The Unbearable Riskiness of Being Social...

Monday, August 06, 2012

Neira Jones


The inevitability of social media in both our private and professional lives is undeniable.

With social networks transforming the rules of business engagement, many businesses think the biggest risk of social media is the brand and reputational damage that could result from negative interactions or the potential disclosure of proprietary or sensitive information...

That is, of course, a valid concern, and looking at a recent survey by Grant Thornton, such concerns are top of the list:



As everyone agrees that this social media tidal wave is going to swallow us all up, we could reasonably assume that we are all already putting measures in place to retain some sort of control and manage our security and governance a bit better...

Alas, the same survey highlights two weirdly contradictory trends:

  • We know that social media adoption is inevitable: 68% think that social media will be an important or critical part of their marketing strategy going forward, and 53% expect the corporate use of social media to increase significantly over the next 12 months.
  • We don't know how to manage social media: 73% do not have a clearly defined social media policy, and 61% do not have an incident response plan to help them deal with fraud or data breaches. (If you're interested in incident response, see my earlier post.)

Undeniably, the rise of social media is nothing extraordinary; it is merely an evolution of online communications with, amongst other things, the added dimensions of breadth and public broadcast. Therefore, understandably, the control requirements may also not be extraordinary.

Their implementation, however, may vary depending on how these technologies are deployed and used. For businesses, the challenge is the breadth of adoption and accelerated/ongoing use by both customers and employees.

Getting our own house in order...

Whilst I advocate the creation of social media policies, these should not be developed outside of existing corporate policies, but rather form an intrinsic part of current guidelines. In addition, businesses must be careful not to stifle the creativity that new technologies bring whilst maintaining employee awareness of ground rules for social communications. For this, flexible risk management policies are crucial and these need to evolve with the changing landscape and usage.

As employees intermingle their personal and professional lives online, businesses need to account for this expanding reach and a review of policies and guidelines becomes necessary, including:

  • Data Privacy/ Protection
  • Acceptable Use
  • Code of Conduct
  • Anti-Money Laundering
  • Sarbanes Oxley
  • PCI DSS, HIPAA, etc.
  • Marketing/ Solicitation/ Promotions/ Competitions
  • Anti-Bribery and Corruption
  • Employment
  • Endorsements
  • e-commerce
  • Brand guidelines
  • Intellectual Property

Social media guidelines should state when other internal policies apply as well as be clear on the ramifications of policy violation such as disciplinary or other action. Some organisations may consider monitoring to detect non-compliance.

In addition, the intermingling of personal and professional communications on many social media platforms raises questions (e.g. of privacy and information retention) and may prove challenging when trying to distinguish between the personal and professional personas of an employee. This is why ongoing education should be established, and it should encompass not only employees but also partners and other endorsers, covering acceptable disclosure within the risk framework.

Once we have achieved this, and according to our organisational appetite for social media, we can look at the potential impact the agreed social media use would have on our IT infrastructure. This is very well summarised below:



Looking after our customers...

The primary concern here is one of awareness: if businesses are establishing a social media presence, they should make their customers aware of the following:

  • How to protect their privacy on social media sites;
  • How to find and use privacy controls on popular social media sites;
  • Never to share sensitive information (in most cases, sensitive information will travel through systems that may not match the applicable data-protection measures and regulations);
  • How to be aware of permissions granted to social media sites, such as a perpetual licence to the information they provide;
  • Which privacy rules apply on every site where the business maintains a presence. (Do customers understand when their communications are operating under a social media site's privacy rules and not those of your business?)

In addition, as technology evolves, businesses will have to consider the implications of features that could potentially encroach on customers' privacy, such as geo-location. They will also have to consider the implications of social media sites changing their privacy policies, or of mergers and acquisitions resulting in further sharing and/or unanticipated aggregation of data and a potential further erosion of privacy.

After all is said and done, businesses are increasingly recognising the potentially game-changing benefits of social media and laggards will drag their feet at their own peril (see here and here).

As you expect, I will conclude by saying that it's all about risk... So here we go: what is the biggest social media risk? To ignore social media...

Until next time...

Cross-posted from neirajones

Comments:

Krypt3ia: Nice play on an old movie title.

Neira Jones: Thanks Krypt3ia! :)