How to protect your organisation in the era of social networking
Social networking and security: it’s a combination that many companies think just doesn’t mix well. Unfortunately, banning social networks won’t work long term, and handing out corporate guidelines and hoping for the best does little to calm management worries. Neither approach gets at the fundamental security issue of social networking: in a “social” world, security starts and ends in the hands of the individual.
The popularity and adoption of social networking and messaging platforms have been driven by a sometimes false sense of connectedness and intimacy. As individuals interact, they consider social networks to simply be broader, more virtual versions of their social lives. This is dangerous, because in reality, they aren’t.
In social networking, we can’t depend on the same cues to establish trust. In real life, we rely on personal interaction — not the number of links we have in common — to decide whether to recommend someone to a colleague or discuss a work project. As has been true for years on the Internet, it is very hard to know with certainty who you are communicating with and what their motivation is.
Protecting corporate information, preventing network hacks, and lowering the risk of malware all come down to teaching employees to stop trusting the sense of intimacy they instinctively feel on social networks. It is essential to help them learn that people online aren’t necessarily who they think they are, and to teach them to be savvy about these new social links rather than blindly trusting them.
This kind of understanding can seem abstract, but it can be developed through practical steps and lessons:
• Learn to respect the power of information: Teach employees to be aware of how simple it is for someone to gather and abuse their personal information. Everyone avoids the well-known email scams, but we aren’t nearly as savvy about the scams that can lurk behind an email invite containing a pointer to, say, a local college alumni group on Facebook. Such an email can be personalised, or based upon knowledge about you, which makes it seem real. That illusion, and the ease with which the information is gathered, are at the root of the problem.
• Learn to verify the link: Get people sensitised to the difference between the text (what you see) and the target (where you are sent) in the hyperlinks found in emails or pointers. One way I do this is to train employees on how to send emails with hyperlinks in them. When they send an article to a colleague, they describe the topic of the link, explain where it comes from, and then they paste the actual link in their message.
• Create boundaries: Remind employees about the danger of engaging in their personal online interactions while at work. Banning social networks is impractical, but using interactive apps such as video, social networking and chat while at work can have unintended consequences. Encouraging discretion around the use of different social networking tools, based upon the environment, can help people prevent accidental disclosures and missteps.
• Learn to verify the connection: Teach employees to be more careful about their connections. People trust that because someone reaches out to them for a friend or connection request, they are who they say they are. But what if someone has created a false persona or isn't trustworthy? If someone I’m linked to asks me for a favor, such as a recommendation, I’ll get on the telephone to call them, to first validate their identity.
• Learn to disconnect: Explain to employees the detailed picture they create when they provide information through different accounts, whether Google+, Twitter, LinkedIn, or Facebook. Assembling, or mashing up, this information isn’t hard, and simply posting from a single ID or persona for your personal and professional lives isn’t safe, as it paints a picture that’s easy to exploit. On LinkedIn, I’ll provide a detailed history of my professional career, but if I comment on a blog about my personal opinions or hobbies, I don’t use a username that can be linked back to my professional data.
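The “verify the link” lesson above (visible text versus actual target) can also be checked automatically on inbound mail. The following is an added example, not code from the original article: it parses the anchors in an HTML email body and flags any link whose displayed text names one host while the href points somewhere else. The sample email body is constructed for illustration; the hostnames in it are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Display text that "looks like" a URL, e.g. "facebook.com/groups/alumni" or "https://..."
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname without a leading 'www.'; bare 'host/path' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_deceptive_links(html):
    """Return anchors whose visible text claims a different host than the real target."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href):
            findings.append({"text": text, "href": href,
                             "shown_host": host_of(text), "real_host": host_of(href)})
    return findings


# Constructed sample: an "alumni group" invite with one spoofed link and two honest ones.
SAMPLE_EMAIL = """<p>Join your classmates:
<a href="http://login-verify.example.net/fb">https://www.facebook.com/groups/alumni</a><br>
<a href="https://www.facebook.com/groups/alumni">facebook.com/groups/alumni</a><br>
<a href="https://www.linkedin.com/in/someone">my LinkedIn profile</a></p>"""
```

Descriptive text such as “my LinkedIn profile” is not flagged, since it makes no claim about the destination; only text that asserts a host is compared against the real one.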
Traditional security practices, such as encouraging employees to connect through secure networks or use strong passwords, are important steps in managing risk, but the allure and potential of social networks add a new dimension of necessary awareness for your employees and organisation. Remember to keep your users informed and aware, and to remain secure, by helping them to see their social networks through clear, not rose-colored, glasses.
The author is Business Unit Executive, Security Solutions,