Social Media Policies Protect Benefits, Reduce Threats

Social media policies are a hotly debated topic. Many organizations flat out block access to popular social networking sites such as Facebook and Twitter, or allow very limited access to these sites outside of traditional business hours. On the other end of the spectrum, some organizations have an open access policy, allowing employees to interact with any site at any time. Advocates of each of these approaches are fierce in the defense of their respective policy and stance on social media. Each camp has salient and valid points.

Social media has incredible value in terms of the relevance and timeliness of content, and, despite much clamoring to the contrary, it is an incredibly useful business medium.

For instance, Twitter is the most current and up-to-date source of breaking news today. Much of what used to be consumed through blogs and RSS feeds now hits Twitter long before it appears in any of these other media. In fact, many prominent industry bloggers no longer blog, but tweet exclusively. If Twitter is blocked in an enterprise, employees will miss out on an immense swathe of relevant news.

In addition, Instant Messaging and social media are the primary methods of communication for many employees, and in many cases, surpass email usage. With the consumerization of IT and blurred boundaries between business and personal contacts, Instant Messaging allows users to sync up with a business contact easily, whether it’s through Facebook chat, Google+ or a Twitter direct message, during or after business hours. The medium is irrelevant; the communication is key.

Finally, today’s workforce is incredibly mobile. Between travel, working remotely, being on-site with a client or visiting another corporate office, executives today depend on various forms of social media that they can access anywhere via any device. It has become integral to how they work, and completing their job without this mobile capability would be incredibly difficult, if not impossible.

With the waves of millennials entering the workplace, the amplification of these needs and reliance on social media is easily understood. Social media is to these knowledge workers a tool in the vein of what the telephone was to many Gen X employees. It is their lifeline; they have grown up in an always-on, always-connected world where they can socialize ideas and topics with peer groups that they trust. When corporations ban all access to social media, they take away the tools of today’s young and innovative work force.

However, aside from the great benefits social media offers, it does introduce a myriad of risks to the enterprise.

Exploiting Trust, Complexity
If a hacker can exploit an individual, they can now take down an enterprise. The human element has always been the weakest link in security, and within a paradigm where peers and friends connect, influence decisions and share information, trust is paramount. It is this very trust that malicious users and attackers exploit, and social media provides a convenient, real-time and widely adopted channel for such attacks.

Social engineering, or the manipulation of people, is an incredibly difficult attack vector to defend against. An essential arrow in the quiver of an effective social engineer is a detailed profile of a target: the more information and familiarity a would-be social engineer can amass on a potential target, the better equipped she is for success in her endeavors. Social media is a goldmine in this respect, and even false relationships can be built to further garner trust.

Apart from profiling employees and organizations, the trust relationships inherent to social networking are exploited in other creative ways by attackers to carry out older exploits via a new medium. The malware of the past propagated via email, infecting a compromised host and spreading by emailing itself from the host user to that user’s entire contact database. Malware today spreads similarly via social media, with many examples of compromised social media accounts posting to their friends lists and contact databases with enticing headlines and content. Major social media players, such as Facebook, Twitter and LinkedIn, have all unwittingly propagated malware in this fashion. The same logic applies: one inherently trusts a friend more than a stranger, and is more likely to click on the posted link.

This risk of a compromised corporate network increases exponentially when one considers the plethora of third-party plug-ins and apps that grow in viral popularity on an almost daily basis. The federation of such code and the linking of multiple social media profiles to one another dramatically increase the attack exposure, and in many cases rely on security controls in software that is not core to the provider in question. Complexity has always been the enemy of security, and this level of interconnected complexity does not bode well.

Weigh the Risks, Benefits
Given both the positive aspects and the drawbacks to social media, which approach to social media is best?

The answer, as with most security issues, is that there is no single solution that is applicable across all organizations. In each case, the enterprise risk profile must be weighed against the relevant security policy and risk assessment, as well as the benefits social media offers to the company.

In most cases, neither of the extreme cases is ideal; a middle ground should exist. Companies should be able to protect themselves and their employees without limiting access to tools.

Technologies and processes are available today to allow access to social media while limiting specific components and plug-ins. For example, one can elect to permit access to Facebook but block certain third-party apps, such as FarmVille, or even the chat function. Such policies can also be applied granularly: to specific users, during certain time frames, or any combination of the above.
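To make the granular policy described above concrete, here is an added example (not code from the article or from Dimension Data) of a small first-match-wins policy evaluator: it allows a site as a whole while blocking particular functions, and it scopes individual rules to user groups and to a time window. The host names, URL paths for the "apps" and "chat" functions, group names and sample requests are all constructed for illustration and are not a real product's rule set.

```python
"""Granular social media access policy: allow a site, block selected functions,
scope rules per user group and per time window. First matching rule wins;
anything unmatched is blocked (default deny).
Illustrative example; hosts, paths and groups are constructed, not real policy."""
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from typing import FrozenSet, Optional, Tuple
from urllib.parse import urlparse


def in_window(t: time, start: time, end: time) -> bool:
    """True if clock time t falls in [start, end); a window may cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end          # e.g. 22:00-06:00


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "block"
    host: str                                     # hostname glob, e.g. "*.facebook.com"
    path: str = "*"                               # URL path glob, e.g. "/apps/*"
    groups: Optional[FrozenSet[str]] = None       # None = applies to every user
    window: Optional[Tuple[time, time]] = None    # (start, end); None = always
    note: str = ""                                # human-readable reason for audit logs

    def matches(self, host: str, path: str, groups: FrozenSet[str], now: datetime) -> bool:
        if not fnmatchcase(host, self.host):
            return False
        if not fnmatchcase(path, self.path):
            return False
        if self.groups is not None and not (groups & self.groups):
            return False
        if self.window is not None and not in_window(now.time(), *self.window):
            return False
        return True


BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Ordered rule list (constructed example). Note "*.facebook.com" matches any
# subdomain; add a bare "facebook.com" rule too if the proxy sees the apex host.
POLICY = [
    Rule("block", "apps.facebook.com", "*",
         note="third-party apps (games etc.) blocked for everyone"),
    Rule("block", "*.facebook.com", "/ajax/chat/*",
         groups=frozenset({"engineering"}), window=BUSINESS_HOURS,
         note="chat blocked for engineering during business hours"),
    Rule("allow", "*.facebook.com", "*", note="rest of Facebook allowed"),
    Rule("allow", "twitter.com", "*", note="Twitter allowed"),
]


def decide(url: str, groups, now: datetime, policy=POLICY) -> Tuple[str, str]:
    """Evaluate one request; returns (action, note). Unmatched requests are blocked."""
    parts = urlparse(url)
    host = parts.hostname or ""               # hostname is already lower-cased
    path = parts.path or "/"
    groups = frozenset(groups)
    for rule in policy:
        if rule.matches(host, path, groups, now):
            return rule.action, rule.note
    return "block", "no matching rule (default deny)"


def decide_at(url: str, groups, hour: int, minute: int = 0) -> str:
    """Convenience wrapper: evaluate at a fixed (constructed) date and the given clock time."""
    return decide(url, groups, datetime(2024, 1, 15, hour, minute))[0]


if __name__ == "__main__":
    # Constructed sample requests showing site-level allow with function-level blocks.
    samples = [
        ("https://www.facebook.com/company/page", {"marketing"}, 10),
        ("https://apps.facebook.com/farmville/", {"marketing"}, 10),
        ("https://www.facebook.com/ajax/chat/send", {"engineering"}, 10),
        ("https://www.facebook.com/ajax/chat/send", {"engineering"}, 20),
        ("https://www.facebook.com/ajax/chat/send", {"marketing"}, 10),
        ("https://example.net/", {"marketing"}, 10),
    ]
    for url, groups, hour in samples:
        action, note = decide(url, groups, datetime(2024, 1, 15, hour, 0))
        print(f"{hour:02d}:00 {sorted(groups)} {url} -> {action} ({note})")
```

Because rules are ordered and the first match wins, the specific "block" rules must sit above the broad "allow" for the same host; the default-deny fallthrough means a new site or subdomain is closed until a rule explicitly opens it, which is the safer failure mode for a policy enforced at a proxy.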

The key to a beneficial social media policy is to understand the usage patterns and the business case, understand the risks, and weigh these appropriately to make the best decision for the business as well as the user base. Decisions will vary according to a number of different factors that may include, but are not limited to, the size of the company and whether the company is public or privately owned. Enterprises must protect their businesses, but at the end of the day, communication is key, and overly restrictive policies that are an impediment to this communication flow will inevitably be broken.

Nicholas Arvanitis is principal security consultant for Dimension Data Americas, the $4.7 billion global ICT services and solutions provider. With more than a decade of IT security experience, Nick specializes in security assessment and penetration testing. He can be reached at [email protected].