Recently I spoke with David Jacquet of the information security company InfoSec Group about some of the security risks inherent in social media activity, and what businesses can do to protect themselves. David laid out the five biggest risks for me:
- Ignoring the risk. “Risk awareness is where it all starts! Information security is a business goal first and foremost. A lot of businesses are involved in social media, and I might add I think they should be. I think it’s a great vector of growth and marketing for most any enterprise out there. However, to do it without understanding the risks that it involves and are inherent to the practice of social media is extremely dangerous because you can’t protect yourself against what you don’t identify as a potential threat.
“There are many ways and many threats, in fact, with the use of social media. The number one thing is to be aware of it, and then to try and mitigate.”
- Not creating policies and procedures to protect the company. “It all starts at the top. I think it all starts at the policy level. I think it’s extremely important to create policies and procedures that clearly detail what is acceptable for employees to do and what is not acceptable for them to do, then to provide the supportive procedures about it. For example, I can say it is acceptable for my employees to use LinkedIn but not Facebook. Then I can potentially create a procedure that helps, step by step, my employees create the appropriate level of online participation in LinkedIn.”
- Not training employees on these policies and procedures. “The next level beyond the policy and procedure is to make sure to train your employees so that they understand that there are policies and procedures. They cannot be expected to follow a policy if they don’t know that policy exists, quite obviously.”
- Not tying in social media policies with information security policies and other business policies. “There are two types of policies that I would personally recommend be created:
“There would be those that are social media specific, and therefore probably do not currently exist in your array of business policies or security policies.
“Then there are the policies that already should exist, such as a password policy, for example, that should be augmented with whichever portion is appropriate to meet your needs on the social media side of things.”
- Not monitoring employees’ social media activities to ensure that they are respecting said policies and procedures. “There are a lot of things you can monitor and a lot of things you clearly do not have the time to monitor. For example, you cannot necessarily monitor each and every action that your employees are going to take online. And in a lot of ways, some people might argue that you don’t want to.
“At the same time, at a proxy server level, you can see how many people go to Facebook. If you have a published policy that says that nobody does Facebook on company time, you can monitor if it’s actually happening through looking at your logs for internet access.
“You can also have a certain person be responsible for very regularly scanning the Twitter activity of those employees that are allowed and empowered by the company to represent the company on Twitter, and make sure that the vocabulary used, the topics broached and so on and so forth are in agreement with the policies that have been created by the company.”
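The proxy-log check David describes in the last point, written out as an added example (this code is not from the interview or from InfoSec Group). It assumes Squid's default "native" access.log layout, a hypothetical policy that forbids facebook.com on weekdays between 09:00 and 17:00 (evaluated in UTC here; a real deployment would convert to local time), and the log lines embedded below are constructed for the example, not captured from a real proxy. It counts, per user, requests that hit the watched domain during company time, and it shows two details a quick `grep facebook` would get wrong: HTTPS traffic appears as `CONNECT host:443` rather than as a URL, and look-alike hostnames such as `notfacebook.com` or `facebook.com.evil.example` must not match.

```python
"""Count policy-relevant proxy hits per user from Squid-format access logs.

Added example, not part of the original interview. Assumes Squid's default
native access.log layout; SAMPLE_LOG is constructed, not real traffic.
"""
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Domains the hypothetical policy forbids on company time.
WATCHED_DOMAINS = {"facebook.com"}

# Constructed sample lines in Squid native format:
# epoch elapsed client result/status bytes method url user hierarchy/peer type
# Timestamps 17000406xx fall on Wed 2023-11-15 around 09:30 UTC (company
# time); 1700079200 is the same day at 20:13 UTC (after hours).
SAMPLE_LOG = """\
1700040600.123    120 10.0.0.5 TCP_MISS/200 5123 GET http://www.facebook.com/ jdoe HIER_DIRECT/157.240.1.35 text/html
1700040605.456     80 10.0.0.5 TCP_TUNNEL/200 9001 CONNECT www.facebook.com:443 jdoe HIER_DIRECT/157.240.1.35 -
1700040610.789     60 10.0.0.7 TCP_MISS/200 4210 GET http://www.linkedin.com/feed/ asmith HIER_DIRECT/108.174.10.10 text/html
1700040620.000     90 10.0.0.7 TCP_MISS/200 3000 GET http://notfacebook.com/ asmith HIER_DIRECT/203.0.113.9 text/html
1700040630.000     70 10.0.0.9 TCP_TUNNEL/200 7000 CONNECT facebook.com.evil.example:443 bjones HIER_DIRECT/203.0.113.10 -
1700079200.000     50 10.0.0.5 TCP_MISS/200 2000 GET http://www.facebook.com/ jdoe HIER_DIRECT/157.240.1.35 text/html
this line is garbage and should be skipped
"""


def host_of(target):
    """Extract the hostname from a GET-style URL or a CONNECT host:port target.

    Bracketed IPv6 literals in CONNECT targets are not handled here.
    """
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def parse_squid_line(line):
    """Parse one native-format line; return None for malformed lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    except (ValueError, OverflowError):
        return None
    return {
        "ts": ts,
        "client": fields[2],
        "method": fields[5],
        "host": host_of(fields[6]),
        "user": fields[7],
    }


def matches_watched(host, watched=WATCHED_DOMAINS):
    """True for an exact or subdomain match only.

    Rejects look-alikes: 'notfacebook.com' and 'facebook.com.evil.example'
    both contain the string but are not facebook.com or a subdomain of it.
    """
    return any(host == d or host.endswith("." + d) for d in watched)


def during_company_time(ts, start_hour=9, end_hour=17):
    """Weekday and within [start_hour, end_hour) in the timestamp's own tz."""
    return ts.weekday() < 5 and start_hour <= ts.hour < end_hour


def policy_hits(log_text, watched=WATCHED_DOMAINS):
    """Return {user: count} of requests to watched domains during company time."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue  # malformed or truncated line; skip rather than crash
        if matches_watched(rec["host"], watched) and during_company_time(rec["ts"]):
            hits[rec["user"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for user, count in sorted(policy_hits(SAMPLE_LOG).items()):
        print(f"{user}: {count} request(s) to watched domains on company time")
```

On the sample data only `jdoe` is reported, with two hits (the HTTP GET and the HTTPS CONNECT at 09:30); the after-hours visit, the LinkedIn traffic the policy permits, and the two look-alike hostnames are all excluded. Pointing `policy_hits` at a real access.log means reading the file and passing its text; the time window and domain set are the knobs to align with whatever the written policy actually says.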
For the full transcript and some specific examples, be sure to check out Social Media and Security Risks for Businesses.
You can follow Rich Brooks on Twitter where he regularly tweets out corporate secrets.