Just how risky is social network usage for the enterprise? And how can you strike the right balance between a happy workforce and a secure, effective system?
Social networking in the enterprise has implications beyond the trade-off between happiness and distraction in the workforce.
Hard to control and difficult to characterise, it represents a unique vector into the heart of organisations that must be understood to be made safe.
When policy-based contextual security vendor Clearswift surveyed global attitudes towards social media within the enterprise last year, it revealed that 19 percent of companies routinely blocked access to social-networking sites and 48 percent of managers considered social media usage as being of concern.
In the UK, the exact same proportion (48 percent) of enterprises thought that the benefits of social networking outweighed the potential security risks.
This social/anti-social dilemma is set to continue alongside the consumerisation of workplace IT, with Bring Your Own Device (BYOD) being the buzzword of the day. One of the biggest problems is the security disconnect between management and employees; 50 percent of managers believe that staff are oblivious to the security concerns of social networking, but only 21 percent of employees admit they don't think about social media security issues at all. So where does the truth actually sit?
The real risks of social media
Education is key: management needs perspective on the real risks of social media use within the enterprise, while employees need to ensure that those risks are understood and controlled by acceptable behaviour.
In fact, the risks of staff engagement with social media are little different to those of using the cloud — or even, when it comes down to it, CRM tools. Access, Data Loss Prevention (DLP) and compliance will apply to most enterprise situations for all of them.
If you consider security as the driver, regardless of the platform, and apply the same basic best-practice principles of data protection to social network usage as you would anything else, then you and your business should be OK. Apart from, quite possibly, the regulatory compliance angle. This will depend upon your industry sector, but posting to Facebook could easily fall into non-compliance territory if sensitive corporate data is exposed to the public internet in this manner.
Blanket bans are rarely a good idea, and in the case of access to social media at work could prove to be disastrous from a productivity angle — report after report reveals employee demotivation when access to social networks is removed.
The BYOD equation
More important is the security angle itself. With the increase in BYOD apparent everywhere, employees will quickly find ways to circumvent any filter and side-step security measures in the process. Social networking via BYOD is becoming an increasing problem in the enterprise.
Many companies take steps to authorise these devices to connect via Wi-Fi and provide protection to the greater network beyond as with any other device. But too often, no thought is given to when BYOD becomes TYOD, or Take Your Own Device. Take it outside the reach of the enterprise network and a seamless switch to 3G connectivity cuts in, creating a potential vulnerability should some zero-day-exploiting malware piggy-back on the mobile platform into your network if accessed outside of the Wi-Fi zone.
Report after report reveals employee demotivation when access to social networks is removed.
Email used to be the main tool for the phisher, and the main tool for spreading malware in all its forms. That's rapidly changing, and social networks are fast becoming a preferred option for the criminal fraternity. Social networks are ideal ground to gather the kind of insider information required to validate a spear-phishing attack, and the trust factor can easily be leveraged to add further opportunity for a successful strike.
The clue is in the name: social networking. We socialise with those circles of people we trust, our Facebook friends, LinkedIn contacts and the like. However, if just one of those friends succumbs to an account compromise then the entire circle is at risk. Those employees who understand the risks of social media are less likely to click on random links, but if a trusted friend or work colleague says 'check this link out' all bets are off.
Account hacking is not just a risk from the circle-of-friends angle, it's a very real risk to your employees as well. Poor password management together with unencrypted connections (often away from the office environment) are a dangerous mix that can lead to account hijack and the potential for serious reputational damage. Facebook mitigates this by employing an optional anti-hijack tool that will notify the user by email should an account be accessed using a new device.
Hybrid attacks
More recently, there has been an increase in hybrid attacks that employ both email and social media elements. For example, among the most prevalent brands leveraged for malware distribution, as revealed by the GFI Labs ThreatNet Detection System, is LinkedIn — the social-networking platform of choice for the business world.
Interestingly, it wasn't the social network itself that was used by the cybercriminal fraternity, according to the report — which looked at instances of malware during March — but instead the behaviour of its users. Emails that appeared to have been sent by LinkedIn, which included fabricated invitation update reminders, were used to redirect anyone clicking the links to a black-hole exploit that installed a well-known banking Trojan.
Employee behaviour, then, is likely to be the most problematical of the potential security risks posed by social media. The almost generic casual attitude towards using social media — and the clue is in the name, after all — transfers from the personal into the corporate and brings with it all kinds of associated risk.
When interaction is trimmed down to a knee-jerk reaction, be it in terms of accepting friendship requests or the clicking of links shared by existing contacts, it isn't difficult to see how such behavioural patterns can negatively impact upon enterprise security principles.
Three steps to social media security
To make social networking within the enterprise more secure, you must apply three components: education, policy and enforcement:
Educate all staff, including management, in the risks of social networking.
Back this up with a formal acceptable-use policy (AUP), which updates any existing business communications guidelines to include specific social media usage policy.
Enforce this with content management controls and network protection technology such as malware and URL filtering at the gateway. Next-generation firewalls will classify and protect application traffic, detecting threats from social media usage.
