The increasing use of social media at many enterprises has CISOs on guard, but a new report urges security professionals to take measured steps to reduce social media risks, rather than outright ban employees from visiting social websites.
Results of a recent survey conducted by Cambridge, Mass.-based Forrester Research Inc. indicated that the adoption of social media in enterprises has doubled in the past year from 11% in 2008 to 22% in 2009, said Khalid Kark, vice president and principal analyst at Forrester. Kark predicted that the numbers will continue to climb.
"There is adoption of social media going on, and it is getting slightly more acceptable to use some of the social media sites at work," Kark said. "The rate of this change is very significant. We're not talking about a 5% or 20% increase; we're talking about this total doubling in one year."
The Forrester report, "Twelve Recommendations For Your 2010 Information Security Strategy," explains how taking a careful and measured approach toward planning an information security strategy in 2010 could help address skyrocketing social networking use and insulate enterprises against the threats it poses.
Tony Spinelli, chief security officer at Atlanta-based credit information firm Equifax Inc., leads a social media committee consisting of the company's sales, marketing, IT and security staff. Spinelli said the company has taken a holistic approach by dealing with social media in an open forum. The goal has been to use social media as a tool to connect with customers and at the same time protect against data leakage.
"We've tried to be balanced and put safeguards in place to ensure data protection when employees are visiting social media sites," Spinelli said.
The expanded use of social media within organizations may be causing some CISOs to rethink the way they protect sensitive data, including intellectual property. Kark said he talked to one CISO who likened the increase of social media usage to a "freight train coming, and we have to figure out what our defenses are going to be, or else we're going to be crushed."
That line of thinking doesn't bode well at organizations like Equifax, where company marketing teams are finding success targeting specific users on social networking sites. If there is a business use, CISOs must rethink how to deploy defenses to mitigate the increased risk while addressing the needs of the sales and marketing teams.
"If you allow social media in your environment without any defenses or controls, then yes, that is going to increase your risk," Kark said. "There's a fine balance at play here."
A change in data ownership
Kark breaks down his recommendations into three subsets: change in technology, change in business expectations, and change in (security data) ownership. IT teams can no longer say they "own" data, especially with the increased use of outsourcing operations to third parties, Kark said. He added that security operations are also being outsourced and organizations need to set expectations to ensure data is being properly protected.
"If you rely on the outsourcer to build your security," Kark said, "they're going to do the bare minimum, because they're there to make money."
Kark said that security professionals need to take a more proactive approach and roll with the rapid pace of technology changes. Involving employees in security decisions, as Equifax has, can help reduce risks. A security-savvy employee can often detect a threat before most security systems, Kark added, so organizations should utilize humans as their first line of defense, devise a security strategy that best suits their needs, and embrace new technologies that can provide a secure work environment.
"Security needs to adjust to the realities of the business and when they do there are three core areas that you need to focus on in terms of protecting: the people, the process, the technology," Kark said.
It has taken CISOs time to wake up and address the rising use of social media in the workplace, said security expert Lenny Zeltser, who leads the consulting practice at Savvis and is a faculty member at the SANS Institute. Zeltser said that at first CISOs were in the "denial stage" when faced with the security risks social media sites posed, but more CISOs have now made it to the "acceptance stage."
"I would like to see more open access within organizations," Zeltser said, "but this can only happen if companies invest in proper monitoring tools, and train their employees in how to properly use them."