With the explosion of social networking, interaction and collaboration, email has lost its position as the primary Internet-based
communication tool. In fact, a related study I recently read reported that there were more social networking accounts than Webmail accounts in 2009.
Today, users rely more on blogs, tweets, social networking posts and even video clip communications to enrich both personal and professional information exchange. Even businesses are leveraging social networking to communicate with customers, employees and partners.
While these sites and services offer tremendous business benefits, they also present serious risks that have to be managed. For instance, their popularity makes them frequent targets of malicious attacks. Video sites like YouTube consume tremendous amounts of bandwidth if they are not properly managed on the corporate network. And employees may intentionally or accidentally leak sensitive company data onto a social networking site, breaches that can result in lost competitive information, public relations headaches, fines, legal action and more.
The good news is, with the right security approach, these consequences can be successfully avoided.
In addition to addressing technology gaps, you also have to educate users about social networking security problems that stem from simple human error. And while the end user will likely remain the number one security risk for any organization, dramatic results can be achieved with just general security training.
Education should begin with the basics, but placing those basics in the context of social networking keeps them fresh and interesting.
For example, poor login and password practices are a common problem within social networking. Routinely changing login credentials and protecting the confidentiality of passwords are basic security requirements – or should be. While this may sound like common sense, a recent fiasco may have been caused by a scientist who actually included his password in his email signature. So even highly educated users need to be reminded about basic security measures. Cybercriminals also know that many users use the same login ID and password on multiple sites, which lets attackers easily gain access to social networking accounts. In one instance, many Twitter accounts were hacked when users were tricked into creating an account on a fake torrent site.
Other examples that are much less dramatic, but occur much more frequently, take place when users try to share something with a select group in an appropriate way, but do not realize that the way they shared it made it available to a broader group. Some applications may be popular enough to justify in-depth application training for users. A great example of an easily avoidable issue recently occurred when over 100 million Facebook pages were compromised simply because most users did not understand some of the security settings available.
It may be worthwhile to start surveying users to identify their needs, applications of choice and perhaps even their own list of concerns. Then prepare a plan to ensure users are aware of how to use those applications safely.
Also, users need to be reminded that there are no safe zones on the web – including social networking sites. Assume that everything revealed on a social networking site will be visible on the Internet forever. Once it has been searched, indexed and cached, it may later turn up online no matter what steps are taken to delete it.
Finally, most users are no different than IT – no one reads the manual. So many users won’t really understand security guidelines until they violate them once or twice. “Coaching screens” are informational pop-ups or browser redirects that appear at the instant a violation occurs, informing the user that they have violated a policy, that someone else knows about it, and how to prevent it from happening again. From a product standpoint, IT should look for solutions that not only provide security, but can also support education efforts.
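A small policy engine of the kind a coaching screen sits on top of, added here as an illustration of the idea in the paragraph above. This is example code, not the article's or any gateway vendor's; the hostnames, the category table, the policy texts and the coaching-page URL are all constructed. It shows the three outcomes a gateway needs to distinguish: plain allow, "coach" (interrupt the first visit with an explanation, record it, then allow once the user acknowledges) and hard block, with every coached or blocked request written to an audit list so that IT knows about it too.

```python
"""Minimal web-gateway "coaching" policy (hypothetical example code)."""

from dataclasses import dataclass, field
from urllib.parse import quote, urlsplit

# Constructed category table: hostname (or parent domain) -> category label.
CATEGORY_BY_HOST = {
    "socialnet.example": "social-networking",
    "video.example": "streaming-video",
    "filedrop.example": "file-sharing",
}

# Constructed policy: category -> (action, message shown on the coaching screen).
# "coach": interrupt once, allow after the user acknowledges the policy.
# "block": never allow, but still explain why.
POLICY = {
    "social-networking": ("coach",
        "Posts on social networks are public and effectively permanent. "
        "Do not share customer data or internal project names."),
    "streaming-video": ("coach",
        "Streaming video consumes shared bandwidth; keep it to work-related use."),
    "file-sharing": ("block",
        "Uploading files to external sharing sites is not permitted by policy."),
}

# Constructed location of the coaching page the browser is redirected to.
COACHING_PAGE = "https://coach.example/notice"


@dataclass
class Decision:
    action: str          # "allow", "coach" or "block"
    category: str
    message: str = ""    # text for the coaching screen (empty when allowed)
    redirect: str = ""   # URL the gateway sends the browser to (empty when allowed)


@dataclass
class CoachingGateway:
    # (user, category) -> True once the user has clicked through the coaching screen
    acknowledged: dict = field(default_factory=dict)
    # one (user, category, action, url) tuple per coached or blocked request
    audit: list = field(default_factory=list)

    def categorize(self, url: str) -> str:
        """Map a URL to a policy category by its host; unknown hosts are uncategorized."""
        host = (urlsplit(url).hostname or "").lower()
        for domain, category in CATEGORY_BY_HOST.items():
            if host == domain or host.endswith("." + domain):
                return category
        return "uncategorized"

    def evaluate(self, user: str, url: str) -> Decision:
        """Decide what the gateway does with one request from one user."""
        category = self.categorize(url)
        action, message = POLICY.get(category, ("allow", ""))
        if action == "allow":
            return Decision("allow", category)
        if action == "coach" and self.acknowledged.get((user, category)):
            # The user has already seen the coaching screen for this category.
            return Decision("allow", category)
        # Coached and blocked requests are both recorded, so "someone else knows".
        self.audit.append((user, category, action, url))
        redirect = (f"{COACHING_PAGE}?action={action}&category={category}"
                    f"&return={quote(url, safe='')}")
        return Decision(action, category, message, redirect)

    def acknowledge(self, user: str, category: str) -> None:
        """Called when the user clicks through the coaching screen."""
        self.acknowledged[(user, category)] = True


if __name__ == "__main__":
    gw = CoachingGateway()
    for user, url in [("alice", "https://www.socialnet.example/feed"),
                      ("alice", "https://www.socialnet.example/feed"),
                      ("bob", "https://filedrop.example/upload"),
                      ("bob", "https://intranet.example/wiki")]:
        d = gw.evaluate(user, url)
        print(f"{user:6} {d.action:5} {d.category:18} {d.redirect}")
        if d.action == "coach":
            gw.acknowledge(user, d.category)   # simulate the user clicking through
    print("audit:", gw.audit)
```

The design choice worth noting is that acknowledgement is keyed per user and per category, not per URL: the point of a coaching screen is to teach the policy once, not to nag on every page view, while blocked categories stay blocked no matter how many times the screen is acknowledged.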
Conclusion
Social networking has achieved a level of popularity that requires reasonable access at work, but it is also sufficiently mature to bring value to many businesses. But safe social networking requires an aggressive and layered security strategy at the web gateway, as well as the definition of new usage policies and priorities from management and IT. Better end-user education will also be required to ensure workers use social networking applications safely and appropriately.
The combination of layered security and education can help organizations dramatically reduce the risks from malware, phishing, data loss and bandwidth abuse.
Why is all this necessary? Cybercriminals are taking advantage of social networking’s fundamental model of familiarity, trust, sharing and open communications to dupe users and steal valuable data.
To close these security gaps, IT and business leaders must ensure they have the right security strategies in place to identify and protect against the rapid evolution of social networking threats.