Security Challenges in Using Social Media
Date: Thursday, December 30, 2010
Social media sites have gained popularity in the past ten years as a medium to keep in contact with loved ones, business associates and friends. However, there can be drawbacks to the usage of these media when one is employed in certain career fields, such as the healthcare industry. Utilizing social media networks can inadvertently lead to the sharing of confidential patient information with people that may not have a need to know, which would then cause the company to violate HIPAA Security Rule compliance. The compliance risks increase with uncontrolled social media utilization.
Social media became part of the user community several years ago. Today we have social media in the corporate environment. The main problem we have is how social media has evolved: it has become a bottom-up approach. By bottom-up I mean that the consumer has determined how to use a technology and the corporation is playing catch-up. But the social norms that are appropriate for a consumer “product” are not appropriate in a corporate environment.
Social media applications are not just a part of one’s personal lifestyle; this has also become incorporated in the corporate climate. Many places use social media applications for marketing, file sharing, communication, and employee recruitment. While these applications can open up a great many doors for communication, some form of guidance or governance is necessary. Because banning the use of such sites is most likely unenforceable or impractical, a hospital or other such entity that must shield private information should at least ask or force their employees to adhere to some Social Media Policy guidelines.
We can take a lot of security requirements from traditional IT security practices. For instance, when utilizing social networking sites, one should use separate passwords for the different sites, as an individual can easily hack all of one’s accounts if they know the one password. A security breach of one account could snowball. Passwords should be complex and change every 90 days. Accessing social media sites should be over SSL and only from trusted network connections, not coffee shops, especially for business purposes!
When looking at confidential information, apply the same security requirements. A company would not let an employee send out confidential information to someone who didn’t have authority to read it, so when using social media sites, do not let your employees post information that is confidential. In order to block them from doing that, you have to have social media monitoring tools in place to actually know what information employees are posting on the Internet.
Another thing one should not do is post his or her own identifying information publicly, such as date of birth, his or her social security number, or an employee ID number. If a site requires this information, 1) it is most likely not a reputable site, and/or 2) one could make something up or ensure that it is not going to be displayed in a profile that will be public. If your employees post too much personal information about themselves and your company, this could entice an attacker to try and gain access to your company with the information the employee has posted.
Some information may not be considered confidential; yet not posting these items to public social media sites is probably a good idea. This can include anything from rumors, to purchases the company plans on making, anything about the technology one’s company uses or will use, and any projects the individual may be working on. Develop and follow practical posting guidelines and do not share more information than is necessary in corporate social media activities.
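As an added example (not code from the original article), a small scanner of the kind the monitoring paragraphs call for: it flags the identifying information the article says should never be posted (SSN, date of birth, employee ID) plus terms from an assumed “do not share” classification list, then redacts them before a post leaves the company. The employee-ID format, the restricted-term list and the sample posts are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Patterns for identifying information the article says to keep off public profiles.
# The employee-ID format (two letters + six digits) is an assumption, not the
# article's; adapt it to your organisation's badge scheme.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(
        r"\b(?:DOB|born|birthday)\b[^0-9]{0,10}\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "employee_id": re.compile(r"\b[A-Z]{2}\d{6}\b"),
}

# Assumed information-classification terms: patient data, unannounced purchases,
# internal technology. A real list comes from the policy, not from this script.
RESTRICTED_TERMS = ("patient", "diagnosis", "acquisition", "unreleased")


@dataclass
class Finding:
    post_id: str
    category: str
    match: str


def scan_post(post_id: str, text: str) -> list:
    """Return one Finding per identifier pattern hit or restricted term in a post."""
    findings = [Finding(post_id, cat, m.group(0))
                for cat, pat in PATTERNS.items() for m in pat.finditer(text)]
    lowered = text.lower()
    findings += [Finding(post_id, "restricted_term", t)
                 for t in RESTRICTED_TERMS if t in lowered]
    return findings


def redact_post(text: str) -> str:
    """Replace every identifier hit with a category tag so the value itself is not echoed."""
    for cat, pat in PATTERNS.items():
        text = pat.sub(f"[REDACTED:{cat}]", text)
    return text


# Constructed sample posts; none of these values belong to a real person.
SAMPLE_POSTS = [
    ("p1", "Great shift today, patient in room 4 finally went home!"),
    ("p2", "Badge arrived, employee ID AB123456, SSN 123-45-6789 on the form. DOB 04/12/1980"),
    ("p3", "Weekend plans: hiking and coffee."),
]

if __name__ == "__main__":
    for pid, text in SAMPLE_POSTS:
        for f in scan_post(pid, text):
            print(f.post_id, f.category, redact_post(f.match))
```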
If an employee’s personal postings about the company can be considered defamation or are targeting a customer or competitor, HR has to know so it can take action, even if it’s difficult to measure the cost of defamation. Laws already cover the social media posts of employees when it comes to things like defamation, confidentiality and intellectual property theft. There should be some level of monitoring of off-hours postings by employees.
Employees should be made aware through training and written social media policies that the company will be monitoring for confidential and proprietary information and for activities such as defamation. Employees have to be made aware of the policies on the corporate brand image, intellectual property, who they friend, who they endorse, customer information, and other confidential information. Human resource monitoring should be strictly controlled. It can go wrong, as was the case in 2006 when Hewlett Packard illegally used pretexting to gain information on employees. A number of senior managers were in trouble over the poor judgment in how employee monitoring was managed.
Social media usage is being retrofitted into the corporate environment. But the consumer is already used to using social media in an insecure, “information must be free” manner.
Employees who have been used to giving up all their information in places such as Facebook and Twitter must now be retrained to use social media in a whole different manner to meet corporate standards (assuming we have a corporate standard for social media security).
But what is a corporate standard for using social media in an appropriate fashion that does not put the company at risk? Corporations have not made a concerted effort to define that secure social media strategy, or even a strategy for training their employees in the “correct” use of social media. A social media policy is required to address all the concerns about employee posting, training in appropriate usage and monitoring and reporting of social media activity.
Social Media Policy Infrastructure
What is a good starting point for implementing a social media policy? Here is a basic guideline.
1. Define a policy – You cannot assume employees will do the right thing without guidance. You already have things like Expense Policies, Acceptable Use Policies, and Internet Use Policies. Write a basic guideline. What’s in that guideline will vary from company to company.
2. Information Classification – You have to explicitly define what information can be shared and what information should not be Tweeted or FaceBooked. If your employees do not know how valuable information is then you cannot blame them for inadvertently being sucked into the blogosphere.
3. Keep it professional – If you allow your employees to share information about your company on social media, you have to give them standards to follow. Things like cursing, grammar mistakes, and casual conversation-style discussions might not be the image you want to portray when discussing anything related to your company.
4. Tracking and Monitoring – If you are going to have a policy, you have to have a mechanism for tracking compliance, reporting on activity and have consequences for breaking that policy.
A baseline set of requirements has to be agreed upon between IT and HR and Legal departments to implement a secure social media strategy. This list of requirements can include:
- Defining the necessity for monitoring community managers’ and employees’ use of social media
- Understand and update security threats to social media platforms used by the company and monitor employee activity on affected platforms
- Monitor reaction and change in behavior based on training
- Monitor sites mentioning the company
- Track tools used by employees in social media usage
- Monitor activity of other organizations in your industry
- Monitor and report on what online communities are saying about your company
- Track the influencers in your industry and those specific to your brand
- Monitor your competitors’ use of social media
CEO, KRAA Security