Social media: A security challenge and opportunity

Generation Y workers are posing increasing security challenges to their employers as they share data unreservedly

This article can also be found in the Premium Editorial Download: CW Europe: The security risk sweeping Europe

New and recent entrants to the global workforce are posing increasing security challenges to their employers as they mix personal and private lives.

Nowhere is this more evident than in the use of social media, often accompanied by a low regard or even total disregard for privacy concerns.

Some 91% of Generation Y students and workers believe the age of privacy is over, while a third are unconcerned about the data that is captured about them, according to the latest Cisco Connected World Technology Report.

“More Generation Y workers globally said they feel more comfortable sharing personal information with retail sites than with their own employers' IT departments,” says Cisco.

This attitude is at odds with business concerns about the disclosure of commercially sensitive information through social media to potentially hundreds of millions of Twitter and Facebook users.

In Europe, concerns about privacy linked to security are particularly acute, as evidenced by proposals for a new cyber security directive that link privacy and security.

The proposals aim to impose EU-wide reporting requirements on companies that run large databases, including social networking firms.

Although the final wording of the directive remains to be seen, the proposals are a good indication of just how seriously European authorities view data breaches.

Threats associated with social networking

But not only is social networking a threat to a company’s security because of what employees might disclose, but also because social networking sites are a prime target for cyber criminals.

According to the Cisco 2013 Annual Security Report, the highest concentration of online security threats are on mass audience sites, including social media. The report revealed that online advertisements are 182 times more likely to deliver malicious content than pornography sites, for example.

The ability of individuals to share information with an audience of millions is at the heart of the particular challenge that social media presents to businesses. In addition to giving anyone the power to disseminate commercially sensitive information, social media also gives the same power to spread false information, which can be just as damaging.

The rapid spread of false information through social media is among the emerging risks identified by the World Economic Forum in its Global Risks 2013 report.

The report’s authors draw the analogy of shouting “Fire” in a crowded cinema. Within minutes, people can be trampled to death before a correction can be made to the message.

In addition to giving anyone the power to disseminate commercially sensitive information, social media also gives the same power to spread false information

There have been several incidents over the past year where false information transmitted on the internet has had serious consequences, according to the report. 

For example, a fake tweet by a someone impersonating the Russian interior minister, claiming that the Syrian president had been killed or injured, caused crude prices to rise by over $1 before traders realised the news was false.

Harnessing the power of social media

The unprecedented reach of social media is something companies cannot afford to ignore because of the positive and negative effect it can have on the business.

Its power must therefore be recognised and managed. In the UK, BT is one firm that has done just this. Its customer service team runs a sophisticated social media operation across the most popular services.

The strategy is helping BT improve its reputation for customer service, and producing a clear return on investment for the business, according to Warren Buckley, managing director for customer services at the telco.

BT has created its own software to trawl social media services for references to the company, he told CIOs and IT leaders at a meeting of Computer Weekly’s 500 Club in 2012.

The results enable BT to respond quickly to complaints and queries, and the technology is paying for itself by helping BT retain customers, who could otherwise defect to rivals, said Buckley.

BT is also harnessing the power of social media in other ways. During the London riots, for example, BT turned to social media to help ease the strain on the 999 emergency line.

“We tweeted, ‘Only call 999 in an emergency', and within 15 minutes we were back to answering calls within three seconds and the number of calls dropped off,” said Buckley.

Like BT, investment bank Investec has technology in place to measure sentiment on the internet by picking up any mentions of the bank in social media, mainly for marketing purposes.

However, it forms part of the bank’s strategy to reduce the risk of social media becoming an insider threat to information security.

The other technology piece is a granular firewall to limit social media activities based on the user's role in the organisation.

Manage social media with policies and technology

The most important part of Investec’s social media security strategy is awareness of its policies designed to ensure regulatory compliance and to prevent commercially sensitive information leaking.

The bank’s social media policy comprises just 10 bullet points that make it clear to staff what their obligations are every time they publish something online.

“There is no way organisations can hold back the flow of social media, so it is better to put policies and technologies in place to manage it,” says David Cripps, information security officer at Investec.

There is no way organisations can hold back the flow of social media, so it is better to put policies and technologies in place to manage it

David Cripps, Investec

“Organisations need to understand social media; they need to accept that it is not going away, and if they allow it, they need to monitor for any immoral, illegal, offensive content, and be able to stop it immediately if it occurs,” he told attendees of the Gartner Security & Risk Management Summit 2012 in London.

Companies that recognise the value and threat of social media have demonstrated that success is achieved through empowering staff to undertake social media on behalf of the organisation in line with a comprehensive policy backed up with continual training.

However, companies should also recognise that analysis of the information in social conversations can produce security intelligence to improve security processes and enhance performance, according to Gartner analyst Andrew Walls.

“Analysis of public conversations can identify imminent, credible threats of physical or logical attack,” he wrote in a 2012 Gartner paper entitled Security Tools for Control of Social Media.

Wall also cautioned against attempts to block access to external social media because they have proved to be ineffective at controlling risks and impede the development of enterprise social media initiatives.

“Unfortunately, organisations that block access to social media rarely analyse social content for security intelligence and remain ignorant as to the risk and potential of social media,” he said.

Image: iStockphoto/Thinkstock

Read more on Privacy and data protection

Data Center
Data Management