Introduction
The growth of web-based social media applications such as Facebook, Twitter and LinkedIn presents a set of unique challenges to organisations, both with respect to the individual users and also the possibility of breaching corporate information security principles. Addressing these risks is an important objective of an Information Security Management System, and should be given proper consideration during formal risk assessment activities. It is known that law enforcement and public authorities are already using social media applications to seek out information on individuals, as are insurance companies and other investigative organisations. There are also current and future employers who will take an interest in social media activities, and perhaps most sinister of all are those who have illegal intentions such as identity theft, stalking, harassment and corporate fraud.
Social Media Applications and the Individual
Recently described as “one of the fastest growing industries in the world”, identity theft has been defined by the Identity Theft Resource Centre as encompassing five distinct activities:
- Business or commercial identity theft (e.g. for obtaining a line of credit)
- Criminal identity theft (e.g. providing a false identity when apprehended for crimes)
- Financial identity theft (e.g. using another’s identity to obtain credit, goods or services)
- Identity cloning (e.g. using another’s information to replicate and live their daily lives)
- Medical identity theft (e.g. using another’s identity to obtain treatment or medication)
Social media applications promote the sharing of information, and can provide most or all of the information which allows all of the above activities to take place, if they are not configured and used correctly. Some examples include:
- Disclosure of date and place of birth: frequently displayed on Facebook profiles, without proper consideration for how these could be misused by others
- Mother's maiden name: used universally as a piece of authentication information - can this be worked out from social media content?
- Holiday plans: not only advertises when property will be empty, but allows identity thieves an attack window when they know the users are unlikely to be checking their accounts
- Use of location services: many social media applications allow users to communicate their precise geographic location, again allowing attack windows
- Unrestricted photographic content: from security arrangements of an office to vehicle registration numbers. Very useful in the wrong hands.
Educating Social Media Users
Most social media applications already offer reasonable levels of protection for users' personal information, but users need to understand what these are and how to set and maintain these controls effectively. Using Facebook as an example, users are routinely offered four levels of privacy:
- Friends only - a sensible option, sharing content and photos only with known friends (although it doesn't restrict how friends might then onwardly share that information)
- Friends of Friends - whilst users will have a reasonable degree of comfort within their friends network, how well do they know the friends of their friends?
- Everyone - the global setting which offers no privacy or security. Using this privacy option provides no protection - anyone with a Facebook account will see this content
- Customise - allows for the individual configuration of content, although it is the most time-consuming option to implement. Allows users to limit content down to one person, if need be
Other social media platforms provide a similar range of privacy options, and a program of user awareness and privacy training is a wise investment to ensure that they are used properly.
Social Media Applications and the Employer
Whilst many of the above observations expose vulnerabilities to the individual users of social media applications, some of these users will also be trusted employees of an organisation. An emerging and worrying trend is for individual identities to be compromised, with the associated increased threat of corporate identity fraud using this illegally gained information. This is most serious if the compromised individual is a key member of an organisation, perhaps with responsibility for legal or financial matters, where in the worst cases the legal status of the company could be changed, financial records amended or disclosed, or financial funds diverted to unauthorised accounts.
As part of an effective Information Security Management System, organisations should establish, implement and communicate their position on and the agreed acceptable use of social media applications. This document should clearly explain, as a minimum:
- the objectives of the Policy: protecting the company, its information and its employees
- position on using social media applications: from a complete ban to authorised purposes
- communicating an acceptable code of conduct - what should and should not be posted
- communication of known risks - including specific risks about using mobile devices
- managing passwords - keeping social media passwords separate (and different)
- details of monitoring activities that are to be undertaken to measure policy compliance
A balanced, considered view is necessary. A total ban of social media is difficult to enforce, and can lead to the organisation missing out on the positive aspects of using social media:
- raise awareness of the organisation's existence and its activities
- promote and advertise new products and services
- allow great flexibility for communicating with customers and employees
- advertise vacancies, share press releases
- participation and collaboration in sector based forums and discussion groups
A few moments on Google (other search engines are available) will return numerous stories of social media application postings bringing disciplinary action and dismissals for (ex) employees, including examples of a waitress complaining about poor tips from a diner, a journalist challenging the management practices of his senior executives, and an IT manager relieved of his position for openly discussing the salary packages of his colleagues.
If unauthorised or negative postings are located, it is imperative that organisations take prompt and effective action to ensure that they are removed, and any resulting damage minimised. Whilst there is valid debate around “freedom of speech”, this blog is primarily concerned with protecting organisational information assets in these circumstances.
Software Vulnerabilities
Social media applications, most notably Facebook and Twitter, offer users a bewildering array of third party software programs and utilities, from games and news feeds to shopping channels and music services. If an organisation is allowing any level of access to social media applications, its supporting security policies should clearly state the position on whether such downloads are permissible.
The threat remains that users will not know the authenticity of the code that they are downloading to the organisation's ICT infrastructure, and therefore cannot be certain that it does not contain any malicious code that could compromise the user’s account, or worse the wider corporate network. High profile social media breaches are sadly all too common, and technical measures may need to be considered to manage such risks.
Summary
Social media applications are here to stay, and organisations need to understand and assess the risks that they pose alongside the benefits that they may provide. Effective controls should be implemented to minimise the possibility of individual or corporate identity theft and data loss, as well as the risks arising from downloaded malicious code.
An effective Information Security Policy, Social Media Policy and Acceptable Use Policy should be in place to provide clear direction to employees. Corporate information security training needs to communicate the risks to the organisation, and equally the risks to the individual which relate to their personal use of social media.
Whilst social media channels provide efficient and cost effective means of distributing organisational communications, their content and the authority to publish them should be clearly defined. Maintain awareness of the possibility of posts containing negative, unauthorised or misleading content, and understand the steps to be taken to minimise the impact.
With our help, InfoSaaS will protect your business from social media related risks through an effective risk management framework. Please take a moment to view our website at http://www.infosaas.uk and register for updates for our new cloud-based information security software which will be launched on 1st October 2014.
Acknowledgements
All trademarks of products and services referred to within this blog are hereby acknowledged as being registered to their respective organisations.