GUEST COLUMN - Social network access in corporate environment: Restriction or awareness?

- Monday, April 18, 2011

by Ricardo Mateus, security marketing specialist - data center, security and outsourcing, Global Crossing

When we speak about 500mn people, we might well be referring to the third most populated country in the world, with a larger population than the US and Canada together. However, this is not about a nation, or at least not in the strict sense of a given geographic area. If we take into account that this impressive figure is the number of users that the famous social network Facebook reached and surpassed several months ago, we might say we are witnessing the largest virtual nation on earth.

And the number stated above belongs to just one social network (yes, believe it or not, there are other networks besides Facebook). According to estimates, if we add up the users of all social networks currently available, the number will soon hit 1bn people.

With such a huge figure, one of the questions that certainly arises is: What is the social networks' secret to reaching more than 10% of the world's population?

One answer is that the social network phenomenon has brought about a complete shift in the way we communicate, share information and keep in touch with others.

Although they have usually been associated with entertainment and recreation, social networks have proven their role as a valuable tool for generating new business. This is a key aspect that companies have embraced over time, and they have increasingly found a way to keep in touch with their partners and customers through social networks.

But there's much more. Social networks have permeated the corporate environment to such a degree that, according to studies, a high percentage of employees log into social networks during business hours.

Certainly, a study wasn't really necessary to reach this conclusion. If we assume that social networks are part of many people's lives, and that many of those people spend most of the day in an office in front of a computer with internet access, we could come to the same conclusion ourselves.

This issue has been identified by companies, many of which have stated their concern mainly because of productivity issues. But is this the only implication with respect to social network access in the corporate environment?

Unfortunately, no. From an IT security standpoint, access to social networks in the corporate environment entails several risks such as:

- Data leakage: Social network users frequently share more information than necessary, either voluntarily or involuntarily.

- Information theft: Social networks contain a great deal of information that is freely available to millions of people.

- Legal implications: The company needs to know what consequences any information published by employees on a social network may have for it.

- Malware: Social network applications serve as an entry point for various kinds of malware, in particular malware designed to phish for confidential information.

- Social engineering: Social network users, and key employees in particular, are highly vulnerable to social engineering attacks.

Bearing in mind the above, experts have understandably included social networks among today's top 10 IT security threats. What actions can be taken in this scenario?

Whether due to productivity concerns or awareness of the security risks, companies have in many cases chosen to completely deny access to social network sites. Is this really the solution, though?

In the first place, the key role of social networks can't be disregarded. According to analysts, in a few years social network services will replace email as the main communication tool for a good percentage of corporate users. This is not surprising, bearing in mind that instant messaging, often through social media, is gradually replacing email.

On the other hand, it is a fact that determined employees will use services available on the internet regardless of any control implemented to block them. A few simple examples to illustrate: Have you ever seen employees who still had access to a messenger service despite it having been blocked? Do you know of any "privileged" users in your company who, for no apparent reason, have access to internet services that are restricted for their peers? If you answered yes to either of these two questions (or anything similar to them), you will know what I mean.

But let's assume for a moment that we live in a perfect world where the controls (either technological or administrative) implemented in your company work appropriately. What happens when users leave the office and access social media sites from their smartphones, or from their homes using company-provided equipment or their own? The risks remain latent.

So if, as argued above, restricting access to social networks is not the right solution, what options do we have?

Awareness is the key. We only have to refer to the European Network and Information Security Agency's (ENISA) concept of security awareness: "High personal awareness of the risks and available safeguards has been recognized as the first line of defense for the security of information systems and networks."

Please note that awareness must be supplemented with other measures (controls, policies, etc.); without awareness, though, any other effort by a company toward information security may prove ineffective.

Returning to social networks, the following tips may be a critical starting point for an awareness campaign among users in a corporate environment (focusing in particular on those employees with access to confidential information):

- Be wise and careful with any information you publish. Restrict the amount of information you provide.

- If you did not initiate the contact and you do not know for certain who is on the other side, do not provide sensitive information about yourself or the company you work for.

- Do not publish information that you would not share with strangers, or that you would not disclose in person. Keep in mind that anything posted on the internet is publicly accessible.

- Be cautious with any application you decide to install.

- Do not use passwords that can be figured out easily.

Regarding measures that supplement awareness with respect to social media access, below are some tips to strengthen your company's security posture:

- Publish a corporate policy stating your company's position.

- Implement technological solutions that enable appropriate access control.

- Perform vulnerability analysis and penetration tests, including possible social engineering techniques.

As we have mentioned repeatedly, when it comes to information security, people are the weakest link in the chain. Therefore, it is never too late to begin awareness campaigns in your company. Remember: Information is the most important asset.