The explosive growth in social networking has positioned many security teams solidly between a rock and a hard place. On the one hand, conscientious security executives cannot ignore the data loss and regulatory compliance risks to the corporation; on the other hand, security cannot politically survive by categorically objecting to other organizations innovative use of new business tools.
According to a recent Websense Inc. survey, the decision has already been made by the business units with 86% of IT respondents reporting pressure to allow more social networking in the business. The message resonates loud and clear to security: Resistance to advances in technology is futile; find secure ways that business can move forward.
Social networking threats:
Firms show DLP interest to monitor social networking traffic, survey finds: Organizations are worried about increased use of blogs, wikis and other social media websites, but budget limitations may be holding back investments in DLP.
IT managers under pressure to weaken Web security policy: A new survey suggests senior and mid-level executives want to expand use of social networking platforms, cloud-based collaboration tools and other applications.
More and more data is hosted outside of corporate data centers, with that data being accessed by end users via Internet protocols from within office buildings, personal computers at home, or anywhere/anytime mobile devices such as Apple iPhones. Enterprises are increasing investments in the use of social networking websites as a cost effective means of collaborating with prospects, customers, employees and partners. Facebook is hardly the sanctuary for the latest generation, as demographically its user base consists of professionals between ages 25 and 35. There is also the 1382% year-over-year growth rate in Twitter and the reported 152 million users watching 16.8 billion online videos on social networks that security has to contend with. Social networking is already ubiquitous and it is silly for IT to take a negative stand against these strong trends. But Twitter risks and Facebook threats are real. The best approach for security is to work with the business organizations to help make use of social websites as safe as possible while acknowledging that there are risks involved.
Educate employees and business partners on social networking risks. Web security training is a must. In many ways, the use of social websites follows the same common sense rules as using the telephone, showing business documents, or other settings that occur outside the confines of the office building. Security should be conducting regular communications on responsible handling of confidential data, the dangers of following suspicious links on social websites and make resources available if they have any questions or need help with recovery from a security incident. Employees should also know that in highly regulated industries, such as finance with stringent auditing requirements, violations of acceptable behavior policies may result in termination.
Allocate a percentage of security time to audit social networking sites for the presence of confidential information. The business does not need to be surprised by confidential data residing in public locations or fail to understand which social websites are the leading sources of malware. Reinforce the education program by actively searching for confidential data on pages of social websites, blog postings and comments, and monitoring security services for websites with unacceptable reputations. It is far better for security teams to spend time on prevention, than it is to spend time cleaning up a problem.
Introduce technology when appropriate. The business will be competing via social networks long before refined security tools are available. Eventually, security features will become available that can help the organization use social websites without unduly increasing the risk of data loss or exposure to malware. For instance, Facebook Publisher now allows the user more granular control over content sharing, which may help companies use Facebook with restrictions on who is authorized to view the content, which is a fair trade-off for business users. Bandwidth management products can be useful in throttling back video and audio streams to preserve network bandwidth for priority business applications without IT having to deny access to users.
Security needs to have procedures in place for protecting the company as users gravitate towards new applications or cool personal devices. For most, those procedures start with Web security training on risks and acceptable behavior followed by audits of education and finally technology assistance once security and administration requirements become understood. Security cannot slow down the Twitter phenomenon, but it can act before an insider tweets to tout the company stock.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.