The first installment of our two-part series on social media security issues dealt with the key threats and method of attacks. With social media becoming rampant, enterprises needs to pull up their sleeves against
To enable the use of social media and ensure business benefits, an organization can implement social media security policies, technology, and undertake employee education. Stringent social media security policies and guidelines can protect enterprises against embarrassment, security risks, and potential legal action. According to Enterprise Security Survey 2010 – Millennial Mobile Workforce and Data Loss survey by Symantec, only 19% of Indian enterprises have social media security policies, a third of which have blocked access. Let’s now look at the seven essentials for designing a social media security plan:
- Develop a social media security policy: Enterprises can significantly reduce risk by developing a social media security policy that governs the usage of social media by employees and the company as a whole. While designing a social media security strategy, one needs to keep in mind the company’s requirements of using social media for business and also its risk appetite. However, the real value will be achieved only when policies are properly enforced and continuously monitored over time.
- Have a multidimensional, risk-based approach: Social media is just a new vector ― attackers are essentially targeting poorly protected infrastructure and information, weakly enforced policies, and badly managed systems. Besides, there is an ambiguity over ownership and responsibility of information on social networking sites. Hence, an infrastructure-centric approach to secure information may not be enough. The social media security strategy needs to be multi-layered, risk-based, and information-centric with tools and solutions that take into account the unique risks that social media pose.
- Identify safe social networking sites: Not all social networks are created equal when it comes to safety and security. Social media security policies should allow employees to have access only to sites that are safe and trustworthy.
- Enhance enterprise network visibility: Social media security policies should also be set up to monitor, detect, and remediate incidents. Enterprises need visibility into the network to monitor activity on social media to automatically detect and report threats, and take action. This, for instance, may be done by using data loss prevention and web content filtering solutions.
- Classify sensitive data: While defining social media security policies, enterprises need to first identify and locate sensitive data. An example of a policy would be safeguarding the employees from tactics employed by image spammers. Image spamming involves the email recipient unwittingly sending a request to the spammer’s server hosting the image every time he/ she opens spam email, thus divulging his/ her email address.
- Protect endpoints: From the infrastructure perspective, social networking sites are now accessed through multiple endpoints — from laptops and desktops to smart phones. Hence, enterprises should ensure that they have the right endpoint protection solutions for each of these devices. Social media security policies should be defined on the kind of sites that each device is allowed to access.
- Educate employees: It is advisable to inform employees to be conscientious of who is being added and to avoid clicking on links from unfamiliar followers. For example, shortened links can contain traps to malware and infect computer systems, if opened. Educate the employees to use tools that allow them to view the full URL before clicking, as an infected link could harm not just their personal computers but the entire company network. The social media security policy should educate them on what to reveal about the company.
These social media security policies and practices will enable enterprises to establish a strong governance model for social media usage.
About the author: Shantanu Ghosh is the vice president for India product operations at Symantec Corporation. He has been instrumental in building a significant R&D footprint for Symantec enterprise security products in Pune.
(As told to Dhwani Pandya)
This was first published in January 2011