CISOs take measured steps to reduce social media risks

By Matthew DeBarros, Contributor
08 Feb 2010 | SearchSecurity.com


The increasing use of social media at many enterprises has CISOs on guard, but a new report urges security professionals to take measured steps to reduce social media risks, rather than outright ban employees from visiting social websites.

Results of a recent survey conducted by Cambridge, Mass.-based Forrester Research Inc. indicated that the adoption of social media in enterprises has doubled in the past year from 11% in 2008 to 22% in 2009, said Khalid Kark, vice president and principal analyst at Forrester. Kark predicted that the numbers will continue to climb.

"There is adoption of social media going on, and it is getting slightly more acceptable to use some of the social media sites at work," Kark said. "The rate of this change is very significant. We're not talking about a 5% or 20% increase; we're talking about this total doubling in one year."

The Forrester report, "Twelve Recommendations For Your 2010 Information Security Strategy," explains how taking a careful and measured approach toward planning an information security strategy in 2010 could help address skyrocketing social networking use and insulate enterprises against the threats it poses.

Tony Spinelli, chief security officer at Atlanta-based credit information firm Equifax Inc., leads a social media committee consisting of the company's sales, marketing, IT and security staff. Spinelli said the company has taken a holistic approach by dealing with social media in an open forum. The goal has been to use social media as a tool to connect with customers and at the same time protect against data leakage.

"We've tried to be balanced and put safeguards in place to ensure data protection when employees are visiting social media sites," Spinelli said.

The expanded use of social media within organizations may be causing some CISOs to rethink the way they protect sensitive data, including intellectual property. Kark said he talked to one CISO who likened the increase of social media usage to a "freight train coming, and we have to figure out what our defenses are going to be, or else we're going to be crushed."

That line of thinking doesn't bode well at organizations like Equifax, where company marketing teams are finding success targeting specific users on social networking sites. If there is a business use, CISOs must rethink how to deploy defenses to mitigate the increased risk while addressing the needs of the sales and marketing teams.

"If you allow social media in your environment without any defenses or controls, then yes, that is going to increase your risk," Kark said. "There's a fine balance at play here."

A change in data ownership

Kark breaks down his recommendations into three subsets: change in technology, change in business expectations, and change in (security data) ownership. IT teams can no longer say they "own" data, especially with the increased use of outsourcing operations to third parties, Kark said. He added that security operations are also being outsourced and organizations need to set expectations to ensure data is being properly protected.

"If you rely on the outsourcer to build your security," Kark said, "they're going to do the bare minimum, because they're there to make money."

Kark said that security professionals need to take a more proactive approach and roll with the rapid pace of technology changes. Involving employees in security decisions, as Equifax has, can help reduce risks. A security-savvy employee can often detect a threat before most security systems, Kark added, so organizations should utilize humans as their first line of defense, devise a security strategy that best suits their needs, and embrace new technologies that can provide a secure work environment.

"Security needs to adjust to the realities of the business and when they do there are three core areas that you need to focus on in terms of protecting: the people, the process, the technology," Kark said.

It has taken CISOs time to wake up to address the rising use of social media in the workplace, said security expert Lenny Zeltser, who leads the security consulting practice for Savvis, and is a faculty member at the SANS Institute. Zeltser said that at first CISOs were in the "denial stage" when faced with the security risks social media sites posed, but more CISOs have made it to the "acceptance stage."

"I would like to see more open access within organizations," Zeltser said, "but this can only happen if companies invest in proper monitoring tools, and train their employees in how to properly use them."
