Is social media a security problem? What are the security risks associated with social-media use, and who owns these risks?
Deeper relationships must be balanced with reputational risk
Avtar Sehmbi, member of ISACA London security advisory group, head of security and IT risk management, Deloitte
Let's start by asking whether social media presents an increased security threat. Leaving aside the much-promoted benefits of collaboration and interactivity, as a risk and controls expert I believe social media do indeed introduce an increased level of risk with several complex and evolving dynamics which need to be understood and managed so that our businesses can operate securely.
My first challenge is to fully understand the risks associated with social media.
I count myself lucky in that my role as head of security at Deloitte means I get to work alongside one of the best advisory teams in the market. Our Information & Technology Risk practice has over 550 world class security and technology risk specialists who can help me look at the complex and fluid concept of social media from all angles.
They have served a great variety of organisations on risk matters and have invaluable experience looking at how social media risks are managed elsewhere, so that I can take advantage of that knowledge and apply it at Deloitte.
With such a spectrum of expertise and knowledge, I am well positioned to provide support and consultancy to safely take advantage of social media. These activities could range from knowledge transfer and awareness to the definition and communication of usage policies and the provision of support for technical security deployments.
I am also involved in consulting within the business, including antivirus, internet filtering, key word searching, incident response, rights management, architectural design (in the case of unified communications), and the list goes on.
I often get asked the question, "What are the risks around social media?" The answer is multifaceted, as there is now an emergence of a complex mix of technologies and mediums present in social media environments. With unified communications gaining more traction, the integration with social media is just around the corner: for example the seamless and intuitive connection between enterprise systems such as Outlook with social media elements such as Twitter, LinkedIn, and Facebook, creating a complex but interesting security architectural element to consider.
Data dissemination and its boundaries also now become a greater challenge, and the risks around regulated and personal data have caused much excitement within security managers' circles across the globe.
Social media is now no longer restricted to your PC - the technology is available on smartphones, PDAs, tablets, PCs and just about anything that has the ability to transfer data or be part of a network. This creates new avenues for malware propagation, bringing concerns about availability and information theft.
Social engineering is still a big concern, attracting privacy, identity theft and fraud worries. There is still no real concept of authentication in these environments, and human beings are generally trusting by nature.
However, we understand the benefit of operating business in social environments: business is a social activity and the informal tone of social media communication does bring benefits, such as the promotion of deeper relationships, mass communication, positive marketing and extended networking opportunities.
This fluid nature of communication is a double-edged sword and also brings with it reputational risk. The fact that your staff are now representing the firm in an informal sense can lead to inappropriate exposure of opinion and, by default, association with the firm.
So who owns the risks?
It is the role of the business to assess the benefits of marketing and communications via social media and to what depth the integration and automation between existing technology systems and these environments should exist. The risk appetite is firmly set by the business and all business risks are owned by the firm, although the management of that risk may be delegated to security teams.
Finally, as Deloitte's head of security, I am here to make complex business technology tools and environments accessible and less risky for the firm's operation. Social media is now a lucrative way for Deloitte to build its business and profile and we must embrace it by being innovative in our security thinking and using our security expertise to reduce risk.
Outright ban puts social media beyond policy control
John Colley, managing director EMEA, (ISC)2
The problems reported with Ping highlight what has, up to now, been the lesser recognised risk associated with social networking. Much has been made of the risk of employees sharing sensitive information, trade secrets or even just making their employers look bad with their antics on social networking sites.
Less understood are the technical risks that are developing with these sites. They are becoming the favoured playground for spammers, clickjackers, and botnet administrators, particularly those, like Ping, that have a high public profile. Malware picked up by a computer visiting one of these sites can invade any network to which the computer is or later becomes connected.
Understanding the risks will involve understanding the context in which social networking takes place. A policy that bans social networking during working hours, for example, will not cover the executive that takes his computer home in the evening, and perhaps lets his son or daughter hop onto Facebook or Ping before bedtime. Children's use of parents' work computers is something our members observe frequently in their volunteer outreach to schools for the Safe and Secure Online program.
