I have always taken the view that corporate security is very often overdone, trying to prevent things from happening, trying to protect the company against security leaks, but in reality the biggest security threat in any organization is the human, not necessarily the technology that is being used. I think the biggest security leaks for example are people putting things on a memory stick or CD from their work systems and taking them home.”
Regardless of how an organization approaches securing social networking, one thing is sure: social networking and media sites are here to stay. According to Brinkschulte, the trend is extending across the globe. “Social networking is by no means a phenomenon limited to the West. The use of social networking within emerging markets is exploding; comScore reports that the greatest year-on-year growth of social networking subscriptions comes from the Middle East and Africa (66 percent) and Latin America (33 percent).”
Understanding how employees use social technology with corporate resources is a solid step towards managing the threats those sites may hold and building acceptable use policies. “My overall message, whether you are talking to an individual or to a corporation, is that you certainly should not fear social networking,” concludes Sutton. “Put yourself in a position where you are not limited to a binary decision of employees can or cannot access. You can’t rely on a patched browser and educated users to be safe. It is not enough. Make sure people can access if they need to. Make sure you are managing their behavior on that site. Decide what functionality they can have. Treat anything that is coming in as untrusted and monitor anything going out for confidentiality. Social networking is not going away. It is very powerful, and can be a very effective tool for an organization. But manage the behavior on those sites.”