There has been a lot of discussion around the security risks associated with social networking sites, especially when it comes to malicious attacks carried out by cyber criminals. But employees disclosing confidential data and the secure usage of social identities in business processes are quickly emerging as other areas of apprehension for IT admins and business managers.
Companies are increasingly using identity data created on social media sites to conduct business transactions, as it often provides for improved efficiency and better communication with customers. In fact, a number of identity and access management (IAM) protocols, such as OAuth, have emerged that facilitate identity-based interactions between businesses and social media sites. But organizations that rely upon identity information provided by third parties, such as Facebook and Twitter, must balance the benefits of doing so with the security and liability risks that can result.
Lighthouse Security Group has compiled the following tips to help companies securely use social networking sites in business processes.
Without being a part of their network, there is no reliable way to monitor what employees are disclosing on social media sites. Making employees and other business audiences aware of the risks associated with social networking and educating them on security best practices when using these sites can be a good first line of defense in a layered risk management strategy.
Are employees able to access social networking sites at work? Are they using social media for work purposes? Are social identities being used in business processes? These are all relevant questions that must be considered when defining strong social networking policies. If employees are going to identify what company they work for on social media channels, then they should not be posting proprietary corporate data, opinions about their job, or information relevant to their job function under any circumstances — doing so can put companies at risk of suffering from social engineering attacks or other malicious threats.
Companies that use a protocol such as OAuth to delegate authorization (e.g., function of applications) to social media sites need to be cognizant of the security policies those sites have in place internally. This is a critical factor in determining the level of trust a company should put in the identity data resulting from social networking channels.
Companies that trust that users are who they say they are because they can delegate authorization to a specific social media site risk overstepping the boundary of legitimate “trust”. Social identities are hardly authoritative: anyone can sign up for one free of charge and promote fake identifying information. The bottom line? Companies should treat social identities, and users’ ability to authenticate themselves via social identities, as little more than a convenience. They should not rely upon the authenticated identity, or the identity data from a social profile, as authoritative, or as anything they would otherwise base a sensitive transaction upon.
More and more people are now accessing social networks on their mobile phones and other consumer devices. The geolocation data resulting from these devices can put sensitive company data at risk without employees even realizing it. Interested third parties can use factors such as the location, time, date, frequency and type of posts to determine sensitive information about a job, project, partnership or other business asset.
While it’s not necessarily possible to monitor all information an employee may post to social media sites and networks, companies can take preventative measures by using common Web security technologies. While employees are at work, or logged into the company network, a good practice is to use a Web filtering technology that either manages or altogether prohibits employee access to social media sites, like Facebook and Twitter. This will cut down on the potential for employees to share sensitive company data while keeping employees on-task. Data Leakage Prevention (DLP) technology can also add another layer of defense against employees proliferating sensitive company data.