Twitter risks, Facebook threats trouble security pros

By Eric Ogren
01 Jul 2009 | SearchSecurity.com



The explosive growth in social networking has positioned many security teams solidly between a rock and a hard place. On the one hand, conscientious security executives cannot ignore the data loss and regulatory compliance risks to the corporation; on the other hand, security cannot politically survive by categorically objecting to other organizations' innovative use of new business tools.

According to a recent Websense Inc. survey, the decision has already been made by the business units with 86% of IT respondents reporting pressure to allow more social networking in the business. The message resonates loud and clear to security: Resistance to advances in technology is futile; find secure ways that business can move forward.


More and more data is hosted outside of corporate data centers, with that data being accessed by end users via Internet protocols from within office buildings, personal computers at home, or anywhere/anytime mobile devices such as Apple iPhones. Enterprises are increasing investments in the use of social networking websites as a cost-effective means of collaborating with prospects, customers, employees and partners. Facebook is hardly the sanctuary for the latest generation, as demographically its user base consists of professionals between ages 25 and 35. There is also the 1382% year-over-year growth rate in Twitter and the reported 152 million users watching 16.8 billion online videos on social networks that security has to contend with. Social networking is already ubiquitous and it is silly for IT to take a negative stand against these strong trends. But Twitter risks and Facebook threats are real. The best approach for security is to work with the business organizations to help make use of social websites as safe as possible while acknowledging that there are risks involved.

Educate employees and business partners on social networking risks. Web security training is a must. In many ways, the use of social websites follows the same common sense rules as using the telephone, showing business documents, or other settings that occur outside the confines of the office building. Security should conduct regular communications on the responsible handling of confidential data and the dangers of following suspicious links on social websites, and make resources available to employees who have questions or need help recovering from a security incident. Employees should also know that in highly regulated industries, such as finance with stringent auditing requirements, violations of acceptable behavior policies may result in termination.

Allocate a percentage of security time to audit social networking sites for the presence of confidential information. The business does not need to be surprised by confidential data residing in public locations or fail to understand which social websites are the leading sources of malware. Reinforce the education program by actively searching for confidential data on pages of social websites, blog postings and comments, and monitoring security services for websites with unacceptable reputations. It is far better for security teams to spend time on prevention than it is to spend time cleaning up a problem.

Introduce technology when appropriate. The business will be competing via social networks long before refined security tools are available. Eventually, security features will become available that can help the organization use social websites without unduly increasing the risk of data loss or exposure to malware. For instance, Facebook Publisher now allows the user more granular control over content sharing, which may help companies use Facebook with restrictions on who is authorized to view the content; that is a fair trade-off for business users. Bandwidth management products can be useful in throttling back video and audio streams to preserve network bandwidth for priority business applications without IT having to deny access to users.

Security needs to have procedures in place for protecting the company as users gravitate towards new applications or cool personal devices. For most, those procedures start with Web security training on risks and acceptable behavior followed by audits of education and finally technology assistance once security and administration requirements become understood. Security cannot slow down the Twitter phenomenon, but it can act before an insider tweets to tout the company stock.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
