Exploitation of trust is one of the most critical social media risks, as far as India is concerned. Motivated adversaries compromise social media accounts and then send malware to the victim's trusted connections (for example, contacts made through sites such as Orkut, Facebook and Bharatstudent), because a message that appears to come from a known contact is far more likely to be opened. Individuals are more likely to accept programs, code and videos from people in their social networks than from random websites. Here are some key social media governance measures through which enterprises can build a security strategy to address such risks.
1. Risk assessment: Since enterprise use of social media tools does not usually require the deployment of additional technology, an enterprise social media presence does not always begin with a project plan and a risk assessment. It is therefore important that the enterprise has a plan to address the risks that accompany this technology. The areas that enterprises need to assess as part of social media governance are:
- Use of social media as a business tool to communicate with customers.
- Employee access to social media sites while on the corporate network.
- Use of social media tools from corporate-issued mobile devices.
- Vulnerabilities, such as insecure third-party applications, on an employee's personal social media page; these can result in unacceptable exposure of the corporate network when the employee accesses that page from work.
2. Develop user policy: The organization's information security policy should include acceptable use clauses that inform users of their responsibilities for protecting corporate information and for complying with corporate policies. Ensure that this policy addresses both business and personal use of social media in the workplace. Policies for social media governance should address three specific areas: employee personal use of social media in the workplace, employee personal use of social media outside the workplace, and employee use of social media for business purposes, including from personally owned devices.
3. Conduct awareness training: The key to success in social media governance is education and monitoring. CISOs should follow the mantra of "embrace, but educate" as part of their social media governance strategies. It is important for CISOs to recognize that the concept and associated technologies of social media make it a powerful business tool that can be used effectively to enhance business capabilities. CISOs should focus their attention on educating individuals and the organization on the risks related to social media and how best to mitigate them, while still making use of these capabilities.
4. Establish an official social media presence: A corporate blog, Twitter profile or LinkedIn group can be used to ensure that your organization's voice is represented in relevant conversations, and gives customers an authoritative channel to check against when they receive messages claiming to come from the organization.
5. Monitor social media sites: The use of social media also introduces a new communication channel that must be monitored and managed. The company can also assign dedicated resources to monitor social sites for mentions of organization-related information.
6. Technology: Malicious email, social engineering and phishing attacks are some of the key technical risks posed by social media. The enterprise's IT department needs to have controls in place for social media governance (both network- and host-based) to mitigate the risks presented by malware. Suitable controls include download restrictions, browser settings, data leak prevention products, content monitoring and filtering, and antivirus and antimalware applications.
Note: These tips are based on ISACA's recently launched white paper titled "Social Media: Business Benefits and Security, Governance and Assurance Perspectives".
This was first published in July 2010