Social media security: Three things to do, and three to avoid

Social media is sometimes regarded as a double-edged sword.

On the one hand, short of getting all your customers, vendors, employees, partners and prospects together in one room, there is no better way to interact directly with key people quickly and effectively. And should you ever try the all-together-in-one-room idea, it would get out of control very quickly: social media makes keeping track of interactions far more manageable, and the Internet allows a variety of multimedia to be used and shared during any interaction. In this regard, one edge of the social media sword makes it a very useful business weapon.

The other edge of the sword is that social media is still a vast, uncharted, constantly changing environment, which makes it difficult for companies to ensure it is used safely and productively. Without proper measures in place to guard corporate data, secure connections and protect against the increasingly common malicious attacks that arrive via these channels, social media can quickly become a losing proposition for any organisation.

However, the fact of the matter is that plenty of companies use social media regularly, and to great effect. Similarly, more companies are accommodating 'generation standby' employees, who expect to lead their social lives online throughout the work day in exchange for being expected to respond to work requirements after hours. There are still potential pitfalls, but the many corporations that have allowed social media use have clearly not suffered for it, which means they must have found ways to dull the problem edge of the social media sword. What is the key to making social media safe and effective?

Three things you definitely should NOT do:

  1. Create a new rulebook: The first thing to know about social media security is that, at its root, it is still web security. Many of the same best practices that work for effective web and email security work well for social media security. Perhaps the only meaningful difference is that social media security requires a stronger emphasis on outbound security: social media, after all, is much more of a two-way street than typical Internet browsing. Content inspection and filtering on the upload side of the connection, so that what leaves the company is checked before it is posted, is worth investing in so that corporate data stays where it should.

  2. Expect IT to do it all: Even the best IT team cannot understand the full requirements of every department in your organisation. Just as you would with other security policies, enlisting managers from various departments has a dual benefit: a) the nuances of HR confidentiality or financial compliance regulations, for example, are integrated into a more complete security policy, and b) the IT department is not over-burdened by being forced to judge what is acceptable or unacceptable behaviour, and to make decisions that paint them as either 'over-protecting' the business and stifling the free flow of information or 'under-protecting' it and allowing serious breaches to go unblocked. Share the load. Be more protected.

  3. Block it and forget it: Blocking specific URLs works in some cases, but it is not a silver bullet, and this holds even truer for social media, one of the most rapidly evolving technology sectors today. Take Facebook and Google, for example. Your company might not like the idea of allowing full access to Facebook, but might think Google applications are fine. Yet Google has experimented with a set of more social applications, most notably the now-defunct Google Buzz, which offered many of the same functions as Facebook. Blocking one site like Facebook might solve your problem one day, but before that day is out a rival site or service might launch with similar functions. A URL blocklist also says nothing about what is being posted to the sites it does permit. Rather than wholesale blocking of sites, focus on security policies and systems that look at the actual content being shared.

Three things you absolutely should do:

  1. Be clear: IT security has always had a mystique about it, as if it were best conducted in secret by people who might actually use the phrase "you're on a need-to-know basis". This is an outdated, ineffective way of approaching security. A UK retail giant had a hard time dismissing an employee over a blog post it claimed had damaged the company's reputation, because he defended himself by pointing out that the company had no clear policy on blogging. If the point is to keep problems from occurring in the first place, then making social media, web, email and other security-related policies clear to employees is the more logical path. Bring security out of the black box.

  2. Be granular: Blanket security policies generally don't work, and for social media even less so. Many companies assign ownership of interactions on particular channels: one person for Facebook, another for customer forums, another for LinkedIn, for example. Not only might these people need network privileges that others don't, but the company might choose to share different kinds of data on LinkedIn than on Facebook. Different people. Different roles. Different sites. Different channels. They all require different rules.

  3. Unify and simplify: We love smartphones because they let us do so much from one device: talk, text, surf the web, email, listen to music, even access social media applications. Where possible, don't complicate the management of security across web, email, remote workstations and social media policies by keeping track of a different system for each. Increasingly common are unified solutions that federate content-inspection and encryption policies in one place and produce reports and new policies in real time across all digital communication channels.
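To make three of the points above concrete (outbound content inspection from "Create a new rulebook", the weakness of URL blocklists from "Block it and forget it", and per-role, per-channel rules from "Be granular"), here is an added illustration written for this article. It is not Clearswift's product or code and not from the original piece; the roles, channel names, content labels, marker phrases, codename and sample posts are all assumptions constructed for the example.

```python
"""
Outbound content inspection for social media posts, with a per-role,
per-channel policy, compared against a plain URL blocklist.
Added illustration only: roles, channels, labels, markers and posts are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- 1. Content classification: the "upload side" inspection -------------

# 13 to 19 digits, optionally separated by spaces or dashes (card-number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed internal classification markers that should never leave the company.
MARKER_RE = re.compile(r"\b(?:INTERNAL ONLY|CONFIDENTIAL|DO NOT DISTRIBUTE)\b", re.I)
# Assumed unreleased project codename; in practice this list would be managed.
CODENAMES = {"Project Kestrel"}


def luhn_ok(digits: str) -> bool:
    """Luhn check: cuts false positives from order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Label a post by the kinds of data it carries; 'public' is the baseline."""
    labels = {"public"}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("card_number")
    if MARKER_RE.search(text):
        labels.add("confidential")
    if any(name.lower() in text.lower() for name in CODENAMES):
        labels.add("codename")
    return labels


# --- 2. Granular policy: who may send which labels through which channel ---

@dataclass(frozen=True)
class Post:
    author_role: str        # assumed roles: marketing, support, finance
    channel: str            # assumed channels: facebook, linkedin, forum
    destination_host: str   # host the post is actually being sent to
    text: str


# (role, channel) -> labels allowed out. Anything not listed is denied.
# Assumption: marketing may name the project on LinkedIn but not on Facebook.
POLICY: dict[tuple[str, str], set[str]] = {
    ("marketing", "facebook"): {"public"},
    ("marketing", "linkedin"): {"public", "codename"},
    ("support", "forum"): {"public"},
}


def content_policy_decision(post: Post) -> tuple[bool, str]:
    """Allow only if the role has a rule for the channel and nothing else leaks."""
    allowed = POLICY.get((post.author_role, post.channel))
    if allowed is None:
        return False, f"no policy grants {post.author_role!r} access to {post.channel!r}"
    leaked = classify(post.text) - allowed
    if leaked:
        return False, "blocked: " + ", ".join(sorted(leaked))
    return True, "allowed"


# --- 3. The URL blocklist the article warns about --------------------------

BLOCKED_HOSTS = {"facebook.com", "www.facebook.com"}


def url_blocklist_decision(post: Post) -> tuple[bool, str]:
    """A blocklist only knows hosts; it is blind to content and to new sites."""
    if post.destination_host in BLOCKED_HOSTS:
        return False, "host is on the blocklist"
    return True, "host not on the blocklist"


# Constructed sample posts (not real data).
SAMPLE_POSTS = [
    Post("marketing", "linkedin", "www.linkedin.com",
         "Excited to share a first look at Project Kestrel next week!"),
    Post("marketing", "facebook", "www.facebook.com",
         "Excited to share a first look at Project Kestrel next week!"),
    Post("support", "forum", "community.newsite.example",   # a site nobody has blocked yet
         "Sorry about that, I've refunded card 4111 1111 1111 1111 for you."),
    Post("finance", "linkedin", "www.linkedin.com",
         "Q3 numbers attached. INTERNAL ONLY."),
]

if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        c, u = content_policy_decision(p), url_blocklist_decision(p)
        print(f"{p.author_role:>9} -> {p.channel:<8} content: {c}   urlblock: {u}")
```

The third sample post is the one to look at: a support agent pastes a customer's card number into a forum on a site that launched yesterday. The URL blocklist lets it through, because the host is not on the list; the content policy stops it, because `card_number` is not an allowed label for that role on that channel. The same marketing post is allowed on LinkedIn and blocked on Facebook purely by the per-role, per-channel rule. Note the caveat that a Luhn check alone still passes roughly one in ten random 16-digit strings, so real deployments pair it with context (nearby words like "card" or "CVV") before blocking.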

People are used to being able to live their lives online whilst at work, and to shut out the mechanism that makes that possible, social media, is not just detrimental to employee productivity and motivation but can also mean lost revenue for the company, as social media is turning into a viable sales channel. It can seem like a situation that requires new tools and new people. In reality, it just requires more of the strategies that have already proven to work: personalisation of policies, getting more people involved in decision making and the protection policy process, integrating solutions where possible, and making security policies transparent. So, as you were, people.

Phil Vasic is Regional Director, APAC at Clearswift, the software security company.
