Social networks - what are risks and implications for IT security?
Social networks such as Facebook, LinkedIn and Twitter have become an integral part of everyday life. These sites are 21st century phenomena, though, along with that promise and opportunity come risk and implications when users access these networks from the office and share information about themselves.
Social networking is viral and, in some cases, anonymous in nature, leading to social sites being viewed as fertile targets for hackers and criminals alike. Reasons being that social media itself allows the users to personalize their online identity and easily share information.
lack of visibility and control
Many organizations have limited or no control of social networking. Reference to this link. This might stem from ignorance of the technology or simply a naive approach to protect the organization from social network perils. These organizations usually use URL filters to either allow complete access to a site and every bit of content therein – or fully restricted access.
The problem lies in identifying and controlling what users access once they get onto the site, including inappropriate material and compromised documents. Most organizations lack the ability to see and analyze content once users are on the site in order to enforce policy at that level.
broadening attack surface
People have a misconception that malicious code is only coming from the dark abyss of the web, like pornography or gaming sites. How wrong this is: according to the Websense State of Internet Security, Q1-Q2 2009 survey, almost 80% of the malicious codes come from legitimate sites. Traditional security mechanisms are defenseless against these threats.
They have “mutated” into such sophisticated states that they are able to slip through the gaps of anti-virus and URL filters. These could result in a user downloading a malware application that can uncover a company’s trade secrets.
potential for data loss
Social networking is about making connections and sharing experiences and information, however, sometimes that information is not meant to be made public. It is not uncommon that users intentionally post confidential information on the site. Imagine a software programmer inadvertently posts a proprietary software code to social networking sites, disclosing intellectual property. All these could seriously impact the organization’s reputation or even put the company at the competitive disadvantage.
needing a unified organizational approach
A unified approach is the best way to ensure a comprehensive protection against what social network throws at the organizations. Organizations today need to find new ways to leverage the power of Web 2.0 without worrying about malware, inappropriate content disclosure of sensitive information.
These should include user security awareness training which should also cover the common social network malware scams and social engineering techniques used to procure personal or login information. Of course the use of strong passwords should be mandatory. Web monitoring tool should also include DLP tool that prevent accidental or intentional data disclosures.
Ultimately, social networking is here to stay, in personal and business domains; IT executives need to think hard when it comes to maximizing the potential benefits of social networking and minimizing the risks.
Who says life is easy?