Who owns the risks? This is probably the most important question here. The answer, like all security risks, will depend on the context of the organisation and should cover all stakeholders, from the user to the CEO. The security professional must take account of the vulnerabilities introduced and should review whether technical and policy controls are sufficient. This will put the spotlight on the attention paid to endpoint security, and makes a case for supplementing infrastructure with application-based firewalls.
That said, it will be what happens at a policy level that will have the biggest effect on risk mitigation. Banning social networking altogether will push it underground where no-one can track the vulnerabilities. Educating and working with employees will foster the understanding required to develop the policies everyone can buy into.
Content-based risks trickier than technological threats
Andrew Walls, research director at Gartner
The massive popularity of social media has surprised many security teams. Unfortunately, when surprised, many security managers and business leaders react by battening down the hatches and denying all access. In the case of social media, this default to deny approach is neither appropriate nor effective.
Generally speaking, the risks associated with social media use can be clumped into two groups: technological threats and content-based threats. The technological threats are the obvious risks such as malware distribution and infection. Content-based risks include inappropriate distribution of intellectual property or offensive content, phishing, retention of business records and revelation of private or confidential information in a public setting.
The technological threats are not unique to social media. The viruses, worms and cross-site scripting exploits that propagate in social media are common to all forms of web traffic. As a consequence, these threats are well known to the purveyors of anti-malware solutions and endpoint protection suites. Organisations should look to their regular suppliers of these products to manage social media technology threats.
Content-based threats are more difficult to prevent or detect using automated systems. Fundamentally, content-based threats are shared by all forms of human communications. We see similar risks in e-mail, phone calls and conversations over coffee. Control of content threats is achieved by influencing the communications behaviour of employees across all forms of communication, not just social media. This is the province of corporate governance administered by the human resources organisation, legal counsel and personnel managers. The IT security team can assist to a limited extent, but responsibility lies with the people and organisations in charge of corporate communications.
Social media is a form of software as a service (SaaS). The popular systems - such as Facebook - are available from just about anywhere on the internet. This creates a serious problem for any organisation that thinks blocking access from work will prevent security problems from social media. Employees can access social media from home or a handheld device, after all. Blocking access at the work site prevents the corporation from observing and supervising employee use of social media, but it does not lessen the security risk.
A number of solutions are available from suppliers such as Socialware and Facetime Communications that enable the organisation to provide controlled, filtered and monitored access to the three most popular social media outlets (Facebook, LinkedIn and Twitter). These solutions enable fine-tuned access control to social media features, filtering of content uploads and the capture and retention of business communications. Security teams should also avail themselves of social media monitoring, analysis tools and services to discover information posted in public environments that relates to the security of the corporation.
At the end of the day, "just say no" is not an effective strategy for social media security. The only way to control social media use is to enable use through a monitored and filtered channel that is backed up by a social media monitoring and analysis programme to detect breaches and emerging threats.
The fundamental issue is not the technology but the information
Raj Samani, ISSA UK
Social media applications represent a dramatic change in the way businesses generate additional revenue, and this view is shared by three out of four organisations (from an interview of 1,000 organisations across 17 countries) according to a recent report from Purdue University. However, with the offer of such riches come significant risks; a reported six out of 10 organisations experienced a security incident as a direct result of such applications, with the average loss reported for a large organisation at $4.5m.
The primary cause of such losses was virus and malware infections, with one-third of interviewed organisations experiencing virus infections. However, infections are not the primary cause for concern, with data leaks, the potential for an increase in spam, and exposed entry points ranking high on the list. Such concerns have resulted in many organisations blocking access to social media applications, and subsequently blocking access to new revenue streams at a time when many organisations are struggling to stay afloat. The adage that security is a blocker to business is never truer than in the binary decisions being taken today. However attractive a new opportunity is, there will always be a risk that is deemed unacceptable.
In the case of social media, the risk of allowing employees access will be borne by the business; the employee, however, will continue to use such applications either at home, or more than likely using their smartphone in work hours or, worse still, breaching policy and finding a way to circumvent controls on company equipment.
