Protecting Your Business From Social Networking Suicide
The pros of social networking outweigh the security cons, but the risks to corporate image and data are still significant
Policy
While an acceptable use policy is not a solution in and of itself, it is a necessary component of any Internet safety program. Draft a document that explains why employees must follow the policy, provides concrete examples of how to follow the policy and gives details regarding the penalty for not doing so. All employees, regardless of rank or job task, must be required to sign a statement saying they have read the policy.
Education
In spite of the fact that most IT employees would rather be waterboarded with bamboo shoots under their finger nails while listening to Barbra Streisand singing in “Yentl” than actually explain something to a user, a solid social-computing safety training class is a powerful preventive measure that will yield benefits. Education can take place in a classroom setting or online; in either case, make sure you know who took the class and who didn’t.
Employees need to understand the risks to their personal information as well as to corporate data and reputation. Training should start with an overview of the threats that are present, progress to the benefits of social networking, and provide detailed examples of what is safe and what is not. Employees should feel free to ask questions, especially because this is somewhat of a gray area where many issues require clarification.
Technology
There are technological approaches to protecting users on social networks. Of course, a multilayered, defense-in-depth security strategy should be maintained. This means protecting endpoints, servers, networks and network perimeters. Many of today’s attacks use multiple vectors, so protection must be comprehensive. For example, an imposter may become a user’s Facebook friend and then email him a link to a malware site. Security approaches that could be involved countering this include email filtering, web filtering and desktop anti-malware. DLP and networking monitoring play a role also.
In addition, more and more upper-layer devices are coming on the market in an attempt to address the security concerns presented by social networks. These range from devices that make background checks on Facebook accounts to sophisticated DPI (deep packet inspection) network devices that scan incoming and outgoing traffic for threats. As expected, a combination of approaches is most potent.
One example of such a product is the recently reviewed FaceTime USG 350. This 1U (1.75-inch) box monitors instant messaging and web content, alerting and blocking when it discovers dangerous communications. In my testing, I coupled the FaceTime USG 350 with a Blue Coat Systems ProxySG 200 via ICAP to provide complete packet analysis, both unencrypted and SSL (Secure Sockets Layer) encrypted, and a client proxy solution. I easily configured a wide variety of hierarchical policies using regular expressions to prevent sharing of personally identifying information. For example, “XXX-XX-XXXX” blocks transmission of Social Security numbers via IM and posts to social network sites. Plus, with the ProxySG 200 I could enable web content filtering and malware scanning. I configured my firewall to only allow web traffic to flow to and from the ProxySG 200 and, quite honestly, this combination of protections made me feel safer.
Most businesses can benefit from social networking, so simply banning these sites does your marketing and customer relations teams a disservice and leaves a huge door open for competitors. Embrace the triumvirate of security — policy, education and technology controls — to help minimise the risks presented by this growing phenomenon.