Social media sites are “very sophisticated because they are very well-packaged,” said Sizemore. “It’s very tricky because you have to manage to allow a user to use a Web site, but not access specific pieces of a Web site,” he said.
These sites can’t be tracked well and may contain vulnerabilities that are undetectable by many of the security technologies on the market. Many enterprise technologies, from Web filtering to traditional firewalls to network security devices, are inadequate to deal with these challenges, said Sizemore.
“You have to have something on the machine that is smart enough to understand there is an application within that Web site, and a lot of firewalls can’t do it today, and a lot of the typical solutions on the end points aren’t able to do it today,” he said.
The first thing IT must do is educate employees, he said. “You have to start educating employees about how to actively use IT in a safe manner from a privacy (and) confidentiality perspective, not a specific program or a specific application,” he said.
Employees must understand what confidential data is, so when they are on these sites, they understand the ramifications of what they are doing, he said. “A lot of these tools are very immature with social media today, but once we fix that social media site, there will be another … at some point, you have to start to retrain users,” he said.
“The risk with social media is all about the leakage of information,” said James Quin, lead analyst at London, ON-based Info-Tech Research Group Ltd.
While traditional risks are about people pulling data out of the organization, often by breaking into the network illicitly to steal information, social media is a push problem. And because a lot of social media is created on the fly, organizations don’t necessarily review the material, he said.
“They don’t have the time to make sure that information that shouldn’t be leaked isn’t being leaked by actively reviewing the content that is being posted, so the risk is that employees are either maliciously or accidentally sharing information that they shouldn’t,” he said.
The early technical response was to just block social media and put tools in place to disallow that kind of traffic across the network. Many organizations are still doing that, Quin said. But an increasing number of organizations are starting to make use of social media for business purposes, and in doing so, they have to open up the network, he said.
Info-Tech is starting to see more organizations take technical measures to protect themselves against social media risks, said Quin. These include exerting technical controls on employee behaviour, such as content monitoring technologies that watch and control what is happening via that social media channel, he said.
There are a few steps IT should take when developing a social media policy, said Quin. First, determine whether you really need social media in your business model. “Find out if it actually is something that you should be doing. If it’s something that you shouldn’t because you have no real need for it, ban it, because the risk is significant,” he said.
If you come to the conclusion that you need social media, the next step is to determine who needs to use it, he said. “Where possible, restrict its use to just those people,” said Quin. The third step is to make sure you put technical controls in place, like data leakage protection, which will monitor the information flow to ensure that inappropriate information is not being leaked, he said.
Social media presents two general threats to enterprises — phishing attacks and disclosure of intellectual property, said Andrew Storms, director of security operations at San Francisco-based nCircle Inc.
Most technology workers are now blending their work and personal lives, meaning they probably spend some time at work on social media sites and perform some work in their free time at home. This blending of work and personal life is making it more difficult for employees to think twice about how they are using social media at work, he said.
“The best thing to do at this point is to accept and get ahead of it,” said Storms. To get ahead, IT must “understand and recognize the fact that these things are happening all the time and everybody is participating,” and decide to address it through open conversation within the organization, he said.
One way of doing this is by adding a social media component to annual security awareness training requirements, Storms suggested. “Come forward and say, ‘We recognize that people are using computers for personal social media at work. Let us help you understand what it means to be using that in a safe and sane way,’” he said.
“If you really would like policy to be enacted and followed, you need to get out of your cube and go talk to people, because let’s face it: You can’t block everything,” he said.