The fundamental issue with social media is not the technology but information; ensuring that users understand the value of information and the risks is key to reducing the overall risk to the business. Failure to develop this understanding will only result in a similar question being asked in the future: is technology 'X' a security problem? Just as a few years ago the question was "is e-mail/internet/etc. a security problem?"
A recent presentation delivered by a very well-known CISO stated that "the social media cat is well and truly out of the bag", and organisations are facing the risks of social media even if they don't know it.
Can the business justifiably manage something that is social and organic?
Dani Briscoe, services manager, The Corporate IT Forum
The rise of social media in the corporate world is leading to many organisations simply shutting down access as a form of control rather than leveraging the potential benefits. The Forum has seen a noticeable increase in use amongst the membership - in 2009 members were interested in social networking technologies but in a more theoretical and less concrete way than now.
Members are now hitting on more tactical solutions to specific problems, for example using Twitter to notify of service outages. A large part of this appetite is driven by marketing functions and the business wanting greater access to Facebook, LinkedIn and various in-house flavours of the same. For many IT groups, trying to prevent this clamour is akin to deploying Canute to hold back the tide.
Nevertheless there must be more to gain than lose from the onward march of these technologies. Security is often the stake in the ground to which IT ties itself; and yet, as any sophisticated information security professional will attest, it is a matter of managing risk rationally.
Members have identified privacy, phishing, data loss, identity theft, social engineering and file sharing as risks that they are facing with social networking technologies. In our recent workshops - "Social networking - friend or foe?" and "Corporate access to social network sites" - reputational damage, loss of data and an increase in malware and virus frequency were discussed as the most harmful and those that need to be mitigated first. There is also a concern around time wasting by employees spending time on these sites over and above what may be classed as acceptable.
Managing these risks is a constant balancing act between protection and business requirements. In our social networking Reality Checker Survey, conducted in August this year, members overwhelmingly voted that the business should own any content present but that IT should own the 'security' of these sites. User awareness is something that all IT security professionals push and strive for but continually sending the same message can lead to a workforce deaf and blind to the risks and implications.
Acceptable Usage Policies are also being used in those instances where access to these sites is managed; members that do regulate access use a three-pronged strategy of policy, policing and prevention. Although this can lead to the strange dichotomy where users are denied access but there is a corporate presence on the social networking site.
To mitigate the risks of employees taking part in uncontrolled and external social networking, a growing number of members are providing an internal version of Facebook or using other services, such as Yammer, which can be restricted to an internal audience. This is gaining favour with many IT departments but is it ultimately missing the point of social networking? Does restricting its use internally simply reduce it to a richer form of e-mail or instant messaging?
Discussion continues over whether social networking can or indeed should be controlled. The very term implies that it's not a corporate area so can IT or the business justifiably manage something that, by its very nature, is social and organic?
Individuals must understand the value of their personal information
Mike Westmacott, member of BCS Security
Whether we use it and like it, or not, social networking and media systems are here to stay. There are a number of different varieties with the common concept that it is the end users that provide the content that is served up to other users.
As with all systems, the organisations that produce them have a duty of care to create applications that are secure with regards to their operation - among many issues they need to ensure that access controls are properly designed and implemented, that the users are protected from malicious content such as cross-site scripting, and that information which should not be public is kept confidential.
On the other side of the firewall there exists responsibility too - that users must be aware of their own personal attack surface and manage how much information they reveal about themselves and their peers. With every piece of information we place online we expose ourselves further, and without care this information can be combined and used against us in a variety of ways.
The organisations that produce social networking and media websites clearly see value in the information that we entrust them with, whether that be directly, such as the CVs on LinkedIn for which access to all users' details may be purchased, or indirectly, such as Apple's Ping which serves as a marketing tool for iTunes.
The issue of data mining for advertising and product development is also prevalent, as happens in the physical world with loyalty cards. If we were to be prevented from uploading our lives, then the value of these businesses would surely be diminished - along with the value that they bring to us.
What we must consider is the trade-off when using such services: in order for our online lives to be enriched we must sometimes expose ourselves. To protect the individuals who use social media and networking we need to provide information to allow them to understand what that trade-off is by understanding the value of their personal information.